Anatomy of native IIS malware


ESET researchers publish a white paper putting IIS web server threats under the microscope

ESET researchers have discovered a set of previously undocumented malware families, implemented as malicious extensions for Internet Information Services (IIS) web server software. Targeting both government mailboxes and e-commerce transactions, as well as aiding in malware distribution, this diverse class of threats operates by eavesdropping on and tampering with the server’s communications.

Along with a complete breakdown of the newly discovered families, our new paper, Anatomy of native IIS malware, provides a comprehensive guide to help fellow security researchers and defenders detect, dissect and mitigate this class of server-side threats. In this blogpost, we summarize the findings of the white paper.

Today, we’re also launching a series of blogposts where we introduce the most notable of the newly discovered IIS malware families, as case studies of how this type of malware is used for cybercrime, cyberespionage and SEO fraud.

The findings of our IIS malware research were first presented at Black Hat USA 2021 and will also be shared with the community at the Virus Bulletin 2021 conference on October 8th.

IIS is Microsoft Windows web server software with an extensible, modular architecture that, since v7.0, supports two types of extensions – native (C++ DLL) and managed (.NET assembly) modules. Focusing on malicious native IIS modules, we’ve found over 80 unique samples used in the wild and categorized them into 14 malware families – 10 of which were previously undocumented. ESET security solutions detect these families as Win32,64/BadIIS and Win32,64/Spy.IISniff.

How IIS malware operates

IIS malware is a diverse class of threats used for cybercrime, cyberespionage, and SEO fraud – but in all cases, its main purpose is to intercept HTTP requests incoming to the compromised IIS server and affect how the server responds to (some of) these requests.

With the default installation, IIS itself is persistent, so there is no need for extension-based IIS malware to implement additional persistence mechanisms. Once configured as an IIS extension, the malicious IIS module is loaded by the IIS Worker Process (w3wp.exe), which handles requests sent to the server – this is where IIS malware can interfere with the request processing.

We identified five main modes in which IIS malware operates, as illustrated in Figure 1:

  • IIS backdoors allow their operators to remotely control the compromised computer with IIS installed
  • IIS infostealers allow their operators to intercept regular traffic between the compromised server and its legitimate visitors, to steal information such as login credentials and payment information. Using HTTPS doesn’t prevent this attack, as IIS malware can access all data handled by the server – which is where the data is processed in its unencrypted state.
  • IIS injectors modify HTTP responses sent to legitimate visitors to serve malicious content
  • IIS proxies turn the compromised server into an unwitting part of the C&C infrastructure for another malware family, and misuse the IIS server to relay communication between victims of that malware and the real C&C server
  • SEO fraud IIS malware modifies the content served to search engines to manipulate SERP algorithms and boost the ranking for other websites of interest to the attackers

Figure 1. Overview of IIS malware mechanisms

All of these malware types are discussed at length in the paper.

How (and where) it spreads

Native IIS modules have unrestricted access to any resource available to the server worker process – thus, administrative rights are required to install native IIS malware. This considerably narrows down the options for the initial attack vector. We have seen evidence for two scenarios:

  • IIS malware spreading as a trojanized version of a legitimate IIS module
  • IIS malware spreading through server exploitation

For example, between March and June 2021, we detected a wave of IIS backdoors spread via the Microsoft Exchange pre-authentication RCE vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), aka ProxyLogon. Targeted specifically were Exchange servers that have Outlook on the web (aka OWA) enabled – as IIS is used to implement OWA, these were a particularly interesting target for espionage.

After our colleagues reported the first such case in March 2021, we’ve detected four more campaigns of various IIS backdoors spreading to Microsoft Exchange servers through the same vulnerability. To complement our telemetry, we’ve performed internet-wide scans to detect the presence of these backdoors, which allowed us to identify and notify other victims of the malware.

Figure 2 shows the geographical locations of servers affected by these five campaigns, using data from our telemetry and internet-wide scans.

Figure 2. Victims of native IIS backdoors spread via the ProxyLogon vulnerability chain


The following entities were among the victims:

  • Government institutions in three countries in Southeast Asia
  • A major telecommunications company in Cambodia
  • A research institution in Vietnam
  • Dozens of private companies in a range of industries, located mostly in Canada, Vietnam and India, and others in the USA, New Zealand, South Korea, and other countries

Note that while IIS backdoors may be well-suited for spying on high-profile mailboxes, victims of IIS malware are not limited to compromised servers – all legitimate visitors of the websites hosted by these servers are potential targets, as the malware can be used to steal sensitive data from the visitors (IIS infostealers) or serve malicious content (IIS injectors). Please refer to the full white paper for the details on the targets of the other analyzed IIS families.

The insides of native IIS malware

From the technical perspective, all types of native IIS malware are implemented as dynamic-link libraries (DLLs), written using the IIS C++ API. Any such DLL must:

  • Implement a class inherited from either the CHttpModule or CGlobalModule class (or both), and override a number of that class’s methods (event handlers)
  • Export the RegisterModule function, which is the library entry point, responsible for creating the instances of these classes and registering the implemented handlers for server events, as illustrated in Figure 3.

Figure 3. A typical RegisterModule function of native IIS malware

Server events refer to the steps that the IIS server takes during request processing (see Figure 4), but also to other actions taken by the server (for example, sending an HTTP response). These events generate event notifications, which are handled by event handlers implemented in the server’s modules (see Figure 5).

Figure 4. HTTP request-processing pipeline in IIS


In short, the event handlers (or the methods of IIS module core classes) are where the IIS malware functionality is implemented and where any reverse engineers should focus their analysis. For a deep dive into IIS malware essentials and how to analyze such binaries, refer to the Anatomy of native IIS malware section of our white paper.

Figure 5. Event handlers: methods of the module classes, CHttpModule and CGlobalModule

Network communication

A notable feature of IIS malware is how it communicates with its operators. Malicious IIS modules, especially IIS backdoors, don’t usually create new connections to their C&C servers. They work as passive implants, allowing the attackers to control them by providing some “secret” in an HTTP request sent to the compromised IIS web server. That’s why IIS backdoors usually have a mechanism to recognize attacker requests that are used to control the server and have a predefined structure, such as:

  • URL or request body matching a specific regex
  • A specific custom HTTP header present
  • An embedded token (in the URL, request body or one of the headers) matching a hardcoded password
  • A hash value of an embedded token matching a hardcoded value
  • A more complex condition – for example, a relationship between all of the above

Figure 6. Passive C&C communication channel (IIS backdoors)
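
For defenders, the custom-header trigger in the list above lends itself to least-frequency hunting. The following is an added example, not code from the white paper: it stack-counts header names across request records and reports unknown headers sent by very few clients in very few requests. The record layout, the KNOWN_HEADERS baseline, the thresholds and the X-Sample-Token header are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Header names this site normally receives (assumption: build from your own baseline).
KNOWN_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "cookie", "referer", "connection", "content-type", "content-length",
}


def build_sample():
    """Constructed request records, as a reverse proxy in front of IIS might export them."""
    base = {"Host": "mail.example", "User-Agent": "Mozilla/5.0", "Accept": "*/*"}
    records = []
    for i in range(60):  # ordinary visitors; every third request carries a tracing header
        headers = {**base, "X-Request-Id": f"r{i}"} if i % 3 == 0 else dict(base)
        records.append({"client": f"198.51.100.{i % 20}", "uri": "/owa/", "headers": headers})
    for uri in ("/owa/auth/logon.aspx", "/default.aspx"):  # one client, one odd header
        headers = {**base, "X-Sample-Token": "constructed-value"}
        records.append({"client": "203.0.113.9", "uri": uri, "headers": headers})
    return records


def rare_custom_headers(records, max_clients=2, max_share=0.05):
    """Return {header: stats} for unknown headers sent by few clients in few requests."""
    stats = defaultdict(lambda: {"requests": 0, "clients": set(), "uris": set()})
    for rec in records:
        for name in rec["headers"]:
            key = name.lower()  # header names are case-insensitive
            if key in KNOWN_HEADERS:
                continue
            stats[key]["requests"] += 1
            stats[key]["clients"].add(rec["client"])
            stats[key]["uris"].add(rec["uri"])
    total = len(records) or 1
    return {
        name: {"requests": s["requests"], "clients": sorted(s["clients"]), "uris": sorted(s["uris"])}
        for name, s in stats.items()
        if len(s["clients"]) <= max_clients and s["requests"] / total <= max_share
    }


if __name__ == "__main__":
    for header, info in rare_custom_headers(build_sample()).items():
        print(header, info)
```

This covers only the custom-header case; a trigger carried in a standard header, the URL or the request body will not surface in this count.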

On the other hand, some IIS malware categories do implement an alternative C&C channel – using protocols such as HTTP or DNS – to obtain the current configuration on the fly. For example, an IIS injector contacts its C&C server every time there is a new request from a legitimate visitor of the compromised website, and uses the server response to modify the content served to that visitor (such as malicious code or adware).

Figure 7. Alternative C&C communication mechanism (IIS injectors)


Table 1 summarizes how the C&C channels, as well as other notable techniques, are implemented by the 14 analyzed IIS malware families.

Table 1. Summary of obfuscations implemented, and functionalities supported by analyzed IIS malware families

Functionality columns (Backdoor, Infostealer, Proxy, SEO fraud, Injector): marks not preserved.

| Group # | C&C channel: attacker request verification (e.g. specific header present, specific URI, query string parameter) | C&C channel: encryption/obfuscation | C&C channel: alternative channel protocol | Detection evasion and obfuscation techniques |
|---|---|---|---|---|
| Group 1 | HTTP header with hardcoded password | base64 | | |
| Group 2 | HTTP header with hardcoded password | RSA + AES-CBC | | |
| Group 3 | HTTP header present | base64 | | |
| Group 4 | HTTP header with hardcoded password | XOR + base64 | | Anti-logging |
| Group 5 | URI and HTTP header with hardcoded password | | | String stacking |
| Group 6 | Query string parameter | | | |
| Group 7 | Relationship between HTTP headers, HTTP body format | AES-CBC | | Anti-logging |
| Group 8 | HTTP header with hardcoded password | | | |
| Group 9 | No support for attacker requests | | HTTP | Encrypted strings (XOR 0x56) |
| Group 10 | No support for attacker requests | | HTTP to obtain JavaScript config | |
| Group 11 | HTTP header with hardcoded password | | DNS TXT to obtain config, HTTP for C&C | String encryption (ADD 0x02) |
| Group 12, variant A | HTTP header with password whose MD5 hash is hardcoded | | HTTP | String encryption (ADD 0x01) |
| Group 12, variant B | | | HTTP | UPX packing |
| Group 12, variant C | No support for attacker requests | | HTTP | String encryption (XOR 0x0C) |
| Group 13 | Query string parameter | | HTTP | |
| Group 14 | No support for attacker requests | | HTTP | |


Since native IIS modules can only be installed with administrative privileges, the attackers first need to obtain elevated access to the IIS server. The following recommendations could help make their work harder:

  • Use dedicated accounts with strong, unique passwords for the administration of the IIS server. Require multifactor authentication (MFA) for these accounts. Monitor the usage of these accounts.
  • Regularly patch your OS, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation.
  • Consider using a web application firewall, and/or endpoint security solution on your IIS server.
  • Native IIS modules have unrestricted access to any resource available to the server worker process; you should only install native IIS modules from trusted sources to avoid downloading their trojanized versions. Be especially aware of modules promising too-good-to-be-true features such as magically improving SEO.
  • Regularly check the IIS server configuration to verify that all the installed native modules are legitimate (signed by a trusted provider, or installed on purpose).
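
The last recommendation can be partly automated. The following is an added example, not code from the white paper: it parses the globalModules section of a copy of applicationHost.config (where native modules are registered) and lists entries that are missing from a recorded baseline, whose image path differs from it, or that load from outside the inetsrv directory. The sample config, the baseline, the module names and the c:\windows location are constructed assumptions.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample of applicationHost.config (illustrative names and paths).
SAMPLE_CONFIG = r"""<configuration><system.webServer><globalModules>
  <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
  <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
  <add name="SeoBoost" image="C:\inetpub\temp\seoboost.dll" />
  <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\..\..\Temp\defdoc.dll" />
</globalModules></system.webServer></configuration>"""

# Assumed baseline: modules this server is expected to load, recorded at build time.
BASELINE = {
    "HttpCacheModule": r"%windir%\System32\inetsrv\cachhttp.dll",
    "StaticFileModule": r"%windir%\System32\inetsrv\static.dll",
    "DefaultDocumentModule": r"%windir%\System32\inetsrv\defdoc.dll",
}
TRUSTED_DIR = r"c:\windows\system32\inetsrv"  # assumption: default Windows directory


def normalize(image):
    """Lower-case, expand %windir%/%SystemRoot%, and collapse '..' segments."""
    path = image.strip().lower()
    for var in ("%windir%", "%systemroot%"):
        path = path.replace(var, r"c:\windows")
    return ntpath.normpath(path)


def audit_global_modules(config_xml, baseline=BASELINE):
    """Return {module name: [reasons]} for native modules that need review."""
    findings = {}
    root = ET.fromstring(config_xml)
    for entry in root.iterfind(".//globalModules/add"):
        name, image = entry.get("name", ""), normalize(entry.get("image", ""))
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        elif normalize(baseline[name]) != image:
            reasons.append("image path differs from baseline")
        if ntpath.dirname(image) != TRUSTED_DIR:
            reasons.append("loaded from outside inetsrv")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for module, why in audit_global_modules(SAMPLE_CONFIG).items():
        print(f"{module}: {', '.join(why)}")
```

A finding means "review", not "malicious", since legitimate third-party modules may install elsewhere. A trojanized DLL at the expected path passes this check, so follow up on the host by verifying each module's signature, for example with PowerShell's Get-AuthenticodeSignature.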

For details on how to detect and remove IIS malware, refer to the Mitigation section of the white paper. We’re also publishing a set of YARA rules that you can leverage to detect all of the 14 analyzed IIS malware families.


Internet Information Services web servers have been targeted by various malicious actors, for cybercrime and cyberespionage alike. The software’s modular architecture, designed to provide extensibility for web developers, can be a useful tool for attackers to become a part of the IIS server, and intercept or modify its traffic.

It’s still quite rare for endpoint (and other) security software to run on IIS servers, which makes it easy for attackers to operate unnoticed for long periods of time. This should be disturbing for all serious web portals that want to protect their visitors’ data, including authentication and payment information. Organizations that use OWA should also pay attention, as it depends on IIS and could be an interesting target for espionage.

While IIS server threats are not limited to native IIS malware, we believe this paper will be a helpful starting point for defenders for understanding, identifying, and removing IIS threats, and a guide to our fellow researchers to reverse engineer this class of threats and understand their common tactics, techniques and procedures.

More technical details on the malware and Indicators of Compromise can be found in our comprehensive white paper, and on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us at:

Acknowledgements to fellow ESET malware researchers Marc-Étienne Léveillé and Mathieu Tartare for their work on this investigation.
