IISpy: A complex server‑side backdoor with anti‑forensic features

The second in our series on IIS threats dissects a malicious IIS extension that employs nifty tricks in an attempt to secure long-term espionage on the compromised servers

ESET researchers have discovered and analyzed a previously undocumented backdoor, implemented as an extension for Internet Information Services (IIS), Microsoft's web server software. The backdoor, which we named IISpy, uses a variety of tricks to interfere with the server's logging and to evade detection, in order to perform long-term espionage. IISpy is detected by ESET security solutions as Win32,64/BadIIS.

This blogpost is the second installment in our series where ESET researchers put IIS web server threats under the microscope – the other parts discuss IIS malware used for cybercrime and SEO fraud, respectively. For a comprehensive guide to how to detect, analyze and remove IIS malware, refer to our white paper Anatomy of native IIS malware, where IISpy is featured as one of the studied families (Group 7).

Attack overview

According to ESET telemetry, this backdoor has been active since at least July 2020, and has been used together with Juicy Potato (detected as Win64/HackTool.JuicyPotato by ESET security solutions), a privilege escalation tool. We suspect the attackers first obtain initial access to the IIS server via some vulnerability, and then use Juicy Potato to obtain the administrative privileges that are required to install IISpy as a native IIS extension.

According to our telemetry, IISpy affects a small number of IIS servers located in Canada, the USA and the Netherlands – but this is likely not the full picture, as it is still common for administrators not to use any security software on servers, and thus our visibility into IIS servers is limited.

Because IISpy is configured as an IIS extension, it can see all the HTTP requests received by the compromised IIS server, and shape the HTTP response that the server will answer with. IISpy uses this channel to implement its C&C communication, which allows it to operate as a passive network implant. As shown in Figure 1, the operator (not the backdoor) initiates the connection by sending a special HTTP request to the compromised server. The backdoor recognizes the attacker request, extracts and executes the embedded backdoor commands, and modifies the HTTP response to include the command output.

The following backdoor commands are supported:

  • Get system information
  • Upload/download files
  • Execute files or shell commands
  • Create a reverse shell
  • Create/list/move/rename/delete files and folders
  • Create a mapping between a local and a remote drive
  • Exfiltrate collected data

IISpy ignores all other HTTP requests sent to the compromised IIS server by its legitimate visitors – of course, these are still handled by the benign server modules.

Figure 1. IISpy backdoor control mechanism

Network communication

The control requests from IISpy's operators have a predefined structure, with a special (hidden) relationship between the Cookie and Host headers, and the URL. To identify such requests, IISpy first computes the MD5 hash of both the URL and the Host header of an inbound HTTP request, and splits each MD5 into four double words:

  • <h0><h1><h2><h3> = md5(Host header value)
  • <r0><r1><r2><r3> = md5(Raw URL value)

Then, it verifies that the Cookie header contains a substring constructed from these values:

  • <r1><h2>=<h3><r2><r3><r0><h0><h1>

Figure 2 illustrates how this substring is assembled. Backdoor commands are embedded in the HTTP body, AES-CBC encrypted and base64 encoded.
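The cookie check described above, written out as a detection routine. This is an added example for this page, not ESET's code or anything recovered from the IISpy binary. It assumes that each "double word" is one 8-character slice of the lowercase MD5 hex digest taken in digest order, and that the token is matched as a plain substring of the Cookie header; the exact byte ordering inside the malware is not stated here, so compare the output against Figure 2 before relying on it. The sample requests and host name are constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple


def md5_dwords(value: str) -> List[str]:
    """MD5 of value split into four 8-hex-char double words.

    Assumption: dwords are taken in the order of the printed hex digest.
    """
    digest = hashlib.md5(value.encode("utf-8")).hexdigest()
    return [digest[i:i + 8] for i in range(0, 32, 8)]


def control_cookie_token(host: str, raw_url: str) -> str:
    """The substring IISpy looks for in Cookie: <r1><h2>=<h3><r2><r3><r0><h0><h1>."""
    h0, h1, h2, h3 = md5_dwords(host)
    r0, r1, r2, r3 = md5_dwords(raw_url)
    return f"{r1}{h2}={h3}{r2}{r3}{r0}{h0}{h1}"


def is_iispy_control_request(headers: Dict[str, str], raw_url: str) -> bool:
    """True when the Cookie header carries the token derived from Host and the raw URL."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    host = lowered.get("host")
    if host is None:
        return False
    return control_cookie_token(host, raw_url) in lowered.get("cookie", "").lower()


def scan(requests: List[Tuple[Dict[str, str], str]]) -> List[int]:
    """Indexes of (headers, raw_url) pairs that carry an IISpy control token."""
    return [i for i, (hdrs, url) in enumerate(requests) if is_iispy_control_request(hdrs, url)]


# Constructed sample traffic (not captured data): one ordinary visitor, one operator.
HOST = "mail.example.test"
URL = "/owa/auth/logon.aspx?url=https%3a%2f%2fmail.example.test%2fowa"
BENIGN = {"Host": HOST, "Cookie": "OutlookSession=abc123; PBack=0"}
CONTROL = {"Host": HOST,
           "Cookie": "OutlookSession=abc123; " + control_cookie_token(HOST, URL) + "; PBack=0"}

if __name__ == "__main__":
    print(scan([(BENIGN, URL), (CONTROL, URL)]))
```

Because the token is bound to the exact Host value and raw URL, a request replayed against a different URL does not match, and a single request can be checked without any shared secret. Note where this check can run: IISpy strips the Cookie header before the request is logged (see the anti-logging section), so the routine has to see the request upstream of the compromised server, for example on a reverse proxy, a WAF, or a packet capture, rather than in the IIS W3C logs.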

Figure 2. IISpy control HTTP request format


Note that this structure of control requests is unique to IISpy: all the other known IIS backdoors (that we have documented in our white paper Anatomy of native IIS malware) are controlled by hardcoded passwords, specific URIs or custom HTTP headers. As opposed to these "secrets", IISpy's control requests are more difficult to fingerprint and find in logs, which is an attempt to keep its C&C communication unnoticed.

Another such trick is used for the other side of the communication: IISpy embeds its encrypted and encoded response inside a fake PNG image, between the PNG file headers as a TEXT or BLOB chunk. To respond to a control HTTP request, IISpy replaces the original HTTP response body (sent by the IIS server) with the fake PNG file, and sets the Content-Type header to image/png to give more credibility to this charade.
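A response body that claims to be image/png but is really a PNG signature followed by ciphertext does not survive a structural check. The chunk walker below is an added example for this page (not ESET's code): it parses the PNG chunk list, validates CRCs and the IHDR/IDAT/IEND skeleton, and reports tEXt chunks whose value is well-formed base64. The samples are constructed inline: a real 1x1 image, a "header followed by non-image data" body, and a body that hides base64 in a tEXt chunk; the base64 content is a placeholder, not real IISpy output.

```python
import base64
import struct
import zlib
from typing import Dict, List, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
STANDARD_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
                   "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME"}


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialize one chunk: length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def parse_png(data: bytes) -> Tuple[List[Dict], List[str]]:
    """Walk the chunk list after the signature; return (chunks, problems)."""
    chunks: List[Dict] = []
    problems: List[str] = []
    if not data.startswith(PNG_SIGNATURE):
        return chunks, ["missing PNG signature"]
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            problems.append(f"{len(data) - pos} stray bytes where a chunk header should be")
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        body = pos + 8
        if body + length + 4 > len(data):
            problems.append(f"chunk {name!r} claims {length} bytes but only {len(data) - body} remain")
            break
        payload = data[body:body + length]
        (crc,) = struct.unpack(">I", data[body + length:body + length + 4])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        if not crc_ok:
            problems.append(f"bad CRC on chunk {name!r}")
        if name not in STANDARD_CHUNKS:
            problems.append(f"non-standard chunk type {name!r}")
        chunks.append({"type": name, "payload": payload, "crc_ok": crc_ok})
        pos = body + length + 4
        if name == "IEND" and pos < len(data):
            problems.append(f"{len(data) - pos} bytes appended after IEND")
            break
    types = [c["type"] for c in chunks]
    if not types or types[0] != "IHDR" or len(chunks[0]["payload"]) != 13:
        problems.append("first chunk is not a 13-byte IHDR")
    if "IDAT" not in types:
        problems.append("no IDAT chunk (no image data)")
    if not types or types[-1] != "IEND":
        problems.append("last chunk is not IEND")
    return chunks, problems


def looks_base64(blob: bytes) -> bool:
    """Strict round-trip test: decodes and re-encodes to the same bytes."""
    try:
        return len(blob) >= 16 and base64.b64encode(base64.b64decode(blob, validate=True)) == blob
    except ValueError:
        return False


def assess_png_response(body: bytes) -> Dict:
    """Summarize whether an image/png body is a real image or a carrier."""
    chunks, problems = parse_png(body)
    carriers = []
    for c in chunks:
        if c["type"] == "tEXt":
            keyword, _, text = c["payload"].partition(b"\x00")
            if looks_base64(text):
                carriers.append(keyword.decode("latin-1"))
    return {"structurally_valid": not problems, "problems": problems,
            "chunk_types": [c["type"] for c in chunks], "base64_text_chunks": carriers}


# Constructed samples (not captured traffic).
VALID_PNG = (PNG_SIGNATURE
             + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))  # 1x1, 8-bit gray
             + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))                  # filter byte + pixel
             + png_chunk(b"IEND", b""))
CIPHERTEXT_B64 = base64.b64encode(bytes(range(48)))  # placeholder, not real AES-CBC output
FAKE_RAW = PNG_SIGNATURE + CIPHERTEXT_B64             # signature followed by non-image data
FAKE_TEXT = PNG_SIGNATURE + png_chunk(b"tEXt", b"Comment\x00" + CIPHERTEXT_B64)

if __name__ == "__main__":
    for label, body in (("valid", VALID_PNG), ("raw", FAKE_RAW), ("text", FAKE_TEXT)):
        print(label, assess_png_response(body))
```

The useful signal is the combination: a Content-Type of image/png on a response to a request that was not for an image, with a body that fails the structural walk or carries base64 in a text chunk. Decrypting what the carrier holds needs AES-CBC with the key and IV listed below and is deliberately left out of this example to keep it dependency-free.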

Both sides of the C&C communication are AES-CBC encrypted and base64 encoded, using these parameters:

  • Encryption key: DA1F8BE19D9122F6499D72B90299CAB080E9D599C57E802CD667BF53CCC9EAB2
  • IV: 668EDC2D7ED614BF8F69FF614957EF83EE

Technical analysis

From the technical standpoint, IISpy is implemented as a native IIS module – a C++ DLL deployed in the %windir%\system32\inetsrv or the %windir%\SysWOW64\inetsrv folder on the compromised IIS server, under the name cache.dll or logging.dll.

IISpy is configured as an IIS extension in the %windir%\system32\inetsrv\config\ApplicationHost.config configuration file, and so it is loaded automatically by the IIS Worker Process (w3wp.exe), which handles all requests sent to the IIS web server. As far as execution and persistence go, configuring IISpy as an IIS module itself checks all the boxes – all that is left to implement inside the malicious module is the actual request processing (and, as a bonus, a few anti-detection and anti-forensic tricks). We cover both in this section.
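Since a native module has to be registered in the globalModules section of ApplicationHost.config, that section is the first place to audit. The script below is an added example for this page (not from ESET or Microsoft): it lists every native module with its image path and whether the modules section enables it, then flags entries whose file name matches the ones reported above or that are absent from a baseline of image file names the analyst takes from a clean reference server. The configuration excerpt is constructed; the first two entries use image names that ship with IIS, while the module name "CacheModule" and its image are made up to mimic the deployment described here.

```python
import os
import xml.etree.ElementTree as ET
from typing import Dict, FrozenSet, List, Tuple

# Constructed ApplicationHost.config excerpt (not taken from a real server).
SAMPLE_APPHOST = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="CacheModule" image="%windir%\System32\inetsrv\cache.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" lockItem="true" />
      <add name="StaticFileModule" lockItem="true" />
      <add name="CacheModule" />
    </modules>
  </system.webServer>
</configuration>
"""

IISPY_FILE_NAMES = {"cache.dll", "logging.dll"}  # file names reported in this analysis


def native_modules(config_xml: str) -> List[Dict]:
    """Every <globalModules><add> entry, with its image and whether <modules> enables it."""
    root = ET.fromstring(config_xml)
    enabled = {a.get("name") for m in root.iter("modules") for a in m.findall("add")}
    out = []
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            image = add.get("image", "")
            out.append({
                "name": add.get("name"),
                "image": image,
                # normalize the Windows path so basename works on any analysis host
                "file": os.path.basename(image.replace("\\", "/")).lower(),
                "enabled": add.get("name") in enabled,
            })
    return out


def flag_modules(modules: List[Dict],
                 baseline: FrozenSet[str] = frozenset()) -> List[Tuple[str, List[str]]]:
    """Flag by reported IISpy file name, or by absence from an analyst-supplied baseline."""
    flagged = []
    for m in modules:
        reasons = []
        if m["file"] in IISPY_FILE_NAMES:
            reasons.append("image file name matches one reported for IISpy")
        if baseline and m["file"] not in baseline:
            reasons.append("image not present in the reference baseline")
        if reasons:
            flagged.append((m["name"], reasons))
    return flagged


if __name__ == "__main__":
    known_good = frozenset({"loghttp.dll", "static.dll"})  # assumed clean-server baseline
    for name, why in flag_modules(native_modules(SAMPLE_APPHOST), known_good):
        print(name, why)
```

A name match is only a lead: the file names above are what was observed, and nothing stops an operator from renaming the DLL. Treat the baseline comparison as the real check, and follow any unexpected image with a hash lookup and an Authenticode signature check on the file itself.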

Module design

IISpy is written using the IIS C++ API, and uses instances of the IHttpContext, IHttpRequest and IHttpResponse interfaces to parse HTTP requests and manipulate the HTTP responses.

As required of all native IIS modules, it exports a function called RegisterModule, where it creates an instance of its core classes and registers their methods for server events using the IHttpModuleRegistrationInfo::SetRequestNotifications method, as shown in Figure 3.

Figure 3. IISpy's RegisterModule export


IISpy's core class inherits from CHttpModule and, as seen in Figure 4, overrides three of its methods – event handlers for the server events:

  • OnBeginRequest is called every time the server starts processing a new HTTP request, and IISpy uses this handler to parse it in search of attacker requests
  • OnEndRequest, called as the last step within the HTTP request-processing pipeline, implements IISpy's backdoor interpreter
  • OnLogRequest, called right before the IIS server logs a processed HTTP request, implements IISpy's anti-logging feature

IISpy registers these handlers with the highest priority (via the IHttpModuleRegistrationInfo::SetPriorityForRequestNotification API). Since multiple IIS modules (malicious and regular) can be registered for the same event, this ensures that IISpy's handler will be executed before any other handlers registered for the same event.

Figure 4. IISpy's core class implements three event handlers


Backdoor commands

In its OnEndRequest handler, IISpy decrypts the HTTP body of an attacker's request and extracts its parameters, which are organized as key-value pairs and listed in Table 1.

Table 1. IISpy attacker request parameters

| Key | Value |
| --- | --- |
| /mode | Command type |
| /action | Command |
| (command-specific keys) | Command arguments (see Table 2 for the full list) |
| /credential/username | Local user username, used for impersonation |
| /credential/password | Local user password, used for impersonation |

If the credentials are present, IISpy uses them to log in as that user (via LogonUserW, ImpersonateLoggedOnUser) and execute the backdoor commands in the user's context. The backdoor commands and arguments are also organized as nested key-value pairs, as listed in Table 2.

Table 2. IISpy backdoor commands and arguments

| Command type (/mode value) | Command (/action value) | Arguments (key names) | Command description | Returned data (map structure or description) |
| --- | --- | --- | --- | --- |
| init | N/A | N/A | Collects basic system information: computer name and domain, username and domain, logical drives information. | /computer/domain |
| file | list | /path | Collects information about the files in the specified folder. | /- |
| file | get | /path | Downloads the file with the specified name from the compromised IIS server. | The contents of the file, encrypted and embedded within a fake PNG image (a PNG header followed by non-image data). |
| file | create | /path | Creates a new file or directory in the specified path. The optional /data argument can hold the file content. | /- |
| file | upload | /path | Uploads a file with the specified name to the compromised server. The /data entry contains the base64-encoded file content. | /- |
| file | delete | /path | Deletes the list of files/directories in the given path. | /data |
| file | move | /path | Copies or renames files from the list, from the source directory to the destination directory. | /data |
| file | time | /path | Modifies file timestamps. | N/A |
| drive | map | /letter | Creates a mapping between a local and a remote drive, using the specified credentials for the network resource. | N/A |
| drive | remove | /letter | Removes an existing drive mapping. | N/A |
| cmd | exec | /cmd | Executes the specified command, either in the context of the current user or of the user provided in the arguments. Returns the command output. | /output |

After executing the backdoor command, IISpy encrypts and encodes its return data and uses it to modify the HTTP response to the attacker's request. The return data is also organized as key-value pairs, with the entries listed in Table 2, plus two more entries based on the GetLastError result (or custom error messages):

  • /error/code
  • /error/message

Anti-logging feature

Finally, IISpy implements the OnLogRequest event handler – called right before the IIS server logs a processed HTTP request. The backdoor uses this handler to modify the log entries for requests coming from the attackers, to make them look like casual requests. As shown in Figure 5, these steps are taken:

  • Rewrite the HTTP method in the request to GET
  • Rewrite the URL from the request to /
  • Delete these headers from the request: Cookie, Origin, Referer, Sec-Fetch-Mode, Sec-Fetch-Site, Content-Type, Content-Length, X-Forwarded-IP, X-Forwarded-For, X-Forwarded-By, X-Forwarded-Proto

With the log entries modified this way, the attackers attempt to further hide the traces of their malicious activities, to make potential forensic analysis more difficult.
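Two ways to work with logs that a module like this has touched, as an added example for this page (not ESET's tooling). The first is a heuristic over the IIS W3C log itself and is an assumption rather than a documented IISpy artifact: a "GET /" logged with neither Cookie nor Referer but with several kilobytes of request bytes is unusual for a real visitor and fits a POST that was rewritten at log time. The second is the more reliable check: compare what IIS logged with what a reverse proxy or load balancer in front of it recorded for the same second and client, since IISpy can only rewrite the server's own log entry. Both log excerpts are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed IIS W3C log excerpt (not real data). The last line is how a control request
# would look after the OnLogRequest handler rewrote it: GET /, no Cookie, no Referer.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-bytes cs-bytes time-taken
2021-07-01 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 - - 200 5120 612 15
2021-07-01 10:00:02 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 OutlookSession=abc /owa/auth/logon.aspx 302 310 1840 40
2021-07-01 10:00:09 10.0.0.5 GET / - 443 - 198.51.100.23 Mozilla/5.0 - - 200 2048 9216 120
"""

# Constructed records from a reverse proxy in front of IIS: (date, time, client, method, uri).
UPSTREAM_LOG = [
    ("2021-07-01", "10:00:01", "203.0.113.7", "GET", "/owa/auth/logon.aspx"),
    ("2021-07-01", "10:00:02", "203.0.113.7", "POST", "/owa/auth.owa"),
    ("2021-07-01", "10:00:09", "198.51.100.23", "POST", "/owa/service.asmx"),
]


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines, taking column names from the #Fields directive."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or not fields:
            continue
        else:
            values = line.split()  # W3C logs encode spaces inside a field as '+'
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def _int(value: str) -> int:
    return int(value) if value.isdigit() else 0  # "-" means the field was not recorded


def sanitized_request_candidates(rows: List[Dict[str, str]],
                                 min_request_bytes: int = 4096) -> List[Dict[str, str]]:
    """Heuristic (assumed, not documented): a bare GET / that still carried a large request."""
    return [r for r in rows
            if r.get("cs-method") == "GET" and r.get("cs-uri-stem") == "/"
            and r.get("cs(Cookie)", "-") == "-" and r.get("cs(Referer)", "-") == "-"
            and _int(r.get("cs-bytes", "0")) >= min_request_bytes]


def method_uri_mismatches(rows: List[Dict[str, str]],
                          upstream: List[Tuple[str, str, str, str, str]]) -> List[Tuple]:
    """Entries where IIS logged a different method/URI than the device in front of it saw."""
    seen = {(d, t, c): (m, u) for d, t, c, m, u in upstream}
    out = []
    for r in rows:
        key = (r["date"], r["time"], r["c-ip"])
        logged = (r["cs-method"], r["cs-uri-stem"])
        if key in seen and seen[key] != logged:
            out.append((key, seen[key], logged))
    return out


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_IIS_LOG)
    for r in sanitized_request_candidates(rows):
        print("suspicious:", r["date"], r["time"], r["c-ip"], r["cs-bytes"])
    for key, upstream, logged in method_uri_mismatches(rows, UPSTREAM_LOG):
        print("mismatch:", key, "upstream saw", upstream, "IIS logged", logged)
```

Two caveats when applying this. The W3C log on a compromised server is, by construction, not trustworthy, so the cross-source comparison is the one to act on; the byte-count heuristic only narrows down where to look. And because X-Forwarded-For is among the headers IISpy deletes, a server behind a load balancer will log the balancer's address in c-ip, so correlate on time and the front-end device's own request identifiers rather than on the client address alone.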

Figure 5. IISpy modifies log entries for attacker requests



Conclusion

IISpy is a complex server-side backdoor misusing the extensibility of IIS web server software for its persistence, execution and C&C mechanisms. With its tricks to blend in with regular network traffic and to clear incriminating logs, it is designed for long-term espionage on compromised IIS servers.

Organizations that handle sensitive data on their servers should be on the lookout, as should organizations that have the Outlook on the web (OWA) service enabled on their Exchange email servers – OWA is implemented via IIS, and makes an interesting target for espionage. In any case, the best way to keep IISpy out of your servers is to keep them up to date, and to carefully consider which services are exposed to the internet, to reduce the risk of server exploitation.

Additional technical details on the malware, Indicators of Compromise and YARA rules can be found in our comprehensive white paper, and on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us at: threatintel@eset.com.

Indicators of Compromise (IoCs)

ESET detection names

  • Win32,64/BadIIS
  • Win64/HackTool.JuicyPotato

MITRE ATT&CK techniques

Note: This table was built using version 9 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
| --- | --- | --- | --- |
| Resource Development | T1587.001 | Develop Capabilities: Malware | IISpy is a custom-made malware family. |
| Resource Development | T1588.002 | Obtain Capabilities: Tool | Operators of IISpy have used Juicy Potato, a local privilege escalation tool. |
| Initial Access | T1190 | Exploit Public-Facing Application | IISpy likely obtains its initial access to the IIS server via some vulnerability in the web application or on the server, before it uses the privilege escalation tool Juicy Potato to obtain the administrative privileges that are required to install a native IIS module. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | IISpy supports a backdoor command that uses the Windows command shell to execute shell commands on the compromised IIS server. |
| Execution | T1569.002 | System Services: Service Execution | The IIS server (and by extension, IISpy) persists as a Windows service. |
| Persistence | T1546 | Event Triggered Execution | IISpy is loaded by the IIS Worker Process (w3wp.exe) when the IIS server receives an inbound HTTP request. |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Operators of IISpy have used the local privilege escalation tool Juicy Potato to elevate privileges. |
| Defense Evasion | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | IISpy has the ability to execute backdoor commands in another user's context (via LogonUserW, ImpersonateLoggedOnUser). |
| Defense Evasion | T1070 | Indicator Removal on Host | IISpy has the ability to sanitize the logging of attacker requests on the IIS server. |
| Defense Evasion | T1070.006 | Indicator Removal on Host: Timestomp | IISpy supports a backdoor command to modify file timestamps. |
| Collection | T1005 | Data from Local System | IISpy supports a backdoor command to collect and exfiltrate data from the compromised IIS server. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | IISpy is a passive network implant: adversaries send HTTP requests to the compromised IIS server to control the backdoor. |
| Command and Control | T1001 | Data Obfuscation | IISpy operators send commands with a specially constructed combination of URLs, Host headers and cookies. IISpy exfiltrates data in a fake PNG file (a PNG header followed by non-image data), in an attempt to make its C&C traffic look like regular network traffic. |
| Command and Control | T1132.001 | Data Encoding: Standard Encoding | IISpy encodes the C&C communication with base64 encoding. |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | IISpy uses AES-CBC to encrypt C&C communication. |
| Command and Control | T1105 | Ingress Tool Transfer | IISpy supports a backdoor command to upload additional tools to the compromised IIS server. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | IISpy supports a backdoor command to exfiltrate data and files from the compromised IIS server. |
