IIStealer: A server‑side threat to e‑commerce transactions

The first in our series on IIS threats looks at a malicious IIS extension that intercepts server transactions to steal credit card information

ESET researchers have discovered and analyzed a previously undocumented trojan that steals payment information from e-commerce websites' customers. The trojan, which we named IIStealer, is detected by ESET security solutions as Win64/BadIIS.

This blogpost is the first installment in our series where ESET researchers put IIS web server threats under the microscope, with the other two parts discussing IIS malware used for cyberespionage and SEO fraud, respectively. For a comprehensive guide to how to detect, analyze and remove IIS malware, refer to our white paper Anatomy of native IIS malware, where IIStealer is featured as one of the studied families (Group 5).

Attack overview

IIStealer is implemented as a malicious extension for Internet Information Services (IIS), Microsoft web server software. Being a part of the server, IIStealer is able to access all the network communication flowing through the server and steal data of interest to the attackers – in this case, payment information from e-commerce transactions.

As illustrated in Figure 1, IIStealer operates by intercepting regular traffic between the compromised server and its clients (the seller and the buyers), targeting HTTP POST requests made to specific URI paths: /checkout/checkout.aspx or /checkout/Payment.aspx.

Whenever a legitimate website visitor makes a request to these checkout pages (1), IIStealer logs the HTTP request body into a log file (2), without, in any way, interfering with the HTTP reply generated by the components of the legitimate website (3).

Adversaries can then exfiltrate the collected data by making a special HTTP request to the compromised IIS server: once IIStealer detects a request made to a specific URI (/privacy.aspx) with an attacker password included in the X-IIS-Data header (4), it embeds the collected data in the HTTP response for that request (5,6).

Figure 1. IIStealer: collection and exfiltration mechanisms

With these capabilities, IIStealer is able to steal credit card information sent to e-commerce websites that don't use third-party payment gateways. Note that SSL/TLS and encrypted communication channels don't secure these transactions against IIStealer, since the malware can access all data handled by the server – which is where the credit card information is processed in its unencrypted state.

The samples of this malware that we analyzed seem to be tailored for specific e-commerce websites (with hardcoded checkout page URIs). According to our telemetry, targeted were a small number of IIS servers in the USA, between September 2020 and January 2021, but this is likely affected by our limited visibility into IIS servers – it's still common for administrators to not use any security software on these servers.

Technical analysis

IIStealer is implemented as a malicious, native IIS module – a C++ DLL dropped in the %windir%\system32\inetsrv folder on the compromised IIS server and configured in the %windir%\system32\inetsrv\config\ApplicationHost.config file. In some cases, IIStealer is deployed under the name dir.dll and, as seen in Figure 2, uses a forged VERSIONINFO resource to mimic a legitimate Windows IIS module called dirlist.dll.

Figure 2. IIStealer’s VERSIONINFO resource (left) mimics legitimate dirlist.dll module (right)

Because it's an IIS module, IIStealer is loaded automatically by the IIS Worker Process (w3wp.exe), which handles the requests sent to the IIS web server – this is how IIStealer achieves persistence, and how it can affect the processing of incoming requests.

We don't have any information about how the malware is spread, but we know that administrative privileges are required to install it as a native IIS module, which narrows down the candidates for the initial compromise. A configuration weakness or vulnerability in a web application, or the server itself, are likely culprits.

As for its technical characteristics, IIStealer implements a core class inherited from CHttpModule (module class) and overrides the CHttpModule::OnPostBeginRequest method with its malicious code. As with all native IIS modules, IIStealer exports a function named RegisterModule (see Figure 3), where it instantiates the module class and registers its methods for server events – more specifically, it registers for the RQ_BEGIN_REQUEST post-event notification that is generated each time the server begins processing an inbound HTTP request. Consequently, the OnPostBeginRequest method is called with each new request, which allows IIStealer to affect the request processing.

Figure 3. IIStealer’s RegisterModule entry point

In the OnPostBeginRequest handler, IIStealer filters incoming HTTP requests by request URIs. All POST requests made to /checkout/checkout.aspx or /checkout/Payment.aspx are logged – along with their full HTTP bodies – into a file named C:\Windows\Temp\cache.txt. These requests are made by legitimate visitors of the compromised e-commerce websites and can contain sensitive information such as personal details and credit card numbers.

The collected data can be exfiltrated via a specially crafted HTTP request from the attacker. This request must have an X-IIS-Data HTTP header set to a hardcoded, 32-byte alphanumeric password (that we have chosen not to disclose), and must be sent to a URL path specified in the malware sample:

  • /privacy.aspx
  • /checkout/Payment.aspx

Once the malicious module detects such a request, it uses the IHttpResponse::Clear method to delete any HTTP response prepared by the IIS server, and copies the unencrypted contents of the log file into the HTTP response body using the IHttpResponse::WriteEntityChunks API function, as seen in Figure 4.

Figure 4. IIStealer replaces the HTTP response body with its own data

This allows the operators of IIStealer to access and exfiltrate the collected data by simply sending a special request to the compromised IIS server – there is no need for the malware to implement additional C&C channels, or embed any C&C server domains in its configuration.

IIStealer is a server-side threat that eavesdrops on the communications between a compromised e-commerce website and its customers, with the aim of stealing sensitive payment information – but of course, malicious IIS modules could also target credentials and other information. Even though SSL/TLS is essential in securing the transmission of the data between the client and the server, it doesn't prevent this attack scenario as IIStealer is a part of the server. This should be disturbing for all serious web portals that want to protect their visitors' data, including authentication and payment information.

The best way to harden an IIS server against IIStealer and other threats is to:

  • Use dedicated accounts with strong, unique passwords for the administration of the IIS server.
  • Regularly patch your OS, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation.
  • Only install native IIS modules from trusted sources.
  • Consider using a web application firewall, and/or endpoint security solution on your IIS server.
  • Regularly check the configuration file %windir%\system32\inetsrv\config\ApplicationHost.config, as well as the %windir%\system32\inetsrv and %windir%\SysWOW64\inetsrv folders to verify that all the installed native modules are legitimate (signed by a trusted provider, or installed on purpose).
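One way to carry out the last check above, written as an added example for this post (it is not ESET's tooling): it reads the native module list from ApplicationHost.config, expands each image path, and reports DLLs that are missing, unsigned, signed by someone other than Microsoft, or located outside the inetsrv folder. It assumes an elevated PowerShell session on the IIS host and the default configuration path.

```powershell
# Added example for this post (not ESET's tooling): enumerate the native modules that
# w3wp.exe will load, as registered in applicationHost.config, and flag any whose DLL
# is missing, unsigned, not Microsoft-signed, or located outside the inetsrv folder.
# Assumes an elevated PowerShell session on the IIS host and the default config path.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$config = Get-Content -LiteralPath $configPath -Raw

# <globalModules> is where a native module such as IIStealer has to be registered;
# managed (.NET) modules live under <modules> and are not covered here.
$nativeModules = $config.configuration.'system.webServer'.globalModules.add
$inetsrv = (Join-Path $env:windir 'System32\inetsrv').ToLowerInvariant()

$report = foreach ($module in $nativeModules) {
    $image = [Environment]::ExpandEnvironmentVariables($module.image)
    $findings = @()
    $status = 'n/a'

    if (-not (Test-Path -LiteralPath $image)) {
        $findings += 'image file missing'
    } else {
        $signature = Get-AuthenticodeSignature -FilePath $image
        $status = $signature.Status
        if ($signature.Status -ne 'Valid') {
            # Stock IIS modules are Authenticode-signed; an unsigned DLL in inetsrv
            # (e.g. a dir.dll posing as dirlist.dll) is exactly what the post describes.
            $findings += "signature $($signature.Status)"
        } elseif ($signature.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "third-party signer: $($signature.SignerCertificate.Subject)"
        }
    }

    # Paths outside inetsrv are normal for some modules (ASP.NET's webengine4.dll,
    # for instance), so this is a prompt for review rather than a verdict.
    if (-not $image.ToLowerInvariant().StartsWith($inetsrv)) {
        $findings += 'outside inetsrv'
    }

    [pscustomobject]@{
        Name      = $module.name
        Image     = $image
        Signature = $status
        Findings  = ($findings -join '; ')
    }
}

# Modules with findings sort first; an empty Findings column means nothing stood out.
$report | Sort-Object { $_.Findings -eq '' }, Name | Format-Table -AutoSize
```

Modules serving 32-bit application pools resolve their DLLs from the %windir%\SysWOW64\inetsrv folder the post also names, so repeat the signature check on that copy of each image as well.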

For web developers: Even if you don't have control over the IIS server where your web service is hosted, you can still take steps to reduce the impact on users of your web service in the case of a compromise, particularly:

  • Don't send the password itself to the server (not even over SSL/TLS); use a protocol such as Secure Remote Password (SRP) to authenticate users without the need for the unencrypted password to be transmitted to the server, nor data that could be used to reauthenticate. IIS infostealers are an example of why server-side hashing is not sufficient.
  • Avoid unnecessarily sending sensitive information from the web application; use payment gateways.
  • If you identify a successful compromise: notify all parties involved in any security breach so they can take immediate action.

For users: from the visitor's perspective, it's impossible to know whether an IIS server is compromised, but these tips will help you reduce the risk:

  • Be careful about where you enter your credit card number. Consider using payment gateways by trusted third-party providers on e-commerce websites whose reputation is unknown to you: with payment gateways, such websites won't handle the sensitive payment information.
  • Keep an eye on your credit statement for small or unusual payments: sometimes small amounts are processed to test whether the cards are valid.
  • If you spot something unusual, notify your bank immediately.

More technical details on the malware, Indicators of Compromise and YARA rules can be found in our comprehensive white paper, and on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us at: threatintel@eset.com.

Indicators of Compromise (IoCs)

ESET detection names

Filenames and paths

Network indicators

Targeted URIs

HTTP header

MITRE ATT&CK techniques

Note: This table was built using version 9 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Resource Development | T1587.001 | Develop Capabilities: Malware | IIStealer is a custom-made malware family.
Execution | T1569.002 | System Services: Service Execution | IIS server (and by extension, IIStealer) persists as a Windows service.
Persistence | T1546 | Event Triggered Execution | IIStealer is loaded by IIS Worker Process (w3wp.exe) when the IIS server receives an inbound HTTP request.
Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | IIStealer has been deployed under the name dir.dll, in an attempt to mimic a legitimate Microsoft IIS module called dirlist.dll.
Defense Evasion | T1027 | Obfuscated Files or Information | IIStealer uses string stacking in an attempt to avoid some string-based detection.
Credential Access | T1056 | Input Capture | IIStealer intercepts network traffic between the IIS server and its clients to collect sensitive information such as credit card details.
Collection | T1119 | Automated Collection | IIStealer automatically collects information from inbound HTTP requests, such as credit card details.
Collection | T1074.001 | Data Staged: Local Data Staging | IIStealer uses a local file to stage collected information.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Adversaries send HTTP requests to the compromised IIS server to control IIStealer.
Exfiltration | T1041 | Exfiltration Over C2 Channel | IIStealer uses its C&C channel to exfiltrate collected data: HTTP requests are sent by the adversary to the compromised IIS server.