IIS Web Servers are Targeted by Malicious Modules

Summary

On 4 August, ESET malware researcher Zuzana Hromcová reported that 14 different malware families, 10 of them newly documented, are targeting Microsoft's Internet Information Services (IIS) web servers.

ESET identified five modes in which the malware operates: Backdoor, SEO fraud, Info stealer, Proxy, and Injector. Backdoor mode lets the attacker remotely control the compromised system on which IIS is installed. SEO fraud mode modifies the content delivered to search engine crawlers in order to manipulate ranking algorithms. Info stealer mode intercepts regular traffic passing through the server to steal sensitive information. Injector mode modifies the HTTP responses sent to legitimate visitors so that they serve malicious content. Proxy mode turns the compromised server into part of the command-and-control infrastructure of another malware family, relaying communications between victims and the actual C2 server. Several of the 14 families combine two or more of these modes.

Known targets of the IIS malware include government institutions in three Southeast Asian countries, a telecommunications company in Cambodia, a research institution in Vietnam, and many private companies located in Canada, Vietnam, India, the U.S., New Zealand, and South Korea. This is not the first time Microsoft's web server software has been targeted by threat actors: last month the threat group Praying Mantis was reported to be targeting internet-facing Microsoft IIS web servers, using exploits in ASP.NET applications to infiltrate high-profile public and private entities in the U.S.

Impact

  • Processes the HTTP requests arriving at the compromised server and alters the responses it returns.
  • Can steal sensitive data from visitors or serve them malicious content.

IOC

  • Find the indicators of compromise here.

Remediate

  • Use dedicated accounts with strong, unique passwords for administration-related purposes, and enable two-factor authentication (2FA).
  • Keep your OS up to date.
  • Install native IIS modules only from trusted sources.
  • Consider using an endpoint security solution.
  • Scan and block the indicators of compromise from your network.
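Because the malware described above is installed as native IIS modules, an inventory of the modules registered in applicationHost.config is a useful starting point for the remediation steps. The following PowerShell triage script is an added example, not code from ESET or the original post; it lists every native (global) module, checks the Authenticode signature of its binary, and flags anything unsigned, missing, or loaded from outside the assumed baseline directories (the IIS and .NET installation paths). Run it as an administrator on the IIS host.

```powershell
# Added example: inventory native IIS modules and flag candidates for review.
# Assumptions: default config location and the two baseline directories below.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$config = Get-Content -Path $configPath -Raw

# Directories where Microsoft's own native modules normally live (assumed baseline).
$trustedRoots = @(
    (Join-Path $env:windir 'System32\inetsrv'),
    (Join-Path $env:windir 'Microsoft.NET')
)

$results = foreach ($module in $config.configuration.'system.webServer'.globalModules.add) {
    # The image attribute uses %windir%-style variables; expand them before touching the file.
    $image = [Environment]::ExpandEnvironmentVariables($module.image)

    $inTrustedDir = $false
    foreach ($root in $trustedRoots) {
        if ($image.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedDir = $true }
    }

    # A module whose DLL is gone is still worth noting: the config entry is evidence by itself.
    $sigStatus = 'FileMissing'
    $signer = ''
    if (Test-Path -LiteralPath $image) {
        $sig = Get-AuthenticodeSignature -FilePath $image
        $sigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        Name         = $module.name
        Image        = $image
        InTrustedDir = $inTrustedDir
        Signature    = $sigStatus
        Signer       = $signer
        # Unsigned, missing, or out-of-baseline binaries are triage candidates, not verdicts.
        Suspicious   = (-not $inTrustedDir) -or ($sigStatus -ne 'Valid')
    }
}

# Suspicious entries first; compare each against the published IoCs and a known-good host.
$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A legitimately installed third-party module will also be flagged as outside the baseline, so treat the Suspicious column as a list to verify rather than a detection result.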

References