[BreachExchange] New malware plants backdoor on Microsoft web server software

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Aug 9 11:40:32 EDT 2021


https://www.itpro.co.uk/security/cyber-security/360521/new-malware-plants-backdoor-on-microsoft-web-server-software

Security researchers have discovered malware that can install a backdoor on
Microsoft’s web server software Internet Information Services (IIS).

Dubbed IISpy, the malware uses various means to interfere with the server’s
logging and evade detection so it can perform long-term espionage.

Researchers said the backdoor has been active since at least July 2020 and
has been used with Juicy Potato, a privilege escalation tool.

“We suspect the attackers first obtain initial access to the IIS server via
some vulnerability and then use Juicy Potato to obtain the administrative
privileges that are required to install IISpy as a native IIS extension,”
said researchers.

Investigations found the malware on IIS servers in Canada, the US, and the
Netherlands. Researchers suspect more servers have been compromised but said
that, since it is not common for administrators to run security software on
servers, visibility into IIS servers is limited.

IISpy is configured as an IIS extension and can see all the HTTP requests
received by the compromised IIS server and shape the HTTP response the
server will answer with.

“IISpy uses this channel to implement its C&C communication, which allows
it to operate as a passive network implant,” said researchers. Hackers
start a connection by sending a special HTTP request to the compromised
server. The backdoor recognizes the attacker's request, extracts and
executes the embedded backdoor commands, and modifies the HTTP response to
include the command output.

The backdoor enables hackers to get system information, upload and download
data, execute files or shell commands, and more. The malware ignores all
HTTP requests that legitimate visitors send to the compromised IIS server;
the benign server modules handle these.

IISpy is written using the IIS C++ API and uses instances of IHttpContext,
IHttpRequest, and IHttpResponse interfaces to parse HTTP requests and
manipulate the HTTP responses.

An anti-logging feature also implements the OnLogRequest event handler,
which is called right before the IIS server logs a processed HTTP request.
The backdoor uses this handler to modify the log entries for requests coming
from the attackers to make them look like casual requests, according to
researchers.

Researchers said organizations that handle sensitive data on their servers
should watch for this malware, in particular organizations running the
Outlook on the web (OWA) service on their Exchange email servers.

“OWA is implemented via IIS and makes an interesting target for espionage.
In any case, the best way to keep IISpy out of your servers is to keep them
up to date, and carefully consider which services are exposed to the
internet, to reduce the risk of server exploitation,” they added.
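Because IISpy is installed as a native IIS extension and rewrites its own log entries, a more reliable check than reading the HTTP logs is to review which native modules are registered in applicationHost.config. The script below is an added example, not code from the article or from the researchers: it parses the globalModules section and flags any module whose DLL does not live in the standard inetsrv directory. The config snippet and the "CacheHelperModule" entry are constructed for illustration and are not IISpy indicators.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample of the <globalModules> section of an IIS applicationHost.config.
# The third entry is made up to show what a finding looks like; it is not a real IoC.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="CacheHelperModule" image="C:\Windows\Temp\cachehelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Directory in which IIS's own native modules are installed.
TRUSTED_DIR = r"c:\windows\system32\inetsrv"


def normalize_image(image: str) -> str:
    """Expand %windir%/%SystemRoot% and lower-case the path so it can be compared."""
    lowered = image.lower()
    for var in ("%windir%", "%systemroot%"):
        lowered = lowered.replace(var, r"c:\windows")
    return ntpath.normpath(lowered)


def find_unexpected_modules(config_xml: str, trusted_dir: str = TRUSTED_DIR):
    """Return (name, image) for every native module loaded from outside trusted_dir.

    Anything listed here deserves manual review (publisher signature, file age,
    install history); the check is a triage aid, not proof of compromise.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            image = normalize_image(add.get("image", ""))
            if ntpath.dirname(image) != trusted_dir:
                findings.append((add.get("name", ""), image))
    return findings


if __name__ == "__main__":
    for name, image in find_unexpected_modules(SAMPLE_CONFIG):
        print(f"review native module {name!r} loaded from {image}")
```

On a real server, read %windir%\System32\inetsrv\config\applicationHost.config instead of the embedded sample.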