According to Microsoft, the malware is hard to detect but can be found and removed: “Malicious IIS extensions are less frequently encountered in attacks against servers, with attackers often only using script web shells as the first stage payload. This leads to a relatively lower detection rate for malicious IIS extensions compared to script web shells. IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules.” The issue was first spotted by security research firm ESET. In 2021, the company found 80 unique malicious IIS modules for a group of 14 malware types. While these were previously known malware families, they were successfully being used to target Microsoft Internet Information Services. Specifically, threat actors were creating IIS backdoors and installing injectors, info stealers, and proxies. From March to June 2021, ESET tracked IIS backdoors that were using the Exchange ProxyLogon pre-authentication to remove code execution vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).
Extension Attacks
Microsoft points out that IIS extension attacks usually begin with the attacker targeting a critical flaw in hosted applications and exploiting it. They will then add the web shell before next adding the backdoor. “Once registered with the target application, the backdoor can monitor incoming and outgoing requests and perform additional tasks, such as running remote commands or dumping credentials in the background as the user authenticates to the web application,” Microsoft explains. Tip of the day: Is your system drive constantly full and you need to free up space regularly? Try Windows Disk Cleanup in extended mode which goes far beyond the standard procedure. Our tutorial also shows you how to create a desktop shortcut to run this advanced method right from the desktop.