
New malware plants backdoor on Microsoft web server software

Security researchers have discovered malware that can install a backdoor on Microsoft's Internet Information Services (IIS) web server software.

Dubbed IISpy, the malware uses various means to interfere with server logging and evade detection so that it can perform long-term espionage.

The researchers said the backdoor has been active since at least July 2020 and has been used with Juicy Potato, a privilege escalation tool.

“We suspect that attackers first gain initial access to the IIS server through a vulnerability, then use Juicy Potato to gain administrative privileges that are required to install IISpy as a native IIS extension,” the researchers said.

Investigations have uncovered the malware on IIS servers in Canada, the United States and the Netherlands. Researchers suspect more servers have been compromised, but said that since it is not common for administrators to run security software on servers, visibility into IIS servers is limited.

IISpy is configured as an IIS extension and can see all HTTP requests received by the compromised IIS server and shape the HTTP response with which the server will respond.

“IISpy uses this channel to implement its C&C communication, which allows it to function as a passive network implant,” the researchers said. Hackers initiate a connection by sending a special HTTP request to the compromised server. The backdoor recognizes the attacker’s request, extracts and executes the built-in backdoor commands, and modifies the HTTP response to include the output of the command.


The backdoor allows hackers to get system information, upload and download data, execute files or shell commands, etc. The malware ignores all HTTP requests from legitimate visitors sent to the compromised IIS server – benign server modules handle them.

IISpy is written using the IIS C++ API and uses instances of the IHttpContext, IHttpRequest, and IHttpResponse interfaces to parse HTTP requests and manipulate HTTP responses.

An anti-logging feature also implements the OnLogRequest event handler, which is called just before the IIS server logs any processed HTTP request. The backdoor uses this handler to modify the log entries for the attackers' requests so that they look like ordinary requests, the researchers said.
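Because IISpy is registered as a native IIS module, one defensive check is to inventory the native modules IIS has loaded and flag any whose DLL is not a stock module. The script below is an added example, not code from the article or from the researchers; it parses the `<globalModules>` section of an IIS `applicationHost.config` (a constructed sample is embedded; on a real server the file lives at `%windir%\System32\inetsrv\config\applicationHost.config`) and assumes that every legitimate module ships from `%windir%\System32\inetsrv`, so anything outside that directory is a triage lead, not proof of compromise.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <globalModules> section of applicationHost.config.
# The first three entries mimic stock Microsoft modules; "CacheHelper" is a
# made-up module registered from an unexpected path, the footprint a native
# IIS backdoor installed as an extension would leave behind.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="CgiModule" image="%windir%\System32\inetsrv\cgi.dll" />
      <add name="CacheHelper" image="C:\Windows\Temp\cache.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Assumption: stock IIS native modules all live under this directory.
EXPECTED_DIR = r"%windir%\System32\inetsrv"


def _norm(path):
    """Normalise a Windows path for comparison: expand %windir% by hand so the
    check also works when the config is reviewed offline on a non-Windows host,
    unify separators and ignore case."""
    return path.lower().replace("%windir%", r"c:\windows").replace("/", "\\")


def list_native_modules(config_xml):
    """Return (name, image) for every <add> under any <globalModules> element."""
    root = ET.fromstring(config_xml)
    modules = []
    for global_modules in root.iter("globalModules"):
        for entry in global_modules.findall("add"):
            modules.append((entry.get("name"), entry.get("image")))
    return modules


def suspicious_modules(config_xml, expected_dir=EXPECTED_DIR):
    """Flag native modules whose DLL is missing or outside the expected directory."""
    prefix = _norm(expected_dir).rstrip("\\") + "\\"
    return [(name, image) for name, image in list_native_modules(config_xml)
            if not image or not _norm(image).startswith(prefix)]


if __name__ == "__main__":
    for name, image in suspicious_modules(SAMPLE_CONFIG):
        print(f"REVIEW: native module {name!r} loads from unexpected path {image}")
```

Modules it flags should then be checked for a valid Microsoft signature and compared against the server's build baseline before being removed.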

The researchers said that organizations that manage sensitive data on their servers should watch out for this malware, in particular organizations using the Outlook on the Web (OWA) service on their Exchange mail servers.

“OWA is implemented through IIS and is an interesting target for espionage. Either way, the best way to keep IISpy off your servers is to keep them up to date and carefully review which services are exposed to the Internet, in order to reduce the risk of server exploitation,” they added.
