New IIS web server threats eavesdropping on governments and e-commerce sector

ESET revealed new IIS web server threats are eavesdropping on governments and targeting e-commerce transactions. The researchers found ten previously unknown malware families built as malicious extensions for Microsoft‘s Internet Information Services (IIS) webserver software. This varied class of attacks operates by eavesdropping on and manipulating the server’s communications, targeting government mailboxes and e-commerce credit card transactions, and assisting in malware distribution. According to ESET telemetry and the findings of subsequent internet-wide scans conducted by ESET researchers to detect the presence of these backdoors, at least five IIS backdoors have been propagating through server exploitation of Microsoft Exchange email servers in 2021.

Governments in Southeast Asia and hundreds of firms from various industries, notably in Canada, Vietnam, India, and the United States, New Zealand, South Korea, and other countries, are among the victims.

ESET Research is releasing a white paper titled “Anatomy of native IIS malware”, as well as a series of blog postings about the three most significant threats: IIStealer, IISpy, and IISerpent. Starting today and continuing until August 11, 2021, these will be published on WeLiveSecurity. ESET’s IIS malware research was initially presented at Black Hat USA 2021 and will be shared with the community at the Virus Bulletin 2021 conference on October 8, 2021.

IIS malware is a broad category of threats used in cybercrime, cyberespionage, and SEO fraud. Its main goal is to intercept HTTP requests sent to a compromised IIS server and alter how the server replies to (some of) them. “Internet Information Services web servers have been targeted by various malicious actors, for cybercrime and cyberespionage alike. The software’s modular architecture, designed to provide extensibility for web developers, can be a useful tool for attackers,” says ESET researcher Zuzana Hromcová, author of the paper.

ESET has identified five main modes in which IIS malware operates:

• IIS backdoors allow their operators to remotely control the compromised computer with IIS installed.
• IIS infostealers allow their operators to intercept regular traffic between the compromised server and its legitimate visitors and steal information such as login credentials and payment information
• IIS injectors modify HTTP responses sent to legitimate visitors to serve malicious content
• IIS proxies turn the compromised server into an unwitting part of another malware family’s command and control infrastructure.
• SEO fraud IIS malware modifies the content served to search engines to manipulate SERP algorithms and boost the ranking for other websites of interest to the attackers.

“It is still quite rare for security software to run on IIS servers, which makes it easy for attackers to operate unnoticed for long periods of time. This should be disturbing for all serious web portals that want to protect their visitors’ data, including authentication and payment information. Organizations that use Outlook on the web should also pay attention, as it depends on IIS and could be an interesting target for espionage,” explains Hromcová.

ESET Research has a few suggestions to assist you in defending against IIS malware assaults. IIS server administration includes using unique, strong passwords and multifactor authentication; keeping the operating system up to date; using a web application firewall and endpoint security solution for the server; and regularly checking the IIS server configuration to ensure that all installed extensions are legitimate.