Malicious IIS Extensions Gaining Popularity Among Cyber Criminals for Persistent Access



Threat actors are increasingly abusing Internet Information Services (IIS) extensions to backdoor servers, using them as a "durable persistence mechanism" that hides deep inside the target environment.

The Microsoft 365 Defender Research Team published a warning about these backdoors, which are harder to detect because they reside in the same directories as the legitimate modules used by the target applications.

Malicious IIS Extensions

Malicious IIS extensions are less frequently encountered in attacks against servers; attackers often use only script web shells as the first-stage payload and deploy the IIS backdoor later, once they have a foothold, to keep stealthy and persistent access to the compromised server.

IIS backdoors are harder to detect because they mostly reside in the same directories as the legitimate modules used by the target application and follow the same code structure as clean modules, so nothing about their location or shape stands out on casual inspection.

Once loaded into the IIS worker process, a malicious module lets the threat actor harvest credentials from system memory, collect information from the network and the infected device, and deliver additional malware payloads.

IIS modules are not a common format for backdoor malware, especially compared with typical web application threats such as web shells. Because a module is a registered DLL rather than a script dropped into a web root, it can easily be missed by standard file monitoring, so defenders should specifically review the module configuration and the DLLs it points to.

Describing one backdoor observed on Microsoft Exchange servers, security researcher Hardik Suri wrote: "The backdoor had built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration."

Mitigation Steps

  • Apply the latest security updates to server components, including IIS, the .NET Framework and hosted applications such as Exchange.
  • Keep antivirus and other endpoint protections enabled on the server.
  • Review sensitive roles and groups, restrict access by applying the principle of least privilege, and maintain good credential hygiene so that a harvested credential does not give the attacker more than it should.

Indicators of compromise (IOCs)

File name                                        SHA-256
HttpCompress.dll                                 4446f5fce13dd376ebcad8a78f057c0662880fdff7fe2b51706cb5a2253aa569
HttpSessionModule.dll                            1d5681ff4e2bc0134981e1c62ce70506eb0b6619c27ae384552fe3bdc904205c
RewriterHttpModule.dll                           c5c39dd5c3c3253fffdd8fee796be3a9361f4bfa1e0341f021fba3dafcab9739
Microsoft.Exchange.HttpProxy.HttpUtilities.dll   d820059577dde23e99d11056265e0abf626db9937fc56afde9b75223bf309eb0
HttpManageMoudle.dll                             95721eedcf165cd74607f8a339d395b1234ff930408a46c37fa7822ddddceb80
IIS_backdoor.dll                                 e352ebd81a0d50da9b7148cf14897d66fd894e88eda53e897baa77b3cc21bd8a
FinanceSvcModel.dll                              5da41d312f1b4068afabb87e40ad6de211fa59513deb4b94148c0abde5ee3bd5
App_Web_system_web.ashx.dll                      290f8c0ce754078e27be3ed2ee6eff95c4e10b71690e25bbcf452481a4e09b9d
App_Web_error.ashx.dll                           2996064437621bfecd159a3f71166e8c6468225e1c0189238068118deeabaa3d
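The article notes that these backdoors hide among legitimate modules and are missed by ordinary file monitoring, and the IOC list above gives hashes to look for. The following PowerShell script is an added example, not code from Microsoft's report or from this article, that turns both points into a check a server administrator can run: it reads the IIS module registrations from applicationHost.config and each site's web.config, hashes the native module DLLs, the site bin folders and the compiled ASP.NET cache, and flags anything that matches an IOC hash, is unsigned, or is a native module loaded from outside the default inetsrv directory. It assumes an elevated PowerShell session on the IIS host and the default IIS and .NET Framework install paths.

```powershell
# Added example (not from Microsoft's report or the original article).
# Audits an IIS host for backdoored modules. Assumptions: elevated PowerShell on the
# IIS server, default paths for applicationHost.config and the .NET Framework.

# SHA-256 hashes from the IOC table above
$IocHashes = @(
    '4446f5fce13dd376ebcad8a78f057c0662880fdff7fe2b51706cb5a2253aa569'   # HttpCompress.dll
    '1d5681ff4e2bc0134981e1c62ce70506eb0b6619c27ae384552fe3bdc904205c'   # HttpSessionModule.dll
    'c5c39dd5c3c3253fffdd8fee796be3a9361f4bfa1e0341f021fba3dafcab9739'   # RewriterHttpModule.dll
    'd820059577dde23e99d11056265e0abf626db9937fc56afde9b75223bf309eb0'   # Microsoft.Exchange.HttpProxy.HttpUtilities.dll
    '95721eedcf165cd74607f8a339d395b1234ff930408a46c37fa7822ddddceb80'   # HttpManageMoudle.dll
    'e352ebd81a0d50da9b7148cf14897d66fd894e88eda53e897baa77b3cc21bd8a'   # IIS_backdoor.dll
    '5da41d312f1b4068afabb87e40ad6de211fa59513deb4b94148c0abde5ee3bd5'   # FinanceSvcModel.dll
    '290f8c0ce754078e27be3ed2ee6eff95c4e10b71690e25bbcf452481a4e09b9d'   # App_Web_system_web.ashx.dll
    '2996064437621bfecd159a3f71166e8c6468225e1c0189238068118deeabaa3d'   # App_Web_error.ashx.dll
)

$InetSrv = Join-Path $env:windir 'System32\inetsrv'
$AppHost = Join-Path $InetSrv 'config\applicationHost.config'
[xml]$Config = Get-Content -LiteralPath $AppHost -Raw

function Test-ModuleDll {
    param([string]$Path, [string]$Source, [switch]$ExpectInetSrv)
    # applicationHost.config stores paths with %windir%-style variables
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $full)) {
        return [pscustomobject]@{ Source = $Source; Path = $full; Hash = $null; Flags = 'missing file' }
    }
    $hash  = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash.ToLower()
    $sig   = Get-AuthenticodeSignature -LiteralPath $full
    $flags = @()
    if ($IocHashes -contains $hash) { $flags += 'IOC HASH MATCH' }
    if ($sig.Status -ne 'Valid')    { $flags += "signature:$($sig.Status)" }
    if ($ExpectInetSrv -and -not $full.StartsWith($InetSrv, [StringComparison]::OrdinalIgnoreCase)) {
        $flags += 'native module outside inetsrv'   # normal for Exchange and similar, but worth a look
    }
    [pscustomobject]@{ Source = $Source; Path = $full; Hash = $hash; Flags = ($flags -join ', ') }
}

$results = @()

# 1. Native modules: every <globalModules><add image="..."> DLL is loaded into each w3wp.exe.
foreach ($m in $Config.SelectNodes('//globalModules/add')) {
    $results += Test-ModuleDll -Path $m.image -Source "globalModule:$($m.name)" -ExpectInetSrv
}

# 2. Managed modules registered server-wide resolve from the GAC, so there is no file path to
#    hash here; record the type names so an unfamiliar registration stands out for review.
foreach ($m in $Config.SelectNodes('//modules/add[@type]')) {
    $results += [pscustomobject]@{ Source = "managedModule:$($m.name)"; Path = $m.type; Hash = $null; Flags = 'review type' }
}

# 3. Per site: modules added in web.config load from the site's bin folder, so hash every DLL there.
foreach ($vd in $Config.SelectNodes("//sites/site/application/virtualDirectory[@path='/']")) {
    $site   = $vd.ParentNode.ParentNode.name
    $root   = [Environment]::ExpandEnvironmentVariables($vd.physicalPath)
    $wcPath = Join-Path $root 'web.config'
    if (Test-Path -LiteralPath $wcPath) {
        [xml]$wc = Get-Content -LiteralPath $wcPath -Raw
        foreach ($m in $wc.SelectNodes('//modules/add[@type] | //httpModules/add[@type]')) {
            $results += [pscustomobject]@{ Source = "site:$site web.config:$($m.name)"; Path = $m.type; Hash = $null; Flags = 'review type' }
        }
    }
    foreach ($dll in (Get-ChildItem -LiteralPath (Join-Path $root 'bin') -Filter *.dll -ErrorAction SilentlyContinue)) {
        $results += Test-ModuleDll -Path $dll.FullName -Source "site:$site bin"
    }
}

# 4. Compiled ASP.NET handlers (the App_Web_*.ashx.dll IOCs) live in the Temporary ASP.NET Files cache.
$tempAspNet = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files'
foreach ($dll in (Get-ChildItem -LiteralPath $tempAspNet -Recurse -Filter *.dll -ErrorAction SilentlyContinue)) {
    $results += Test-ModuleDll -Path $dll.FullName -Source 'aspnet-temp'
}

# Dynamically compiled handlers are never signed, so for the cache only report IOC hits.
$results |
    Where-Object { $_.Flags -and -not ($_.Source -eq 'aspnet-temp' -and $_.Flags -notmatch 'IOC') } |
    Sort-Object Source | Format-Table Source, Flags, Path -AutoSize
```

An "IOC HASH MATCH" is a confirmed hit. The other flags are review items rather than verdicts: an unsigned DLL in a site's bin folder or a native module outside inetsrv may be perfectly legitimate for that application, so compare each one against a known-good build or a clean reference server before treating it as malicious.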


About the Author:

FirstHackersNews- Identifies Security
