Malicious IIS extensions are used to improve persistence of backdoors

IIS extensions used to backdoor unpatched Exchange servers

Malware deployed on Exchange servers: threat actors use malicious IIS modules to evade malware detection

Threat actors rely on the Internet Information Services extensions to access servers because these extensions help to establish a durable persistence mechanism. Microsoft 365 Defender Research Team released a warning on the backdoors that are harder to detect due to residing in the same directories as legitimate modules used by target applications.[1]

They also use the same code structure as clean modules, and attack chains can commence by weaponizing critical flaws in the hosted application. This is done to gain initial access and then use that foothold to drop a script web shell as the first stage of the attack.[2]

These backdoors using IIS extensions are hidden deep inside the compromised servers and often very hard to detect. Threats get installed in the exact location and the same structure as the legitimate modules, so attackers have a durable persistence mechanism and can monitor incoming and outgoing requests and run remote commands.[3]

Persistent server compromise

Malicious actors do not use these malicious extensions commonly. These extensions are typically deployed only after the server has already been compromised using exploits for particular unpatched security bugs.[4] In that scenario the web shell is deployed as the first payload in the attack, and the IIS module that gets deployed later provides stealthy and persistent access to the hacked server.

In most cases, the actual backdoor logic is minimal and cannot be recognized as malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection.

Additionally, malicious IIS modules allow threat actors to harvest credentials from the system's memory, collect data from the network and infected devices, and deliver other malware payloads. Microsoft had already reported these custom IIS backdoors when threat actors exploited vulnerabilities in ZOHO ManageEngine ADSelfService and SolarWinds Orion.[5]

Campaigns on Exchange servers

There are more recent campaigns that have targeted the Microsoft Exchange servers where attackers deployed malicious IIS extensions to gain access to email boxes, run remote commands and steal credentials or even confidential data. The backdoor can perform Exchange management operations like enumerating installed mailbox accounts and exporting mailboxes for exfiltration. Servers were targeted with web shells by exploiting the ProxyShell flaws that led to the deployment of a backdoor.

Various researchers have reported that malware got delivered as IIS extensions onto Microsoft Exchange servers to execute particular commands and remotely gather credentials. These malicious IIS web server modules have been used to target government organizations and public transportation companies in Southeast Asia and Europe at the end of last year.

IIS modules are not a common format for backdoor malware, especially when compared to typical web application threats like web shells. This means that these threats can easily be missed during standard file monitoring efforts, so it is important to mitigate the risk deliberately.

It is possible to defend against these attacks even when malicious IIS modules are used. Microsoft advises customers to keep their Exchange servers up to date and keep proper antivirus tools and security solutions enabled. It is also important to restrict access to IIS virtual directories, prioritize alerts, inspect configuration files and bin folders, and review sensitive roles and groups.
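One way to act on the "inspect configuration files" advice is to compare the modules registered in applicationHost.config and a site's web.config against a known-good baseline and flag anything unknown or loaded from an unexpected path. This is an added example, not code from the article or from Microsoft; the two sample configs, the baseline set and the module names in them are constructed for illustration.

```python
"""Detection helper: list IIS modules registered in IIS config files and flag
entries that are not in a known-good baseline or whose native DLL lives
outside the standard inetsrv directory. Sample configs are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: trimmed applicationHost.config. The third entry keeps a
# legitimate-looking name but points at a DLL outside inetsrv.
APPHOST_XML = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="HttpCacheModule" image="C:\\inetpub\\temp\\cachehelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Constructed sample: a site web.config registering a managed module whose
# assembly would be loaded from the site's bin folder.
WEBCONFIG_XML = """<configuration>
  <system.webServer>
    <modules>
      <add name="ExchangeHealthModule" type="Exchange.Health.Module, ExchangeHealth" />
    </modules>
  </system.webServer>
</configuration>"""

# Hypothetical baseline; in practice export it from a clean server of the same build.
BASELINE = {"StaticFileModule", "DefaultDocumentModule", "HttpCacheModule"}
NATIVE_DIR = "%windir%\\system32\\inetsrv\\"


def list_modules(xml_text):
    """Return (name, image_or_type, is_native) for every registered module."""
    root = ET.fromstring(xml_text)
    found = []
    for gm in root.iter("globalModules"):          # native modules (DLL image)
        for add in gm.findall("add"):
            found.append((add.get("name"), add.get("image", ""), True))
    for m in root.iter("modules"):                 # managed modules (.NET type)
        for add in m.findall("add"):
            found.append((add.get("name"), add.get("type", ""), False))
    return found


def suspicious_modules(xml_text, baseline=BASELINE):
    """Flag unknown names, and native modules loaded from outside inetsrv."""
    flagged = []
    for name, location, native in list_modules(xml_text):
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        if native and not location.lower().startswith(NATIVE_DIR):
            reasons.append("image outside inetsrv")
        if reasons:
            flagged.append((name, location, "; ".join(reasons)))
    return flagged
```

Run it against copies of the real files collected from a server under investigation; a baseline name paired with an unexpected image path is exactly the case the article describes.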

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
