New malware plants backdoor on Microsoft web server software

Security researchers have discovered malware that can install a backdoor on Microsoft’s web server software Internet Information Services (IIS).

Dubbed IISpy, the malware uses various means to interfere with the server’s logging and evade detection so it can perform long-term espionage.

Researchers said the backdoor has been active since at least July 2020 and has been used with Juicy Potato, a privilege escalation tool.

“We suspect the attackers first obtain initial access to the IIS server via some vulnerability and then use Juicy Potato to obtain the administrative privileges that are required to install IISpy as a native IIS extension,” said researchers.

Investigations unearthed the malware popping up on IIS servers in Canada, the US, and the Netherlands. Researchers suspect more servers have been compromised but said that since it is not common for administrators to use security software on servers, visibility into IIS servers is limited.

IISpy is configured as an IIS extension and can see all the HTTP requests received by the compromised IIS server and shape the HTTP response the server will answer with.

“IISpy uses this channel to implement its C&C communication, which allows it to operate as a passive network implant,” said researchers. Hackers start a connection by sending a special HTTP request to the compromised server. The backdoor recognizes the attacker's request, extracts, and executes the embedded backdoor commands, and modifies the HTTP response to include the command output.

The backdoor enables hackers to get system information, upload and download data, execute files or shell commands, and more. The malware ignores all legitimate visitors HTTP requests sent to the compromised IIS server — the benign server modules handle these.

IISpy is written using the IIS C++ API and uses instances of IHttpContext, IHttpRequest, and IHttpResponse interfaces to parse HTTP requests and manipulate the HTTP responses.

An anti-logging feature also implements the OnLogRequest event handler – called right before the IIS server logs a processed HTTP request. The backdoor uses this handler to modify the log entries for requests coming from the attackers to make them look like casual requests, according to researchers.

Researchers said organizations that handle sensitive data on their servers should watch for this malware. In particular, organizations using Outlook on the web (OWA) service on their Exchange email servers.

“OWA is implemented via IIS and makes an interesting target for espionage. In any case, the best way to keep IISpy out of your servers is to keep them up to date, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation,” they added.