VTA-00421 – Malicious IIS Extensions Used By Attackers To Deploy Covert Backdoors Into Exchange Servers
Attackers are increasingly using malicious extensions for the Internet Information Services (IIS) web server to backdoor unpatched Exchange servers. Such extensions have a lower detection rate than web shells and can be hidden deep within a compromised server. Usually a web shell is deployed after the initial payload has been delivered; the IIS module is then installed on the compromised server to give the attacker stealthier and more persistent access. Once deployed, the module retrieves credentials from system memory, collects data from the infected device and the victim's network, and delivers further payloads at a higher rate. The types of IIS backdoors are web shell-based variants, open-source variants, IIS handlers and credential stealers. Once the IIS extension has been delivered onto a Microsoft Exchange server, the malware can remotely execute commands and steal credentials.
Execution, Lateral Movement, Persistence, Privilege Escalation
Command and Scripting Interpreter, Browser Extensions, Server Software Component, Boot or Logon Autostart Execution, Process Injection, Remote Services
Active Defense Tactics:
Active Defense Techniques:
Baseline, Isolation, Network Manipulation, Network Monitoring, Security Controls, Software Manipulation, System Activity Monitoring
Indicator of Compromise:
SuperPRO’s Threat Countermeasures Procedures:
1. Add the IOC signatures to endpoint security protection as custom threat detection rules.
2. Keep Exchange servers up to date.
3. Practice the principle of least privilege and maintain good credential hygiene.
4. Avoid the use of domain-wide, admin-level service accounts.
5. Place access control list restrictions on virtual directories in IIS.
6. Regularly review the IIS configuration files and application bin folders for unexpected changes.
7. Keep anti-malware and security solutions enabled at all times.
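One way to carry out step 6 together with the Baseline technique listed above is to inventory the registered IIS modules and diff them against a stored snapshot, so a newly registered native or managed module stands out. This is an added example and not part of the advisory; it assumes the WebAdministration module that ships with IIS, an elevated PowerShell session, and a constructed baseline path.

```powershell
# Added example (not from the advisory): snapshot the IIS module inventory and
# compare it with a stored baseline. Assumes WebAdministration and an elevated shell.
Import-Module WebAdministration

function Get-IisModuleInventory {
    # Native modules are registered once, server-wide, in applicationHost.config
    foreach ($m in Get-WebGlobalModule) {
        $path = [Environment]::ExpandEnvironmentVariables($m.Image)
        $sig  = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path }
        [pscustomobject]@{
            Scope  = 'global'
            Name   = $m.Name
            Detail = $path
            # Informational: a non-Microsoft or invalid signer is worth a closer look
            Signer = if ($sig) { "$($sig.Status): $($sig.SignerCertificate.Subject)" } else { 'file missing' }
        }
    }
    # Managed (.NET) modules can be added per site in its web.config and loaded from its bin folder
    foreach ($site in Get-Website) {
        foreach ($m in Get-WebManagedModule -PSPath "IIS:\Sites\$($site.Name)") {
            [pscustomobject]@{ Scope = $site.Name; Name = $m.Name; Detail = $m.Type; Signer = '' }
        }
    }
}

function Compare-IisModuleBaseline {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $current = Get-IisModuleInventory
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        # First run on a known-good server: record the baseline
        $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
        Write-Output "Baseline written to $BaselinePath ($($current.Count) modules)"
        return
    }
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    # Key on scope, name and image/type so a swapped DLL or changed type also shows up
    $key = { "$($_.Scope)|$($_.Name)|$($_.Detail)" }
    Compare-Object -ReferenceObject ($baseline | ForEach-Object $key) -DifferenceObject ($current | ForEach-Object $key) |
        ForEach-Object {
            $status = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            "$status  $($_.InputObject)"
        }
}

# Placeholder path; keep the baseline off the web server so it cannot be edited by an intruder
Compare-IisModuleBaseline -BaselinePath 'C:\Baselines\iis-modules.json'
```

Any ADDED line names a module that was not present when the baseline was taken and should be traced back to a change record or treated as a finding.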
Contributed by: Mute