VTA-00421 – Malicious IIS Extensions Used By Attackers To Deploy Covert Backdoors Into Exchange Servers

Attackers are increasingly using malicious extensions for the Internet Information Services (IIS) web server to backdoor unpatched Exchange servers. Malicious IIS extensions have a lower detection rate than web shells and can be hidden deep within a compromised server. Typically a web shell is deployed first, after the initial payload; the IIS module is then installed on the compromised server to give the attacker stealthier and more persistent access. Once deployed, the module retrieves credentials from system memory, collects data from the infected device and the victim's network, and delivers further payloads at a higher rate. The IIS backdoors observed fall into four types: web shell-based variants, open-source variants, IIS handlers, and credential stealers. Once the IIS extension is delivered onto a Microsoft Exchange server, the malware can execute commands and steal credentials remotely.


Attack Surfaces:
Web Application

Tactics:
Execution, Lateral Movement, Persistence, Privilege Escalation

Techniques:
Command and Scripting Interpreter, Browser Extensions, Server Software Component, Boot or Logon Autostart Execution, Process Injection, Remote Services

Active Defense Tactics:
Detect, Disrupt

Active Defense Techniques:
Baseline, Isolation, Network Manipulation, Network Monitoring, Security Controls, Software Manipulation, System Activity Monitoring

Indicator of Compromise:

SuperPRO's Threat Countermeasures Procedures:
1. Add the IOC signatures to endpoint security protection as custom threat detection rules.
2. Keep Exchange servers up to date.
3. Practice the principle of least privilege and maintain good credential hygiene.
4. Avoid the use of domain-wide, admin-level service accounts.
5. Place access control list restrictions on virtual directories in IIS.
6. Ensure that the IIS configuration files and bin folders contain only expected entries.
7. Keep anti-malware and security solutions enabled at all times.
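As an added example of the Baseline and System Activity Monitoring techniques listed above (this script is not part of the advisory or SuperPRO's procedures), the following PowerShell snapshots the native and managed module registrations in applicationHost.config and diffs them against a known-good baseline. It assumes the default applicationHost.config path and a hypothetical baseline file location; it is run in an elevated PowerShell session on the IIS/Exchange server.

```powershell
# Added example (not from the advisory): baseline and diff IIS module registrations.
# Assumptions: default applicationHost.config path; baseline JSON path is hypothetical
# and was written earlier with -WriteBaseline on a server known to be clean.
param(
    [string]$ConfigPath   = "$env:windir\System32\inetsrv\config\applicationHost.config",
    [string]$BaselinePath = 'C:\IISBaseline\modules.json',   # hypothetical location
    [switch]$WriteBaseline
)

[xml]$cfg = Get-Content -Raw -LiteralPath $ConfigPath

# Native modules: <globalModules><add name="..." image="..."/>. Record the DLL hash
# and Authenticode status so a swapped or unsigned image shows up in the diff.
$native = foreach ($m in $cfg.SelectNodes('//globalModules/add')) {
    $image  = [Environment]::ExpandEnvironmentVariables($m.GetAttribute('image'))
    $exists = Test-Path -LiteralPath $image
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }
    [pscustomobject]@{
        Key    = "native:$($m.GetAttribute('name'))"
        Detail = if ($exists) { (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash } else { 'IMAGE-MISSING' }
        Status = if ($sig) { [string]$sig.Status } else { 'IMAGE-MISSING' }
        Path   = $image
    }
}

# Managed modules: <modules><add name="..." type="..."/> at root and per-location sections.
$managed = foreach ($m in $cfg.SelectNodes('//modules/add[@type]')) {
    [pscustomobject]@{ Key = "managed:$($m.GetAttribute('name'))"; Detail = $m.GetAttribute('type'); Status = ''; Path = '' }
}
$current = @($native) + @($managed)

if ($WriteBaseline) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
    Write-Host "Baseline written with $($current.Count) module entries to $BaselinePath"
    return
}

# Compare against the baseline: report added, changed and removed registrations,
# plus any native image whose signature is not valid.
$baseline = @{}
foreach ($b in (Get-Content -Raw -LiteralPath $BaselinePath | ConvertFrom-Json)) { $baseline[$b.Key] = $b.Detail }
$seen = @{}
foreach ($c in $current) {
    $seen[$c.Key] = $true
    if (-not $baseline.ContainsKey($c.Key))  { Write-Warning "NEW module     $($c.Key) $($c.Path) $($c.Detail)" }
    elseif ($baseline[$c.Key] -ne $c.Detail) { Write-Warning "CHANGED module $($c.Key) $($c.Path) $($c.Detail)" }
    if ($c.Key -like 'native:*' -and $c.Status -ne 'Valid') { Write-Warning "Native image not validly signed: $($c.Path) ($($c.Status))" }
}
foreach ($k in $baseline.Keys) { if (-not $seen.ContainsKey($k)) { Write-Warning "REMOVED module $k" } }
```

Managed modules can also be registered in per-site web.config files under each site root; baseline those files the same way, since a new entry there is as effective for persistence as one in applicationHost.config.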

Contributed by:  Mute
