Malicious IIS extensions gaining increasing interest from cybercriminals
Threat actors are abusing Internet Information Services (IIS) at an increasingly concerning level, backdooring servers through IIS extensions in an attempt to establish a “durable persistence mechanism”.
A new warning from the Microsoft Defender Research Team states that IIS backdoors are also harder to detect, since they mostly reside in the same directories as the legitimate modules used by the target applications, and they follow the same code structure as clean modules.
The attack chains that use this approach start with weaponizing a critical vulnerability in the hosted application for initial access. After gaining this foothold, the attackers drop a script web shell as the first-stage payload.
Using this web shell, the attackers then install a rogue IIS module to provide highly covert and persistent access to the server. The module additionally monitors incoming and outgoing requests and runs remote commands.
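Because a rogue module has to be registered in IIS configuration to load at all, the registration lists are a practical place for defenders to look, even when the DLL itself sits beside legitimate ones. The PowerShell below is an added example for this article, not code from the Microsoft report or from any tool it describes. It assumes the default applicationHost.config location, that stock native modules live under %windir%\System32\inetsrv and carry a valid Microsoft (catalog) signature, and that stock managed modules come from System.Web or System.ServiceModel types; anything outside that baseline is reported for review rather than declared malicious, and reading the config normally requires an elevated session.

```powershell
# Added example (not from the Microsoft or Kaspersky reports): audit the IIS module
# registrations a rogue extension must appear in. Assumptions, labelled here:
# default applicationHost.config path; stock native modules live in
# %windir%\System32\inetsrv and are Microsoft-signed (catalog signatures are
# validated by Get-AuthenticodeSignature); stock managed modules are
# System.Web.* / System.ServiceModel.* types. Findings are "review this", not verdicts.
function Get-SuspiciousIisModules {
    param(
        # applicationHost.config plus any site-level web.config files to inspect
        [string[]]$ConfigPath = @(Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'),
        # directory where stock native module DLLs are expected to live
        [string]$TrustedDir = (Join-Path $env:windir 'System32\inetsrv')
    )

    foreach ($path in $ConfigPath) {
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        [xml]$config = Get-Content -LiteralPath $path -Raw

        # Native modules: <globalModules><add name="..." image="%windir%\...\x.dll" /></globalModules>
        foreach ($m in $config.SelectNodes('//globalModules/add[@image]')) {
            $name  = $m.GetAttribute('name')
            $image = [Environment]::ExpandEnvironmentVariables($m.GetAttribute('image'))
            $reasons = @()

            if (-not $image.StartsWith($TrustedDir, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "image outside $TrustedDir"
            }
            if (-not (Test-Path -LiteralPath $image)) {
                $reasons += 'image file not found'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $image
                if ($sig.Status -ne 'Valid') {
                    $reasons += "signature status $($sig.Status)"
                } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                    $reasons += "signed by $($sig.SignerCertificate.Subject)"
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Config   = $path
                    Kind     = 'native'
                    Name     = $name
                    Location = $image
                    Reason   = ($reasons -join '; ')
                }
            }
        }

        # Managed modules: <modules><add name="..." type="Some.Namespace.Class[, Assembly]" /></modules>
        # Entries without a type attribute only enable an already-registered native module.
        foreach ($m in $config.SelectNodes('//modules/add[@type]')) {
            $type = $m.GetAttribute('type')
            if ($type -notmatch '^System\.(Web|ServiceModel)\.') {
                [pscustomobject]@{
                    Config   = $path
                    Kind     = 'managed'
                    Name     = $m.GetAttribute('name')
                    Location = $type
                    Reason   = 'type outside System.Web / System.ServiceModel'
                }
            }
        }
    }
}

# Example run: the global config plus every web.config under the default site root,
# since site-level web.config files can register managed modules too.
$siteConfigs = Get-ChildItem -Path 'C:\inetpub\wwwroot' -Filter 'web.config' -Recurse -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
$allConfigs = @(Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config') + @($siteConfigs)
Get-SuspiciousIisModules -ConfigPath $allConfigs | Format-Table -AutoSize
```

Legitimately installed add-ons will appear in the output as well (for example a Microsoft-signed module installed outside the inetsrv directory), so the first run on a known-good server should be kept as a baseline and later runs compared against it; a new native module with an unsigned image, or a managed module whose type lives in an unfamiliar assembly, is the pattern this article's warning is about.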
Researchers from Kaspersky disclosed earlier this month a campaign undertaken by the Gelsemium group, which was found to be taking advantage of the ProxyLogon Exchange Server flaws to launch a piece of IIS malware called SessionManager.
The tech giant also observed attacks earlier, between January and May 2022, in which attackers targeted Exchange servers by means of an exploit for the ProxyShell flaws. This ultimately led to the deployment of a backdoor called “FinanceSycModel.dll”.