Malware, Black Hat

Getting to know IIS malware

IIS malware was first identified in 2013, but was most recently a component of the Halfnium Exchange campaign. (“Server room” by torkildr is licensed with CC BY-SA 2.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/2.0/
IIS malware was first identified in 2013, but was most recently a component of the Halfnium Exchange campaign. ("Server room" by torkildr is licensed with CC BY-SA 2.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/2.0/

IIS malware is not new. The first discovery of malware targeting Microsoft's Internet Information Services web server date back to 2013. The most explosive instance of IIS malware came this year, with the Hafnium Microsoft Exchange attacks. But, until now, there has not been a systematic study of IIS malware. Zuzana Hromcová, malware researcher with ESET, is looking to remedy that with her Wednesday Black Hat talk and corresponding white paper outlining the internals of an old but still emerging threat also being released Wednesday.

"If you're a reverse engineer, and you see this kind of malware, then you will have a hard time finding resources at the moment on how start to understand where to find that malicious functionality," said Hromcová, in an interview prior to the white paper's release.

The malware potential for IIS dates back to the days of Microsoft Vista, when Microsoft introduced the modular, extensible IIS 7.0. Making it easier to customize had a lot of advantages for customers, but it also created an extremely effective vector for hackers.

The white paper is 73 pages and covers a wide variety of ground. It contains technical details of how modules operate, case studies, and an analysis of 14 different malware families — 10 of which had not previously been reported.

Hromcová said IIS makes for a good target, because it offers the ability to observe traffic through the server and impact requests. Its use can be adapted to anything from reading email to use as a proxy to anonymize other attacks to stealing credit card information.

"It's actually very diverse. We have seen malware used for cybercrime, for cyber espionage, and for cyber fraud," she said.

Hromcová thinks IIS malware should be a concern not only for malware researchers but also for e-commerce websites and network defenders. The former, she said, might protect customers by using payment gateways, putting the onus of defense on a payment processor, or emphasizing HTTPS whenever possible. The latter could make sure the only people who can install modules have administrative rights and make sure all modules are properly signed.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Related

GitHub search exploited for malware distribution

Malware-laced GitHub repositories using popular names and topics are being advanced by threat actors through automated updates and fraudulent stars meant to manipulate the leading software developer platform's search rankings as part of a new open-source supply chain attack, The Hacker News reports.

Rhadamanthys infostealer deployed via AI-based PowerShell

Several organizations across Germany have been targeted by suspected initial access broker TA547, also known as Scully Spider, with attacks using a generative artificial intelligence-based PowerShell to deliver the Rhadamanthys information-stealing malware, reports BleepingComputer.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.