Malicious IIS extensions attracting growing interest from cybercriminals

Threat actors are abusing Microsoft's Internet Information Services (IIS) web server at a concerning and increasing rate, installing malicious extensions to backdoor servers in an attempt to establish a "durable persistence mechanism".

A new warning from the Microsoft Defender Research Team states that IIS backdoors are also harder to detect, since they mostly reside in the same directories as the legitimate modules used by the target applications and follow the same code structure as clean modules.

Attack chains using this approach start with the exploitation of a critical vulnerability in the hosted application for initial access. After gaining this foothold, the attackers drop a script web shell as the first-stage payload.

Using this web shell, the attackers then install a rogue IIS module that provides highly covert and persistent access to the server. The module also monitors incoming and outgoing requests and can run remote commands.
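Because a rogue module sits next to legitimate ones and looks like them on disk, the practical check is to inventory what IIS actually loads and verify each binary rather than trusting its location. The following script is an added example written for this article, not code from Microsoft's report; it assumes an elevated PowerShell session on the IIS host with the WebAdministration module available (IIS 7 and later) and uses only the standard cmdlets Get-WebGlobalModule and Get-AuthenticodeSignature. It lists every globally registered native module, resolves its DLL path, and flags anything that is missing, unsigned, not signed by Microsoft, or located outside the Windows directory.

```powershell
# Added example (not from the article): audit globally registered IIS native modules.
# Assumes: elevated session on the IIS host, WebAdministration module present.
Import-Module WebAdministration

$windir = $env:windir

function Get-IISModuleFindings {
    foreach ($m in Get-WebGlobalModule) {
        # globalModules entries are native modules; Image is the DLL path and
        # usually contains environment variables such as %windir%.
        $path = [Environment]::ExpandEnvironmentVariables($m.Image)

        if (-not (Test-Path -LiteralPath $path)) {
            # A registered module whose file is gone is worth a look on its own.
            [pscustomobject]@{ Name = $m.Name; Path = $path; Signer = ''; Status = 'Missing file' }
            continue
        }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Signature first: a backdoor dropped into inetsrv passes any path-based check,
        # so the signer, not the directory, is the primary signal.
        $status = if ($sig.Status -ne 'Valid') { 'Unsigned or invalid signature' }
                  elseif ($signer -notmatch 'O=Microsoft Corporation') { 'Non-Microsoft signer (review)' }
                  elseif (-not $path.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)) { 'Outside Windows directory (review)' }
                  else { 'OK' }

        [pscustomobject]@{ Name = $m.Name; Path = $path; Signer = $signer; Status = $status }
    }
}

# Show only modules that need attention; drop the filter to see the full inventory.
Get-IISModuleFindings | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

Third-party modules that are legitimately installed will show up as "Non-Microsoft signer (review)"; the point is to reconcile the list against what is expected on that server, not to treat every hit as malicious. Managed modules registered per site in web.config are not covered by Get-WebGlobalModule and should be reviewed separately with Get-WebManagedModule against each site's path.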

Researchers from Kaspersky disclosed earlier this month a campaign undertaken by the Gelsemium group, which was found taking advantage of the ProxyLogon Exchange Server flaws to deploy a piece of IIS malware called SessionManager.

Microsoft also observed attacks between January and May 2022 in which attackers targeted Exchange servers with an exploit for the ProxyShell flaws. This ultimately led to the deployment of a backdoor called "FinanceSvcModel.dll".
