Malicious Internet Information Services (IIS) extensions are increasingly becoming hackers’ favorite backdoor routes to vulnerable Exchange servers, according to Microsoft.
Unlike web shells, malware-laced IIS extensions have a lower detection rate, which makes it easier for perpetrators to slip by unnoticed.
Furthermore, they mimic legitimate modules closely by replicating their structure and using the same installation location as their counterparts. Due to their stealthy nature, detecting these extensions can be challenging, giving threat actors durable persistence on compromised systems.
“Typically, attackers first exploit a critical vulnerability in the hosted application for initial access before dropping a script web shell as the first stage payload,” according to a Microsoft 365 Defender Research Team blog post. “At a later point in time, the attackers then install an IIS backdoor to provide highly covert and persistent access to the server.”
The company says attackers still prefer using exclusively “script web shells as the first stage payload,” making malicious IIS extensions less likely to encounter. The extensions’ subterfuge abilities and a failure to understand how their legitimate analogs work could make it harder to accurately determine the infection source.
Besides their low detection rate and efficiency in achieving durable persistence on compromised systems, malware-ridden IIS extensions can perform various operations. After registering with the host application, perpetrators can use the backdoor to monitor incoming and outgoing requests, dump credentials, perform arbitrary code execution remotely, and exfiltrate data.
Microsoft released a series of security practices that system administrators can follow to boost their servers’ defenses:
net
, cmd
)tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsDecember 24, 2024
December 19, 2024
November 14, 2024