Hackers Increasingly Use IIS Extensions as Exchange Backdoors, Microsoft Says

Malicious Internet Information Services (IIS) extensions are increasingly becoming hackers’ favorite backdoor routes to vulnerable Exchange servers, according to Microsoft.

Unlike web shells, malware-laced IIS extensions have a lower detection rate, which makes it easier for perpetrators to slip by unnoticed.

Furthermore, they mimic legitimate modules closely by replicating their structure and using the same installation location as their counterparts. Due to their stealthy nature, detecting these extensions can be challenging, giving threat actors durable persistence on compromised systems.

“Typically, attackers first exploit a critical vulnerability in the hosted application for initial access before dropping a script web shell as the first stage payload,” according to a Microsoft 365 Defender Research Team blog post. “At a later point in time, the attackers then install an IIS backdoor to provide highly covert and persistent access to the server.”

The company says attackers still prefer using exclusively “script web shells as the first stage payload,” making malicious IIS extensions less likely to encounter. The extensions’ subterfuge abilities and a failure to understand how their legitimate analogs work could make it harder to accurately determine the infection source.

Besides their low detection rate and efficiency in achieving durable persistence on compromised systems, malware-ridden IIS extensions can perform various operations. After registering with the host application, perpetrators can use the backdoor to monitor incoming and outgoing requests, dump credentials, perform arbitrary code execution remotely, and exfiltrate data.

Microsoft released a series of security practices that system administrators can follow to boost their servers’ defenses:

• Installing the latest security updates as soon as they're available
• Enabling firewall and multi-factor authentication (MFA)
• Enforcing attack surface reduction rules to block suspicious behaviors automatically
• Enabling tamper protection to prevent threat actors from disabling security services
• Regularly reviewing privileged and sensitive roles and groups
• Implementing strong password policies
• Regularly inspecting the list of installed modules and their configuration files
• Prioritizing alerts to sensitive processes (e.g., net, cmd)