Threat actors are increasingly abusing Internet Information Services (IIS) extensions to backdoor servers as a means of establishing a “durable persistence mechanism.” This comes from a statement by the Microsoft 365 Defender Research Team, who said, “IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules.” The approach begins with weaponizing a critical vulnerability in the hosted application for initial access, then using this foothold to drop a script web shell as the first-stage payload. The web shell then becomes the conduit for installing a rogue IIS module. It is also responsible for running remote commands and monitoring incoming and outgoing requests.
There have been several recent attacks involving IIS. Earlier this month, Kaspersky researchers reported a campaign undertaken by the Gelsemium group in which they deployed a piece of IIS malware called SessionManager. In a separate set of attacks, Microsoft Exchange servers were targeted with web shells by means of an exploit for the ProxyShell flaws, which led to the deployment of a backdoor with a built-in capability to perform Exchange management operations. To mitigate these attacks, it is recommended to apply the latest updates for server components, keep antivirus enabled, review sensitive roles and groups, restrict access by practicing the principle of least privilege, and maintain good credential hygiene.
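Because a rogue native module sits beside legitimate ones and is loaded through the same registration, a useful defender check is to audit what IIS is actually configured to load. The following PowerShell snippet is an added example, not code from the article, Microsoft, or Kaspersky: it reads the native modules registered in applicationHost.config and flags any whose DLL is missing, not validly signed by Microsoft, or located outside the standard inetsrv directory. The config path is the standard IIS location; the "Suspicious" heuristic is an assumption for triage, since legitimate third-party modules will also be flagged.

```powershell
# Added example: audit native IIS global modules for signs of a rogue module.
# Run in an elevated 64-bit PowerShell on the IIS host. The flagging rule is a
# triage heuristic (assumption), not a verdict; review each hit by hand.

$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$config = Get-Content -Path $configPath -Raw

# Standard location of Microsoft's own native modules.
$inetsrvDir = (Join-Path $env:windir 'System32\inetsrv').ToLowerInvariant()

$results = foreach ($mod in $config.configuration.'system.webServer'.globalModules.add) {
    # The image attribute normally contains %windir%; expand it before touching the file.
    $image  = [Environment]::ExpandEnvironmentVariables($mod.image)
    $status = 'FileMissing'
    $signer = 'N/A'

    if (Test-Path -LiteralPath $image) {
        # Authenticode check: a dropped DLL is typically unsigned or self-signed.
        $sig    = Get-AuthenticodeSignature -FilePath $image
        $status = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    $outsideInetsrv  = -not $image.ToLowerInvariant().StartsWith($inetsrvDir)
    $microsoftSigned = ($status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Name            = $mod.name
        Image           = $image
        SignatureStatus = $status
        Signer          = $signer
        # Flag anything not Microsoft-signed OR living outside inetsrv. A module that
        # is unsigned but sits inside inetsrv still shows up, which is the case the
        # article describes (rogue module in the same directory as clean ones).
        Suspicious      = (-not $microsoftSigned) -or $outsideInetsrv
    }
}

# Suspicious entries first; compare against a known-good baseline from a clean host.
$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Managed modules registered in a site's web.config and modules loaded at the site rather than the server level are not covered by this check, so it complements rather than replaces a full review of the IIS configuration.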