IISpy: A complex server-side backdoor with anti-forensic features

The second in our series on IIS threats dissects a malicious IIS extension that employs nifty tricks in an attempt to secure long-term espionage on the compromised servers
ESET researchers have discovered and analyzed a previously undocumented backdoor, implemented as an extension for Internet Information Services (IIS), Microsoft’s web server software. The backdoor, which we named IISpy, uses a variety of tricks to interfere with the server’s logging and to evade detection, in order to perform long-term espionage. IISpy is detected by ESET security solutions as Win{32,64}/BadIIS.
This blogpost is the second installment in our series where ESET researchers put IIS web server threats under the microscope – the other parts discuss IIS malware used for cybercrime and SEO fraud, respectively. For a comprehensive guide to how to detect, analyze and remove IIS malware, refer to our white paper Anatomy of native IIS malware, where IISpy is featured as one of the studied families (Group 7).
According to ESET telemetry, this backdoor has been active since at least July 2020, and has been used with Juicy Potato (detected as Win64/HackTool.JuicyPotato by ESET security solutions), which is a privilege escalation tool. We suspect the attackers first obtain initial access to the IIS server via some vulnerability, and then use Juicy Potato to obtain the administrative privileges that are required to install IISpy as a native IIS extension.
According to our telemetry, IISpy affects a small number of IIS servers located in Canada, the USA and the Netherlands – but this is likely not the full picture, as it is still common for administrators to not use any security software on servers, and thus our visibility into IIS servers is limited.
Because IISpy is configured as an IIS extension, it can see all the HTTP requests received by the compromised IIS server, and shape the HTTP response that the server will answer with. IISpy uses this channel to implement its C&C communication, which allows it to operate as a passive network implant. As shown in Figure 1, the operator (not the backdoor) initiates the connection by sending a special HTTP request to the compromised server. The backdoor recognizes the attacker request, extracts and executes the embedded backdoor commands, and modifies the HTTP response to include the command output.
The following backdoor commands are supported:
IISpy ignores all other HTTP requests sent to the compromised IIS server by its legitimate visitors – of course, these are still handled by the benign server modules.
The control requests from IISpy’s operators have a predefined structure, with a specific (hidden) relationship between the Cookie and Host headers, and the URL. To identify such requests, IISpy first computes the MD5 hash of both the URL and Host header of an inbound HTTP request, and splits each MD5 into four double words:
Then, it verifies that the Cookie header contains a substring built from these values:
Figure 2 illustrates how this substring is assembled. Backdoor commands are embedded in the HTTP body, AES‑CBC encrypted and base64 encoded.
Note that this structure of control requests is unique to IISpy: all the other known IIS backdoors (that we have documented in our white paper Anatomy of native IIS malware) are controlled by hardcoded passwords, specific URIs or custom HTTP headers. As opposed to those “secrets”, IISpy’s control requests are more difficult to fingerprint and find in logs, which is an attempt to keep its C&C communication unnoticed.
Another such trick is used for the other side of the communication: IISpy embeds its encrypted and encoded response within a fake PNG image, between the PNG file headers as a TEXT or BLOB chunk. To reply to a control HTTP request, IISpy replaces the original HTTP response body (sent by the IIS server) with the fake PNG file, and sets the Content-Type header to image/png to give more credibility to this charade.
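A defender-side inspector for the disguise described above, added here as an example and not code from the write-up: it walks the chunks of a body served as image/png, verifies each chunk CRC, and flags chunk types outside the PNG specification as well as tEXt chunks whose text is one long base64 run. The sample image, its keyword and its placeholder payload are constructed for the example, and the 64-character threshold is an assumption, not an IISpy indicator.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is only a heuristic
# signal, since encoders may legitimately write private chunks.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
                b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
                b"sPLT", b"tIME"}
B64_RUN = re.compile(rb"^[A-Za-z0-9+/]{64,}={0,2}$")  # long unbroken base64 text (assumed threshold)

def _chunk(ctype, data):
    """Assemble one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def sample_png(text_payload=None):
    """Constructed 1x1 grayscale PNG, optionally carrying a payload in a tEXt chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    body = PNG_SIG + _chunk(b"IHDR", ihdr)
    if text_payload is not None:
        body += _chunk(b"tEXt", b"Comment\x00" + text_payload)  # keyword is constructed
    return body + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")

def inspect_png(body):
    """Walk a PNG response body; return (chunk types seen, list of findings)."""
    if not body.startswith(PNG_SIG):
        return [], ["body is not a PNG"]
    types, findings, pos = [], [], len(PNG_SIG)
    while pos + 8 <= len(body):
        length, ctype = struct.unpack(">I4s", body[pos:pos + 8])
        if pos + 12 + length > len(body):
            findings.append(f"truncated chunk {ctype!r}")
            break
        data = body[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", body[pos + 8 + length:pos + 12 + length])
        types.append(ctype)
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk type {ctype!r} ({length} bytes)")
        if ctype == b"tEXt":
            text = data.split(b"\x00", 1)[-1]  # tEXt layout: keyword, NUL, text
            if B64_RUN.match(text):
                findings.append(f"tEXt chunk carries a base64 run of {len(text)} bytes")
        if crc != zlib.crc32(ctype + data):
            findings.append(f"CRC mismatch on {ctype!r}")
        pos += 12 + length
        if ctype == b"IEND":
            break
    return types, findings
```

Running `inspect_png(sample_png(b"A" * 80))` reports the suspicious tEXt chunk while the same image without the text chunk yields no findings; in practice the inspector would be fed the body of any `image/png` response seen in a web proxy or packet capture.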
Both sides of the C&C communication are AES-CBC encrypted and base64 encoded, using these parameters:
From the technical standpoint, IISpy is implemented as a native IIS module – a C++ DLL deployed in the %windir%\system32\inetsrv\ or the %windir%\SysWOW64\inetsrv folder on the compromised IIS server, under the name cache.dll or logging.dll.
IISpy is configured as an IIS extension in the %windir%\system32\inetsrv\config\ApplicationHost.config configuration file, and so it is loaded automatically by the IIS Worker Process (w3wp.exe), which handles all requests sent to the IIS web server. As far as execution and persistence goes, configuring IISpy as an IIS module itself checks all the boxes – all that’s left to implement inside the malicious module is the actual request processing (and as a bonus, a few anti-detection and anti-forensic tricks). We cover both in this section.
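A check for the deployment described above, added here as an example rather than code from ESET or the write-up: it parses the globalModules section of ApplicationHost.config and flags native modules whose DLL name matches one IISpy is known to use (cache.dll, logging.dll) or, when a set of DLL names from a known-clean server is supplied, any module absent from that baseline. The configuration fragment and the module name of the IISpy-style entry are constructed for the example.

```python
import os
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Path and DLL names taken from the IISpy write-up.
APPHOST_CONFIG = r"%windir%\system32\inetsrv\config\ApplicationHost.config"
IISPY_IMAGE_NAMES = {"cache.dll", "logging.dll"}

# Constructed ApplicationHost.config fragment: two stock modules plus one IISpy-style entry.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="CacheModule" image="%windir%\System32\inetsrv\cache.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

def audit_global_modules(config_xml, baseline=None):
    """List every native module registered in <globalModules>.

    A module is flagged when its DLL name matches one IISpy is known to use, or,
    if a baseline set of DLL names from a known-clean server is supplied, when
    its DLL name is absent from that baseline.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("globalModules"):
        for mod in section.findall("add"):
            image = mod.get("image", "")
            dll = PureWindowsPath(image).name.lower()
            reasons = []
            if dll in IISPY_IMAGE_NAMES:
                reasons.append("image name used by IISpy")
            if baseline is not None and dll not in baseline:
                reasons.append("not in clean baseline")
            findings.append({"name": mod.get("name"), "image": image, "dll": dll, "reasons": reasons})
    return findings

def audit_live_config(path=APPHOST_CONFIG, baseline=None):
    """Audit the real ApplicationHost.config on a Windows IIS host (needs administrative read access)."""
    with open(os.path.expandvars(path), encoding="utf-8-sig") as fh:
        return audit_global_modules(fh.read(), baseline)

if __name__ == "__main__":
    for f in audit_global_modules(SAMPLE_CONFIG, baseline={"cachuri.dll", "loghttp.dll"}):
        flag = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{flag:10} {f['name']:20} {f['image']}  {'; '.join(f['reasons'])}")
```

Because IISpy sits in the same inetsrv folder as the legitimate modules, a name match alone is weak; the baseline comparison against a clean server of the same IIS version is the check that catches renamed copies.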
IISpy is written using the IIS C++ API, and uses instances of the IHttpContext, IHttpRequest and IHttpResponse interfaces to parse HTTP requests and manipulate the HTTP responses.
As required by all native IIS modules, it exports a function called RegisterModule, where it creates an instance of its core classes and registers their methods for server events using the IHttpModuleRegistrationInfo::SetRequestNotifications method, as shown in Figure 3.
IISpy’s core class inherits from CHttpModule and, as seen in Figure 4, overrides three of its methods – event handlers for the server events:
IISpy registers these handlers with the highest priority (via the IHttpModuleRegistrationInfo::SetPriorityForRequestNotification API). Since several IIS modules (malicious and regular) can be registered for the same event, this ensures that IISpy’s handler will be executed before any other handlers registered for the same event.
In its OnEndRequest handler, IISpy decrypts the HTTP body of an attacker’s request and extracts its parameters, which are organized as key-value pairs and listed in Table 1.
Table 1. IISpy attacker request parameters
If the credentials are present, IISpy uses them to log in as the user (via LogonUserW, ImpersonateLoggedOnUser) to execute the backdoor commands in the user’s context. The backdoor commands and arguments are also organized as nested key-value pairs, as listed in Table 2.
Table 2. IISpy backdoor commands and arguments
After executing the backdoor command, IISpy encrypts and encodes its return data and uses it to modify the HTTP response to the attacker’s request. The return data is also organized as key-value pairs, with the entries listed in Table 2, plus two additional entries based on the GetLastError result (or custom error messages):
Finally, IISpy implements the OnLogRequest event handler – called right before the IIS server logs a processed HTTP request. The backdoor uses this handler to modify the log entries for requests coming from the attackers to make them look like casual requests. As shown in Figure 5, these steps are taken:
With the log entries modified this way, the attackers attempt to further hide traces of their malicious activities, to make potential forensic analysis more difficult.
IISpy is a complex server-side backdoor misusing the extensibility of IIS web server software for its persistence, execution and C&C mechanisms. With its tricks to blend in with the regular network traffic, and to clear incriminating logs, it is designed for long term espionage on compromised IIS servers.
Organizations that handle sensitive data on their servers should be on the lookout, such as organizations that have the Outlook on the web (OWA) service enabled on their Exchange email servers – OWA is implemented via IIS, and makes an interesting target for espionage. In any case, the best way to keep IISpy out of your servers is to keep them up to date, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation.
Additional technical details on the malware, Indicators of Compromise and YARA rules can be found in our comprehensive white paper, and on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us at: threatintel@eset.com.
Note: This table was built using version 9 of the MITRE ATT&CK framework.