New malware plants backdoor on Microsoft web server software

guest · Aug 9, 2021

New malware plants backdoor on Microsoft web server software
IIS target of hackers looking to enter victim’s infrastructure
August 9, 2021
https://www.itpro.co.uk/security/cy...nts-backdoor-on-microsoft-web-server-software

Security researchers have discovered malware that can install a backdoor on Microsoft’s web server software Internet Information Services (IIS).

Dubbed IISpy, the malware uses various means to interfere with the server’s logging and evade detection so it can perform long-term espionage.
Click to expand...

Researchers said the backdoor has been active since at least July 2020 and has been used with Juicy Potato, a privilege escalation tool.

“We suspect the attackers first obtain initial access to the IIS server via some vulnerability and then use Juicy Potato to obtain the administrative privileges that are required to install IISpy as a native IIS extension,” said researchers.
Investigations unearthed the malware popping up on IIS servers in Canada, the US, and the Netherlands.
Click to expand...

IISpy is configured as an IIS extension and can see all the HTTP requests received by the compromised IIS server and shape the HTTP response the server will answer with.

“IISpy uses this channel to implement its C&C communication, which allows it to operate as a passive network implant,” said researchers.
Click to expand...

ESET: IISpy: A complex server‑side backdoor with anti‑forensic features

IISpy is a complex server-side backdoor misusing the extensibility of IIS web server software for its persistence, execution and C&C mechanisms. With its tricks to blend in with the regular network traffic, and to clear incriminating logs, it is designed for long term espionage on compromised IIS servers.

Organizations that handle sensitive data on their servers should be on the lookout, such as organizations that have the Outlook on the web (OWA) service enabled on their Exchange email servers – OWA is implemented via IIS, and makes an interesting target for espionage.
Click to expand...

EASTER · Aug 9, 2021

Researchers said the backdoor has been active since at least July 2020 and has been used with Juicy Potato, a privilege escalation tool.
“We suspect the attackers first obtain initial access to the IIS server via some vulnerability
Click to expand...

Boy oh boy. If it's a Microsoft, it's a wide open breachfest. Wonder why those bug bounty programs never turned up such as this and who knows how many others.

Log in or Sign up

New malware plants backdoor on Microsoft web server software

guest Guest

EASTER Registered Member

Log in or Sign up

New malware plants backdoor on Microsoft web server software

guest Guest

EASTER Registered Member

Useful Searches