[MART] - Daily Diary #320 - Malware Families Targeting IIS servers

CTAS-MAT ctas-mat at appgate.com
Thu Aug 5 22:18:54 UTC 2021


I hope everyone is doing well!

Below is the entry for today.

08/05/2021 - Diary entry #320:

Internet Information Services (IIS) is a flexible and manageable web server created by Microsoft for the Windows NT family of servers. It lets developers write additional modules that extend its core functionality.

This week, an analysis of 14 malware families targeting IIS servers was presented at the Black Hat USA security conference. The modularity of this web server is very attractive to threat actors, especially for backdoors and infostealers.

The threats do not appear to be connected to one another, but all of them were developed as malicious IIS modules. Their main goal is to process incoming HTTP requests on the compromised server and modify how the server responds to those requests.

There are five modes in which these threats operate. First, a Backdoor mode, to control the compromised computer remotely; an InfoStealer mode, to intercept traffic and steal credentials; an Injector mode, to serve malicious content; a Proxy mode, to turn the compromised server into part of the C2 infrastructure for another malware; and finally, a SEO fraud mode, to modify the content served to search engine crawlers.

As a measure to prevent compromise of IIS servers, it is recommended to install only native IIS modules obtained from trusted sources.
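Since every family described above registers as a native module, the native module list is the place to look on a server. The following Python audit is an added example, not part of this diary entry or of the presented research: it parses the globalModules section of an IIS applicationHost.config and flags modules whose DLL is outside the IIS install directory or whose name is not in a known-good baseline. The config snippet, the baseline set and the module names in it are constructed for illustration.

```python
"""Audit native (global) IIS modules declared in applicationHost.config.

Native modules are registered under <system.webServer><globalModules>, each
<add> carrying a name and an `image` attribute that points at the DLL.
"""
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of applicationHost.config.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="IsapiFilterModule" image="C:\\Windows\\System32\\inetsrv\\filter.dll" />
      <add name="HttpCompressionModule" image="C:\\Windows\\Temp\\httpcompress.dll" />
      <add name="CustomFilter" image="%windir%\\System32\\inetsrv\\custfilt.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directory that holds IIS's own native modules on a default install.
TRUSTED_DIR = r"C:\Windows\System32\inetsrv"

# Constructed baseline: module names recorded from a known-clean server.
IIS_BASELINE = {"UriCacheModule", "StaticFileModule",
                "IsapiFilterModule", "HttpCompressionModule"}


def expand_windows_vars(path: str) -> str:
    """Expand the variables IIS uses in image paths, independent of the host OS."""
    return path.replace("%windir%", r"C:\Windows").replace("%SystemRoot%", r"C:\Windows")


def list_global_modules(config_xml: str) -> list[tuple[str, str]]:
    """Return (name, expanded image path) for every native module registered."""
    root = ET.fromstring(config_xml)
    mods = []
    for gm in root.iter("globalModules"):          # tag lookup, no path parsing
        for add in gm.findall("add"):
            mods.append((add.get("name", ""), expand_windows_vars(add.get("image", ""))))
    return mods


def suspicious_modules(config_xml: str, baseline: set[str]) -> list[dict]:
    """Flag modules loaded from outside TRUSTED_DIR or absent from the baseline."""
    findings = []
    for name, image in list_global_modules(config_xml):
        reasons = []
        # ntpath handles backslash paths correctly even when run on non-Windows.
        if ntpath.dirname(image).lower() != TRUSTED_DIR.lower():
            reasons.append("image outside inetsrv")
        if name not in baseline:
            reasons.append("not in baseline")
        if reasons:
            findings.append({"name": name, "image": image, "reasons": reasons})
    return findings
```

A module that passes both checks can still be malicious if the attacker overwrote a legitimate DLL in place, so pair this with file hash or Authenticode verification of the images listed.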

Kind Regards,



Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 11 97467 9549
