The second in our series on IIS threats dissects a malicious IIS extension that employs nifty tricks in an attempt to secure long-term espionage on the compromised servers
ESET researchers have discovered and analyzed a previously undocumented backdoor, implemented as an extension for Internet Information Services (IIS), Microsoft’s web server software. The backdoor, which we named IISpy, uses a variety of tricks to interfere with the server’s logging and to evade detection, in order to perform long-term espionage. IISpy is detected by ESET security solutions as Win{32,64}/BadIIS.
This blogpost is the second installment in our series where ESET researchers put IIS web server threats under the microscope – the other parts discuss IIS malware used for cybercrime and SEO fraud, respectively. For a comprehensive guide to how to detect, analyze and remove IIS malware, refer to our white paper Anatomy of native IIS malware, where IISpy is featured as one of the studied families (Group 7).
Attack overview
According to ESET telemetry, this backdoor has been active since at least July 2020, and has been used with Juicy Potato (detected as Win64/HackTool.JuicyPotato by ESET security solutions), which is a privilege escalation tool. We suspect the attackers first obtain initial access to the IIS server via some vulnerability, and then use Juicy Potato to obtain the administrative privileges that are required to install IISpy as a native IIS extension.
According to our telemetry, IISpy affects a small number of IIS servers located in Canada, the USA and the Netherlands – but this is likely not the full picture, as it is still common for administrators to not use any security software on servers, and thus our visibility into IIS servers is limited.
Because IISpy is configured as an IIS extension, it can see all the HTTP requests received by the compromised IIS server, and shape the HTTP response that the server will answer with. IISpy uses this channel to implement its C&C communication, which allows it to operate as a passive network implant. As shown in Figure 1, the operator (not the backdoor) initiates the connection by sending a special HTTP request to the compromised server. The backdoor recognizes the attacker request, extracts and executes the embedded backdoor commands, and modifies the HTTP response to include the command output.
The following backdoor commands are supported:
- Get system information
- Upload/download files
- Execute files or shell commands
- Create a reverse shell
- Create/list/move/rename/delete files and folders
- Create a mapping between a local and a remote drive
- Exfiltrate collected data
IISpy ignores all other HTTP requests sent to the compromised IIS server by its legitimate visitors – of course, these are still handled by the benign server modules.
Network communication
The control requests from IISpy’s operators have a predefined structure, with a specific (hidden) relationship between the Cookie and Host headers, and the URL. To identify such requests, IISpy first computes the MD5 hash of both the URL and Host header of an inbound HTTP request, and splits each MD5 into four double words:
- <h0><h1><h2><h3> = md5(Host Header value)
- <r0><r1><r2><r3> = md5(Raw URL value)
Then, it verifies that the Cookie header contains a substring built from these values:
- <r1><h2>=<h3><r2><r3><r0><h0><h1>
Figure 2 illustrates how this substring is assembled. Backdoor commands are embedded in the HTTP body, AES‑CBC encrypted and base64 encoded.
Note that this structure of control requests is unique to IISpy: all the other known IIS backdoors (that we have documented in our white paper Anatomy of native IIS malware) are controlled by hardcoded passwords, specific URIs or custom HTTP headers. As opposed to those “secrets”, IISpy’s control requests are more difficult to fingerprint and find in logs, which is an attempt to keep its C&C communication unnoticed.
Another such trick is used for the other side of the communication: IISpy embeds its encrypted and encoded response within a fake PNG image, between the PNG file headers as a TEXT or BLOB chunk. To reply to a control HTTP request, IISpy replaces the original HTTP response body (sent by the IIS server) with the fake PNG file, and sets the Content-Type header to image/png to give more credibility to this charade.
Both sides of the C&C communication are AES-CBC encrypted and base64 encoded, using these parameters:
- Encryption key: DA1F8BE19D9122F6499D72B90299CAB080E9D599C57E802CD667BF53CCC9EAB2
- IV: 668EDC2D7ED614BF8F69FF614957EF83EE
Technical analysis
From the technical standpoint, IISpy is implemented as a native IIS module – a C++ DLL deployed in the %windir%system32inetsrv or the %windir%SysWOW64inetsrv folder on the compromised IIS server, under the name cache.dll or logging.dll.
IISpy is configured as an IIS extension in the
Module design
IISpy is written using the IIS C++ API, and uses instances of IHttpContext, IHttpRequest and IHttpResponse interfaces to parse HTTP requests and manipulate the HTTP responses.
As required by all native IIS modules, it exports a function called RegisterModule, where it creates an instance of its core classes and registers their methods for server events using the IHttpModuleRegistrationInfo::SetRequestNotifications method, as shown in Figure 3.
IISpy’s core class is inherited from CHttpModule and, as seen in Figure 4, overrides three of its methods – event handlers for the server events:
- OnBeginRequest is called every time the server starts processing a new HTTP request, and IISpy uses this handler to parse it in search of attacker requests
- OnEndRequest, called with the last step within the HTTP request-processing pipeline, implements IISpy’s backdoor interpreter
- OnLogRequest, called right before the IIS server logs a processed HTTP request, implements IISpy’s anti-logging feature
IISpy registers these handlers with the highest priority (via the IHttpModuleRegistrationInfo::SetPriorityForRequestNotification API). Since several IIS modules (malicious and regular) can be registered for the same event, this ensures that IISpy’s handler will be executed before any other handlers registered for the same event.
Backdoor commands
In its OnEndRequest handler, IISpy decrypts the HTTP body of an attacker’s request and extracts its parameters, which are organized as key-value pairs and listed in Table 1.
Table 1. IISpy attacker request parameters
Key | Value |
---|---|
/mode | Command type |
/action | Command |
/path /binary /data … |
Command arguments (see Table 2 for full list) |
/credential/username | Local user username, used for impersonation |
/credential/password | Local user password, used for impersonation |
If the credentials are present, IISpy uses them to log in as the user (via LogonUserW, ImpersonateLoggedOnUser) to execute the backdoor commands in the user’s context. The backdoor commands and arguments are also organized as nested key-value pairs, as listed in Table 2.
Table 2. IISpy backdoor commands and arguments
Command type (/mode value) | Command (/action value) | Arguments (key names) | Command description | Returned data (map structure or description) |
---|---|---|---|---|
init | N/A | N/A | Collects basic system information: computer name and domain, username and domain, logical drives information. | /computer/domain /computer/name /user/domain /user/name /- /name /type |
file | list | /path | Collects information about the files in the specified folder. | /- /name /attr /size /create /access /write |
get | /path /binary |
Downloads the file with the specified name from the compromised IIS server. | The contents of the file, encrypted and embedded within a fake PNG image (a PNG header followed by non-image data). | |
create | /path /directory /data |
Creates a new file or directory in the specified path. Optional /data argument can hold the file content. | /- /file /attr /size /create /access /write |
|
upload | /path /data |
Uploads a file with the specified name to the compromised server. The /data entry contains base64-encoded file content. | /- /file /attr /size /create /access /write |
|
delete | /path /files /name /attr |
Deletes the list of files/directories in the given path. | /files /code /name |
|
move | /path /dest /copy /files /name /new |
Copies or renames files from the list, from the source directory to the destination directory. | /files /code /name |
|
time | /path /create /access /write |
Modifies file timestamps | N/A | |
drive | map | /letter /share /username /password |
Creates a mapping between a local and a remote drive, using the specified credentials for the network resource. | N/A |
remove | /letter | Removes an existing drive mapping | N/A | |
cmd | exec | /cmd | Executes the specified command, either under the context of the current user, or the user provided in arguments. Returns the command output. | /output |
After executing the backdoor command, IISpy encrypts and encodes its return data and uses it to modify the HTTP response to the attacker’s request. The return data is also organized as key-value pairs, with the entries listed in Table 2, plus two additional entries based on the GetLastError result (or custom error messages):
- /error/code
- /error/message
Anti-logging feature
Finally, IISpy implements the OnLogRequest event handler – called right before the IIS server logs a processed HTTP request. The backdoor uses this handler to modify the log entries for requests coming from the attackers to make them look like casual requests. As shown in Figure 5, these steps are taken:
- Rewrite the HTTP method in the request to GET
- Rewrite the URL from the request to /
- Delete these headers from the request: Cookie, Origin, Referer, Sec-Fetch-Mode, Sec-Fetch-Site, Content-Type, Content-Length, X-Forwarded-IP, X-Forwarded-For, X-Forwarded-By, X-Forwarded-Proto
With the log entries modified this way, the attackers attempt to further hide traces of their malicious activities, to make potential forensic analysis more difficult.
Conclusion
IISpy is a complex server-side backdoor misusing the extensibility of IIS web server software for its persistence, execution and C&C mechanisms. With its tricks to blend in with the regular network traffic, and to clear incriminating logs, it is designed for long term espionage on compromised IIS servers.
Organizations that handle sensitive data on their servers should be on the lookout, such as organizations that have the Outlook on the web (OWA) service enabled on their Exchange email servers – OWA is implemented via IIS, and makes an interesting target for espionage. In any case, the best way to keep IISpy out of your servers is to keep them up to date, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation.
Additional technical details on the malware, Indicators of Compromise and YARA rules can be found in our comprehensive white paper, and on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us at: threatintel@eset.com.
Indicators of Compromise (IoCs)
ESET detection names
Win32/BadIIS.F
Win64/BadIIS.U
SHA-1
22F8CA2EB3AF377E913B6D06B5A3618D294E4331
435E3795D934EA8C5C7F4BCFEF2BEEE0E3C76A54
CED7BC6E0F1A15465E61CFEC87AAEF98BD999E15
Filenames
cache.dll
logging.dll
MITRE ATT&CK techniques
Note: This table was built using version 9 of the MITRE ATT&CK framework.
Tactic | ID | Name | Description |
---|---|---|---|
Resource Development | T1587.001 | Develop Capabilities: Malware | IISpy is a custom-made malware family. |
T1588.002 | Obtain Capabilities: Tool | Operators of IISpy have used Juicy Potato , a local privilege escalation tool. | |
Initial Access | T1190 | Exploit Public-Facing Application | IISpy likely obtains its initial access to the IIS server via some vulnerability in the web application or on the server, before it uses the privilege escalation tool Juicy Potato to obtain the administrative privileges that are required to install a native IIS module. |
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | IISpy supports a backdoor command that uses the Windows command shell to execute shell commands on the compromised IIS server. |
T1569.002 | System Services: Service Execution | IIS server (and by extension, IISpy) persists as a Windows service. | |
Persistence | T1546 | Event Triggered Execution | IISpy is loaded by IIS Worker Process (w3wp.exe) when the IIS server receives an inbound HTTP request. |
Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Operators of IISpy have used a local privilege escalation tool Juicy Potato to elevate privileges. |
Defense Evasion | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | IISpy has the ability to execute backdoor commands in another user’s context (via LogonUserW, ImpersonateLoggedOnUser). |
T1070 | Indicator Removal on Host | IISpy has the ability to sanitize logging of attacker requests on the IIS server. | |
T1070.006 | Indicator Removal on Host: Timestomp | IISpy supports a backdoor command to modify file timestamps. | |
Collection | T1005 | Data from Local System | IISpy supports a backdoor command to collect and exfiltrate files from the compromised IIS server. |
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | IISpy is a passive network implant: Adversaries send HTTP requests to the compromised IIS server to control the backdoor. |
T1001 | Data Obfuscation | IISpy operators send commands with a specially constructed combination of URLs, Host headers and cookies. IISpy exfiltrates data in a fake PNG file (a PNG header followed by non-image data), in an attempt to make its C&C traffic look like regular network traffic. |
|
T1132.001 | Data Encoding: Standard Encoding | IISpy encodes the C&C communication with base64 encoding. | |
T1573.001 | Encrypted Channel: Symmetric Cryptography | IISpy uses AES-CBC to encrypt C&C communication. | |
T1105 | Ingress Tool Transfer | IISpy supports a backdoor command to upload additional tools to the compromised IIS server. | |
Exfiltration | T1041 | Exfiltration Over C2 Channel | IISpy supports a backdoor command to exfiltrate data and files from the compromised IIS server. |