Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Malware Dons Disguise as Microsoft IIS Module

Researchers for Trustwave’s SpiderLabs have turned the flood lights on malware disguised as a module for Microsoft’s Internet Information Services (IIS) software.

Researchers for Trustwave’s SpiderLabs have turned the flood lights on malware disguised as a module for Microsoft’s Internet Information Services (IIS) software.

According to Trustwave, the malware is manually installed by attackers after they have compromised a web server. Known as ISN, the malware is used by attackers to target sensitive information in POST requests, and has data exfiltration capabilities in its arsenal, blogged Trustwave’s Josh Grunzweig.

“Encryption is circumvented as the malware extracts this data from IIS itself,” he blogged. “This was seen targeting credit card data on e-commerce sites, however, it could also be used to steal logins, or any other sensitive information sent to a compromised IIS instance.”

The installer has four embedded DLLs that are dropped depending on the victim, the researcher continued. Specifically, there are IIS modules for IIS 32-bit; IIS 64-bit; IIS 7+ 32-bit and IIS7+ 64-bit. The malware also has a VBS file embedded as a PE resource that is used to install or remove the DLLs as an IIS module.

Advertisement. Scroll to continue reading.

“Once the module is successfully installed, it will monitor the URIs specified in the configuration file and dump any POST requests encountered to the ‘[filename].log’ file,” according to Grunzweig. “The module will also monitor the QUERY_STRING parameter, and can accept a number of commands. I’ve setup a simple IIS instance to demonstrate how this process takes place.”

“Overall, this malware does not appear to be widely spread and has only been seen in a few forensic case instances,” Grunzwieg noted. “However, the extremely low detection rate in collaboration with the malware’s targeted functionality makes this a very real threat.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Register

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

SAP security firm SecurityBridge announced the appointment of Roman Schubiger as the company’s new CRO.

Cybersecurity training and simulations provider SimSpace has appointed Peter Lee as Chief Executive Officer.

Orchid Security has appointed a new Chief Product Officer and three advisors.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.