Researchers for Trustwave’s SpiderLabs have turned the flood lights on malware disguised as a module for Microsoft’s Internet Information Services (IIS) software.
According to Trustwave, the malware is manually installed by attackers after they have compromised a web server. Known as ISN, the malware is used by attackers to target sensitive information in POST requests, and has data exfiltration capabilities in its arsenal, blogged Trustwave’s Josh Grunzweig.
“Encryption is circumvented as the malware extracts this data from IIS itself,” he blogged. “This was seen targeting credit card data on e-commerce sites, however, it could also be used to steal logins, or any other sensitive information sent to a compromised IIS instance.”
The installer has four embedded DLLs that are dropped depending on the victim, the researcher continued. Specifically, there are IIS modules for IIS 32-bit; IIS 64-bit; IIS 7+ 32-bit and IIS7+ 64-bit. The malware also has a VBS file embedded as a PE resource that is used to install or remove the DLLs as an IIS module.
“Once the module is successfully installed, it will monitor the URIs specified in the configuration file and dump any POST requests encountered to the ‘[filename].log’ file,” according to Grunzweig. “The module will also monitor the QUERY_STRING parameter, and can accept a number of commands. I’ve setup a simple IIS instance to demonstrate how this process takes place.”
“Overall, this malware does not appear to be widely spread and has only been seen in a few forensic case instances,” Grunzwieg noted. “However, the extremely low detection rate in collaboration with the malware’s targeted functionality makes this a very real threat.”
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- OWASP’s 2023 API Security Top 10 Refines View of API Risks
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- Blumira Raises $15 Million for SMB-Tailored XDR Platform
- Microsoft Will Pay $20M to Settle US Charges of Illegally Collecting Children’s Data
- KeePass Update Patches Vulnerability Exposing Master Password
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Keep Aware Raises $2.4M to Eliminate Browser Blind Spots
