Microsoft: Attackers Increasingly Using IIS Extensions as Server Backdoors

Microsoft has warned of an increase in malicious Internet Information Services (IIS) extensions used as backdoors on Exchange servers.

While not as commonly used in attacks against servers as web shells, IIS extensions provide a durable persistence mechanism, as they hide deep in target environments, Microsoft notes.

IIS extensions also have a relatively low detection rate compared to web shells, and are more difficult to detect because they closely resemble and behave like legitimate modules: they are deployed in the same directories and have the same code structure.

“In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection,” Microsoft explains.

Attackers typically exploit a critical vulnerability in the hosted application for initial access, and then deploy a web shell. Later, they install an IIS backdoor for persistent access to the server.

After being registered with the target application, the backdoor would monitor incoming and outgoing requests, while also providing support for running remote commands and background credential dumping.

“We expect attackers to continue to increasingly leverage IIS backdoors,” Microsoft notes.

Between January and May 2022, threat actors targeting Exchange servers were seen using an IIS backdoor in coordination with other custom IIS modules, the tech giant says.

Following initial access, the attackers would perform operations such as reconnaissance, credential dumping, and establishing a remote access channel.

Next, they were seen installing a custom IIS backdoor that could perform Exchange management operations, including enumerating mailboxes and exporting them for exfiltration.

The attackers were using the command line connection tool plink.exe for remote access and the open source project PowerShDLL for remote command execution, and enabled WDigest registry settings to force the retaining of plaintext passwords in memory.

Over the past year, Microsoft has observed at least four types of IIS backdoors, including IIS module-based versions of web shells, open source projects, IIS handlers, and credential stealers – modules that monitor for sign-in patterns in network traffic and dump credentials in encrypted form.

To stay protected from IIS backdoors, organizations are advised to deploy software updates in a timely manner, use security solutions, review highly privileged groups, apply the principle of least privilege, prioritize alerts, and regularly inspect the IIS config file and the application bin folder.
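The last of those recommendations, inspecting where IIS modules are registered, as an added example that is not code from the article or from Microsoft: a small Python audit that parses an applicationHost.config fragment, flags module entries missing from a recorded baseline, and flags native modules whose image path sits outside the inetsrv directory. The config fragment, module names and baseline are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (not a real capture). The
# "HttpCacheModule" entry reuses a legitimate-looking name but is loaded from
# a site bin folder, and "RequestFilterModule" is a managed module that was
# never part of the recorded baseline.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="HttpCacheModule" image="C:\\inetpub\\wwwroot\\bin\\cachehttp.dll" />
    </globalModules>
    <modules>
      <add name="UriCacheModule" />
      <add name="StaticFileModule" />
      <add name="HttpCacheModule" />
      <add name="RequestFilterModule" type="Contoso.Web.RequestFilter, Contoso.Web" />
    </modules>
  </system.webServer>
</configuration>
"""

# Constructed baseline: (section, module name) pairs recorded from a known-good
# server build. In practice this is captured right after deployment.
BASELINE = {
    ("globalModules", "UriCacheModule"),
    ("globalModules", "StaticFileModule"),
    ("modules", "UriCacheModule"),
    ("modules", "StaticFileModule"),
}

# Native IIS modules ship from this directory; anything else deserves a look.
TRUSTED_NATIVE_DIR = "%windir%\\system32\\inetsrv\\"


def audit_iis_modules(config_xml, baseline):
    """Return (section, module name, reason) tuples for entries to review."""
    findings = []
    root = ET.fromstring(config_xml)
    for section in ("globalModules", "modules"):
        for node in root.iter(section):
            for entry in node:
                name = entry.get("name", "")
                if (section, name) not in baseline:
                    findings.append((section, name, "not in baseline"))
                image = entry.get("image")
                if image and not image.lower().startswith(TRUSTED_NATIVE_DIR):
                    findings.append((section, name, "native image outside inetsrv: " + image))
    return findings
```

Running the audit against the live file means reading %windir%\System32\inetsrv\config\applicationHost.config plus each site's web.config, since managed modules can be registered at the site level as well.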

Related: ‘IceApple’ Post-Exploitation Framework Created for Long-Running Operations

Related: Zero-Days Under Attack: Microsoft Plugs Exchange Server, Excel Holes

Related: ‘ProxyToken’ Exchange Server Vulnerability Leads to Email Compromise

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
