Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft: Attackers Increasingly Using IIS Extensions as Server Backdoors

Microsoft has warned of an increase in malicious Internet Information Services (IIS) extensions used as backdoors on Exchange servers.

Microsoft has warned of an increase in malicious Internet Information Services (IIS) extensions used as backdoors on Exchange servers.

While not as commonly used in attacks against servers as web shells, IIS extensions provide a durable persistence mechanism, as they hide deep in target environments, Microsoft notes.

IIS extensions also have a relatively low detection rate compared to web shells, and are more difficult to detect because they closely resemble and behave like legitimate modules: they are deployed in the same directories and have the same code structure.

“In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection,” Microsoft explains.

Attackers typically exploit a critical vulnerability in the hosted application for initial access, and then deploy a web shell. Later, they install an IIS backdoor for persistent access to the server.

After being registered with the target application, the backdoor would monitor incoming and outgoing requests, while also providing support for running remote commands and background credential dumping.

“We expect attackers to continue to increasingly leverage IIS backdoors,” Microsoft notes.

Between January and May 2022, threat actors targeting Exchange servers were seen using an IIS backdoor in coordination with other custom IIS modules, the tech giant says.

Following initial access, the attackers would perform operations such as reconnaissance, credential dumping, and establishing a remote access channel.

Next, they were seen installing a custom IIS backdoor that could perform Exchange management operations, including enumerating mailboxes and exporting them for exfiltration.

The attackers were using the command line connection tool plink.exe for remote access and the open source project PowerShDLL for remote command execution, and enabled WDigest registry settings to force the retaining of plaintext passwords in memory.

Over the past year, Microsoft has observed at least four types of IIS backdoors, including IIS module-based versions of web shells, open source projects, IIS handlers, and credential stealers – modules that monitor for sign-in patterns in network traffic and dump credentials in encrypted form.

To stay protected from IIS backdoors, organizations are advised to deploy software updates in a timely manner, to use security solutions, review highly privileged groups, apply the principle of least privilege, prioritize alerts, and regularly inspect the config file and bin folder.

Related: ‘IceApple’ Post-Exploitation Framework Created for Long-Running Operations

Related: Zero-Days Under Attack: Microsoft Plugs Exchange Server, Excel Holes

Related: ‘ProxyToken’ Exchange Server Vulnerability Leads to Email Compromise

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.