Microsoft has warned of an increase in malicious Internet Information Services (IIS) extensions used as backdoors on Exchange servers.
While not as commonly used in attacks against servers as web shells, IIS extensions provide a durable persistence mechanism, as they hide deep in target environments, Microsoft notes.
IIS extensions are also detected less often than web shells, and they are harder to spot because they closely resemble legitimate modules in both appearance and behavior: they are deployed to the same directories and share the same code structure.
“In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection,” Microsoft explains.
Attackers typically exploit a critical vulnerability in the hosted application for initial access, and then deploy a web shell. Later, they install an IIS backdoor for persistent access to the server.
Once registered as a module of the target application, the backdoor monitors incoming and outgoing requests, and also supports running remote commands and dumping credentials in the background.
“We expect attackers to continue to increasingly leverage IIS backdoors,” Microsoft notes.
Between January and May 2022, threat actors targeting Exchange servers were seen using an IIS backdoor in coordination with other custom IIS modules, the tech giant says.
Following initial access, the attackers would perform operations such as reconnaissance, credential dumping, and establishing a remote access channel.
Next, they were seen installing a custom IIS backdoor that could perform Exchange management operations, including enumerating mailboxes and exporting them for exfiltration.
The attackers used the command-line connection tool plink.exe for remote access and the open source project PowerShDLL for remote command execution, and they enabled the WDigest registry setting (UseLogonCredential) so that plaintext passwords are retained in LSASS memory.
Over the past year, Microsoft has observed at least four types of IIS backdoors: IIS module-based versions of web shells, open source projects, IIS handlers, and credential stealers – modules that monitor network traffic for sign-in patterns and dump the captured credentials in encrypted form.
To stay protected from IIS backdoors, organizations are advised to deploy software updates in a timely manner, use security solutions, review highly privileged groups, apply the principle of least privilege, prioritize alerts, and regularly inspect the IIS configuration files (such as applicationHost.config and each site's web.config) and the application's bin folder for modules that should not be there.
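The following PowerShell script is an added example, not Microsoft's code, showing how a defender would run the last of those checks (inspecting the IIS configuration and bin folders) together with a check for the WDigest setting the attackers enabled. It assumes the default applicationHost.config location, a list of directories that legitimate native modules are expected to load from ($ExpectedRoots), a System./Microsoft. namespace heuristic for managed modules, and a 30-day "recently written" window for bin DLLs; all of these are assumptions to tune per host, not facts from the article. Run it from 64-bit PowerShell as Administrator on the IIS/Exchange server.

```powershell
# Added example (not Microsoft's code): list every IIS module registered in
# applicationHost.config, flag the ones that are unsigned, missing, or loaded
# from an unexpected path, list DLLs in each site's bin folder, and report
# whether WDigest is set to keep plaintext passwords in LSASS memory.

function Get-IisModuleFindings {
    param(
        # Default IIS location (assumption: IIS installed with defaults).
        [string]$ConfigPath = (Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'),
        # Directories legitimate native modules normally load from (assumption; tune per host).
        [string[]]$ExpectedRoots = @(
            (Join-Path $env:windir 'System32\inetsrv'),
            (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server')
        )
    )
    [xml]$config = Get-Content -Path $ConfigPath -Raw
    $webServer = $config.configuration.'system.webServer'

    # Native modules: <globalModules><add name="..." image="%windir%\...\x.dll" />
    foreach ($m in @($webServer.globalModules.add)) {
        if (-not $m) { continue }
        $image    = [Environment]::ExpandEnvironmentVariables($m.image)
        $exists   = Test-Path -LiteralPath $image
        $sig      = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }
        $validSig = ($null -ne $sig) -and ($sig.Status -eq 'Valid')
        $inRoot   = $false
        foreach ($root in $ExpectedRoots) {
            if ($image.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inRoot = $true }
        }
        [pscustomobject]@{
            Kind       = 'Native'
            Name       = $m.name
            Location   = $image
            Signer     = if ($validSig) { $sig.SignerCertificate.Subject } else { '' }
            Suspicious = (-not $exists) -or (-not $validSig) -or (-not $inRoot)
        }
    }

    # Managed modules: <modules><add name="..." type="Namespace.Class, Assembly, ..." />
    # Anything outside the System./Microsoft. namespaces is reported for manual review.
    # Heuristic only: an attacker can choose any namespace, so review the full list.
    foreach ($m in @($webServer.modules.add)) {
        if (-not $m) { continue }
        $typeName = [string]$m.type
        [pscustomobject]@{
            Kind       = 'Managed'
            Name       = $m.name
            Location   = $typeName
            Signer     = ''
            Suspicious = -not ($typeName -match '^(System|Microsoft)\.')
        }
    }

    # bin folder of every site/application: unsigned or recently written DLLs
    # stand out next to the application's own files (30-day window is an assumption).
    $sites = $config.configuration.'system.applicationHost'.sites.site
    foreach ($vdir in @($sites.application.virtualDirectory)) {
        if (-not $vdir) { continue }
        $bin = Join-Path ([Environment]::ExpandEnvironmentVariables($vdir.physicalPath)) 'bin'
        if (-not (Test-Path -LiteralPath $bin)) { continue }
        Get-ChildItem -LiteralPath $bin -Filter *.dll -File | ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Kind       = 'BinDll'
                Name       = $_.Name
                Location   = $_.FullName
                Signer     = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { '' }
                Suspicious = ($sig.Status -ne 'Valid') -or ($_.LastWriteTime -gt (Get-Date).AddDays(-30))
            }
        }
    }
}

function Test-WDigestPlaintextCredentials {
    # UseLogonCredential=1 makes WDigest keep plaintext passwords in LSASS memory,
    # which is the setting the attackers enabled before dumping credentials.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $value = (Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    return ($value -eq 1)
}

$findings = Get-IisModuleFindings
$findings | Sort-Object Suspicious -Descending |
    Format-Table Kind, Name, Suspicious, Signer, Location -AutoSize
if (Test-WDigestPlaintextCredentials) {
    Write-Warning 'WDigest UseLogonCredential=1: plaintext passwords are being retained in LSASS memory'
}
```

A "Suspicious" row is a lead, not a verdict: compare the module list against a baseline taken from a known-clean server of the same build, and treat any native module outside the IIS or Exchange install directories, or any managed module whose assembly you cannot trace to the application, as the starting point for a forensic look at the file and its registration history. Managed modules can also be registered in a site's web.config rather than applicationHost.config, so the same review should be repeated there.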