Microsoft 365 Defender Research Team warns now About a growing trend where attackers are using Internet Information Services (IIS) web server extensions to disguise the creation of backdoors in Windows-based servers.
According to Microsoft, it is mainly about IIS extensions that attackers install themselves, after first accessing the servers. The most common way to get access is to use a “script”web shell».
difficult to detect
Malicious IIS extensions are then used to persistently access the server through one or more backdoors. According to Microsoft, these IIS-based backdoors are difficult to detect because the software is mostly located in the same folders as the legitimate modules. They also follow the same code structure as the uninfected modules.
According to Microsoft, the actual backdoor logic is minimal and would not be considered malicious without a broader understanding of how legitimate IIS extensions work.
In the blog post The Microsoft 365 Defender research team reports that, among other things, it observed a campaign in the months from January to May this year. This campaign targeted Exchange servers. Here, backdoor modules were able to monitor incoming and outgoing requests, as well as run commands remotely and in the background recording login information for users logging into the web application.
Defense requires knowledge
Microsoft expects that attackers will increasingly exploit IIS backdoors. The company therefore believes that it is critical that those who have to defend systems against such attacks have knowledge and understanding of how these attacks work.
In the blog post, the company discusses in more detail what often characterizes the different parts of these attacks, including initial attacks using a web shell, executing commands, accessing login information, and information theft.
“Web specialist. Lifelong zombie maven. Coffee ninja. Hipster-friendly analyst.”