##### Anatomy of Native IIS Malware

###### Zuzana Hromcova | Malware Researcher, ESET

-----

##### Anatomy of Native IIS Malware

###### Native = C++ libraries; IIS = Internet Information Services

-----

##### How popular is IIS software?

-----

# 4-7%

###### of websites use IIS server*

###### *Netcraft: May 2021 Web Server Survey; *W3Techs: Usage statistics of web servers

-----

###### Microsoft Exchange email servers with OWA (Outlook on the web)

-----

###### Shodan result for public servers with OWA running Microsoft Exchange 2013 or 2016 (query for the IIS banner X-AspNet-Version and Outlook in the title): Microsoft Exchange email servers with OWA

-----

###### IIS backdoors spreading via ProxyLogon

• Government institutions in three countries in Southeast Asia
• A major telecom company in Cambodia
• Private companies in Canada, USA, South

-----

###### IIS malware

• Government espionage: infiltrating government mailboxes
• Crime: compromised websites serving malicious content & adware; targeting e-commerce; stealing credentials & credit card information
• SEO fraud: schemes to manipulate SERP
• C&C traffic routing: compromised IIS server as a malicious proxy

-----

###### Known malicious IIS modules

• 2007: IIS v7.0
• 2013: ISN
• 2018: RGDoor
• 2019: Native malware
• 2020: Managed malware
• 2021: IIS-Raid

-----

##### Our research

• Malicious native IIS modules (C++ libraries)
• 80+ unique samples from our telemetry and VirusTotal
• 14 malware families (10 never documented)
• Victim information from our telemetry and internet-wide scans
• Detailed information and analyses in the white paper

-----

###### Malicious native IIS modules

##### Architecture | Reversing | TTPs | Defense

-----

###### Malicious native IIS modules

##### Architecture

-----

###### Internet Information Services (IIS)

• Microsoft web server software
• Modular architecture (since v7.0)
• IIS services configured to run at each system start (World Wide Web Publishing Service, Windows Process Activation Service or Application Host Helper Service)
• IIS Worker Process (w3wp.exe)
  • Handles inbound requests
  • Loads all IIS modules configured in
```
%windir%\system32\inetsrv\config\ApplicationHost.config
```

-----

###### Request-processing pipeline

• Events generate notifications
• Event handlers handle notifications
• Class inheriting from CHttpModule: event notification, post-event notification

-----

###### Module classes implement event handlers

• Class inheriting from CHttpModule
• Class inheriting from CGlobalModule

-----

###### RegisterModule: DLL export / module entrypoint

1. Creates instances of the core classes
2. Registers module for server events
3. Sets priority for the module

-----

###### Malicious native IIS modules

##### Reverse-engineering

-----

1. Import relevant interfaces (implemented in iiscore.dll):
```
IHttpContext, IHttpModuleRegistrationInfo, IHttpRequest, IHttpResponse, IPreBeginRequestProvider…
```
2. Start with the RegisterModule export (see Group 9 in the paper)
  • Which handlers are implemented?
  • Initialization?
3. Identify implemented handlers (see Group 7 and Group 12 in the paper): a module may consist only of malicious handlers, or hide one malicious handler among benign handlers
4. Refer to the Native-Code API Reference for the analysis

-----

###### Malicious native IIS modules

##### Understanding the TTPs

-----

###### 1. IIS backdoors: execute backdoor commands on IIS server

Backdoor commands:
• Get system information
• Upload/download files
• Execute files or shell commands
• Create reverse shell
• Create/list/move/rename/delete files and folders
• Map local drives to remote drives
• Exfiltrate collected data

Flow: (1) attacker HTTP requests, i.e. a special HTTP request carrying backdoor commands; (2) command output returned in the response.

How the module recognizes an attacker HTTP request:
• A custom HTTP header present
• An embedded password in the URL, request body or headers (hardcoded password or password hash in the malware)
• A specific format of URL or request body

Attacker HTTP request example: see Group 7 in the paper

-----

###### 2. IIS infostealers: intercept traffic and steal data from legitimate visitors (see Group 5 in the paper)

-----

#### DEMO

-----

###### 3. IIS injectors: serve malicious content to legitimate visitors (see Group 12 in the paper)

-----

###### 4. IIS proxies: relay traffic between a compromised host and the C&C server (see Group 9 in the paper)

-----

###### 5. SEO fraud: deceive search engine crawlers (see Group 13 in the paper)

• Manipulates content served to
search engine crawlers to boost SEO for selected websites
• Legitimate user requests are ignored by the malware
• Techniques used:
  • Keyword stuffing
  • Injecting a list of backlinks
  • Redirecting the crawlers (turning the compromised website into a doorway page)
• This is not Black Hat SEO: a third-party website benefits from the manipulation, not the one serving the manipulated content (this is likely sold as a service)
• C&C communication to obtain configuration data
• Other malicious modes present (e.g. backdoor, proxy)

-----

###### Known IIS malware families (see the paper for detailed analyses)

|Malware family|Backdoor|Info stealer|Proxy|SEO fraud|Injector|
|---|---|---|---|---|---|
|Group 1||||||
|Group 2||||||
|Group 3||||||
|Group 4||||||
|Group 5||||||
|Group 6||||||
|Group 7||||||
|Group 8||||||
|Group 9||||||
|Group 10||||||
|Group 11||||||
|Group 12A||||||
|Group 12B||||||
|Group 12C||||||
|Group 13||||||

-----

###### Malicious native IIS modules

##### Detection, mitigation and remediation

-----

###### Detecting compromised servers

• Inspect installed modules: via IIS Manager, AppCmd.exe, or inspect the configuration file
```
%windir%\system32\inetsrv\config\ApplicationHost.config
```
• Check IIS logs: the default location is
```
%SystemDrive%\inetpub\logs\LogFiles
```
• Scan for known malware families: use the IoCs and YARA rules listed on our GitHub repository

-----

#### DEMO

-----

###### Mitigation (of compromise vectors)

Prevent server exploitation:
• keep your OS up-to-date
• limit services exposed to the internet
• use strong passwords and 2FA for dedicated administrative accounts

Prevent installing malicious (e.g., trojanized) modules:
• only install modules from trusted sources
• consider using an endpoint security solution

-----

##### Conclusion

-----

###### Black Hat Sound Bytes: Anatomy of Native IIS Malware

1. IIS malware: cybercrime AND cyberespionage tool; we documented 14 families (10 new); consider them in your threat model
2. Get the full white paper for a comprehensive guide on detecting, analyzing and
3. Use the IoCs and YARA rules for detection: get them from the ESETresearch GitHub https://github.com/eset/malware-ioc/tree/master/badiis

-----

##### Thanks for watching!

###### www.welivesecurity.com | @ESETresearch

###### Zuzana Hromcova, ESET Malware Researcher | @zuzana_hromcova

-----
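The "inspect installed modules" check from the detection slide, worked through as an added example (not code from the talk or from ESET): since w3wp.exe loads its native modules from ApplicationHost.config, the script parses that file's `<globalModules>` section and flags any native module whose DLL lives outside the IIS install directory. The config is constructed; the module names, the DLL paths and the assumed Windows directory are illustrative only.

```python
# Added example, not from the talk or ESET: parse an ApplicationHost.config and
# flag native modules loaded from outside the IIS install directory.
import xml.etree.ElementTree as ET

IIS_DIR = r"C:\Windows\System32\inetsrv"   # assumed %windir%\System32\inetsrv

# Constructed sample config: two stock IIS modules plus one assumed extra
# module ("UpdateModule") registered from an unusual location.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="CacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="UpdateModule" image="C:\inetpub\temp\update.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" />
      <add name="UpdateModule" />
    </modules>
  </system.webServer>
</configuration>
"""

def expand_windir(path: str) -> str:
    """Expand the %windir% placeholder IIS uses in image paths (assumed C:/Windows)."""
    return path.replace("%windir%", r"C:\Windows")

def native_modules(config_xml: str) -> list[dict]:
    """List every <globalModules><add> entry with its DLL path and whether the
    module is also enabled in the server-wide <modules> list."""
    root = ET.fromstring(config_xml)
    enabled = {m.get("name") for m in root.iterfind("./system.webServer/modules/add")}
    return [{"name": m.get("name"),
             "image": expand_windir(m.get("image", "")),
             "enabled": m.get("name") in enabled}
            for m in root.iterfind("./system.webServer/globalModules/add")]

def suspicious_modules(config_xml: str) -> list[str]:
    """Names of native modules whose DLL is not under the IIS install directory."""
    prefix = IIS_DIR.lower() + "\\"
    return [m["name"] for m in native_modules(config_xml)
            if not m["image"].lower().startswith(prefix)]
```

A module placed inside the inetsrv directory, or a trojanized copy of a stock DLL, passes this path check, which is why the slide pairs it with scanning the DLLs themselves against the published IoCs and YARA rules. Modules can also be enabled per site in web.config, so the `enabled` flag here covers only the server-wide list.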
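The "check IIS logs" step from the detection slide, as an added example (not code from the talk or from ESET): a parser for the W3C extended log format IIS writes under %SystemDrive%\inetpub\logs\LogFiles, plus one hunting heuristic suited to the backdoor command channel described in the TTPs section, namely a request path that is driven repeatedly by a single client while legitimate OWA paths are hit by many. The log lines, IP addresses and paths are constructed; the heuristic and its threshold are assumptions, not ESET's detection logic.

```python
# Added example, not from the talk or ESET: parse IIS W3C logs and surface
# (method, path) pairs that only one client ever requests.
from collections import defaultdict

# Constructed sample log; addresses, paths and user agents are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-05-01 10:00:01 GET /owa/ - 198.51.100.10 Mozilla/5.0 200
2021-05-01 10:00:02 GET /owa/auth/logon.aspx - 198.51.100.11 Mozilla/5.0 200
2021-05-01 10:00:03 GET /owa/ - 198.51.100.12 Mozilla/5.0 200
2021-05-01 10:01:00 POST /owa/auth/res.aspx cmd=1 203.0.113.5 - 200
2021-05-01 10:01:07 POST /owa/auth/res.aspx cmd=2 203.0.113.5 - 200
2021-05-01 10:01:15 POST /owa/auth/res.aspx cmd=3 203.0.113.5 - 200
"""

def parse_w3c(text: str) -> list[dict]:
    """Turn W3C extended log text into dicts keyed by the names in #Fields.
    Lines whose field count does not match the directive are skipped."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows

def single_source_paths(rows: list[dict], min_hits: int = 3) -> list[tuple]:
    """(method, path) pairs requested at least min_hits times, all from one IP.
    Heuristic only: a backdoor operator tends to be the sole visitor of the
    trigger path, while real OWA pages see many distinct clients."""
    hits = defaultdict(list)
    for r in rows:
        hits[(r["cs-method"], r["cs-uri-stem"])].append(r["c-ip"])
    return sorted(k for k, ips in hits.items()
                  if len(ips) >= min_hits and len(set(ips)) == 1)
```

W3C logging records only the configured fields, so a custom trigger header (the first recognition method on the backdoor slide) is invisible in these logs unless logging of that header has been enabled; password-in-URL and URL-format triggers do leave traces in cs-uri-stem and cs-uri-query.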