"Malicious IIS Extensions Gaining Popularity Among Cyber Criminals for Persistent Access"

Threat actors are increasingly using Internet Information Services (IIS) extensions to backdoor servers and establish a long-lasting persistence mechanism. According to a new warning from the Microsoft 365 Defender Research Team, IIS backdoors are also more difficult to detect because they typically reside in the same directories as the legitimate modules used by target applications and have the same code structure as clean modules. This method of attack begins by weaponizing a critical vulnerability in the hosted application to gain initial access, then using this foothold to drop a script web shell as the first-stage payload. The web shell is then used to install a rogue IIS module, which provides highly covert and persistent access to the server while also monitoring incoming and outgoing requests and running remote commands. Security researchers recently revealed a campaign by the Gelsemium group that exploited the ProxyLogon Exchange Server flaws to deploy a piece of IIS malware known as SessionManager. Between January and May 2022, Exchange servers were targeted with web shells via an exploit for the ProxyShell flaws, which eventually led to the deployment of a backdoor called "FinanceSvcModel.dll," but not before a period of reconnaissance. The backdoor included the ability to perform Exchange management tasks such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration. This article continues to discuss the growing popularity of malicious IIS extensions among threat actors for achieving persistent access.

THN reports "Malicious IIS Extensions Gaining Popularity Among Cyber Criminals for Persistent Access"