Posted on August 5, 2021 at 6:25 PM
Researchers have identified 14 malware families that target Microsoft’s Internet Information Services (IIS) servers, 10 of which were newly discovered.
The researchers collected more than 80 malware samples and grouped them into 14 unique families. Most of the families are still under active development and were first detected between 2018 and 2021, which means that some variants have propagated further or improved their attack capabilities since they were first seen.
Although the 14 malware families are probably unrelated, they resemble one another in their targets and design: all of them were built as malicious native IIS modules.
The malware families have five operational modules
The core purpose of most of the variants is to process HTTP requests arriving at the compromised server and to control how the server responds to them.
According to the researchers, each variant operates in one of five modes: SEO fraud mode, proxy mode, injector mode, infostealer mode, and backdoor mode.
In SEO fraud mode, the malware can change the content sent to search engine crawlers to steal vital information such as payment details and login credentials.
In proxy mode, the threat actors turn the compromised server into part of the command-and-control (C2) infrastructure for a malware family, relaying communication between the C2 server and victims.
The malware can also be used to modify the HTTP responses delivered to legitimate visitors, who are unaware of its presence.
In most cases, however, the threat actors use the malware in backdoor mode, controlling the compromised machine remotely. The researchers have also seen variants used to intercept traffic between legitimate site visitors and the compromised server.
Malicious actors are taking advantage of the extensible modules
Microsoft released patches for the ProxyLogon flaws in Microsoft Exchange Server in March, covering Exchange Server 2013, 2016, and 2019. Even so, the threat actors appear to remain interested in other targets, and this time multiple advanced persistent threat groups joined in: ESET discovered four compromised email servers in South America and Asia.
ESET also commented on the extensible module architecture and why it is now attractive to threat actors. The security firm said malicious actors are exploiting it to intercept network traffic, steal sensitive data, and deliver malicious content.
The threat actors also find it easier to infiltrate these networks because most security software does not run on IIS servers. This is a disturbing situation for web portals that want to protect their visitors’ data: with the right motivation, the ESET researchers stated, the threat actors could easily steal users’ authentication and payment information from such portals.
Microsoft Exchange Servers targeted in the past
This is not the first time APT hacking groups have focused on Microsoft Exchange Servers. Last month a new kind of malware targeted Microsoft Internet Information Services (IIS) servers. Cybersecurity firm Sygnia released a report detailing the nature of the malware and how it is used to infect Windows servers. According to the firm, the hacking syndicate responsible for the malware is known as “TG1021” or “Praying Mantis”.
Sygnia warned Windows IIS users about the malware and asked them to patch their .NET deserialization vulnerabilities and watch for any suspicious activity on their systems.
The Israel-based security researchers also noted that the threat actors have started launching advanced memory-resident attacks, and they suspect a government is behind the group.
The incident was initially discovered by the Australian Cyber Security Centre in June 2020. When it was first discovered, the agency called it a “Copy-Paste Compromise” carried out by a hacking syndicate in Asia.
IIS, developed by Microsoft, is an extensible web server: its modular architecture lets developers expand its core functionality with additional IIS modules.
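Because every native IIS module is registered in the server's configuration, a defender can audit that registration for entries that do not belong. As an added example (not code from the article, ESET, or Sygnia), the Python script below parses the globalModules section of an IIS applicationHost.config and flags modules whose DLL lives outside the standard inetsrv directory or whose name is not on a reviewer-maintained baseline; the baseline, the sample config, and its planted HttpCacheExtModule entry are all constructed for this illustration.

```python
"""Flag unexpected native IIS modules in applicationHost.config.

Native modules are registered under <system.webServer><globalModules>, one
<add name=... image=... /> per DLL. Stock Microsoft modules live under
%windir%\System32\inetsrv; anything registered elsewhere deserves a look.
"""
import xml.etree.ElementTree as ET

# Constructed baseline: module names already vetted on the host under review.
BASELINE = {"HttpLoggingModule", "StaticCompressionModule", "DefaultDocumentModule"}
STANDARD_DIR = "%windir%\\system32\\inetsrv\\"


def _normalize(image: str) -> str:
    # IIS accepts %windir% or %SystemRoot% and Windows paths are case-insensitive.
    return image.replace("%SystemRoot%", "%windir%").replace("/", "\\").lower()


def suspicious_modules(config_xml: str, baseline=BASELINE):
    """Return a list of (name, image, reasons) for globalModules entries to review."""
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("globalModules"):      # only native-module registrations
        for entry in section.findall("add"):
            name = entry.get("name", "")
            image = entry.get("image", "")
            reasons = []
            if not _normalize(image).startswith(STANDARD_DIR):
                reasons.append("image outside %windir%\\System32\\inetsrv")
            if name not in baseline:
                reasons.append("module name not in baseline")
            if reasons:
                findings.append((name, image, reasons))
    return findings


# Constructed sample config: three stock modules plus one entry planted under Temp.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticCompressionModule" image="%windir%\\System32\\inetsrv\\compstat.dll" />
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="HttpCacheExtModule" image="%windir%\\Temp\\httpcacheext.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for name, image, reasons in suspicious_modules(SAMPLE_CONFIG):
        print(f"{name}: {image} -> {'; '.join(reasons)}")
```

On a real host, point it at a copy of %windir%\System32\inetsrv\config\applicationHost.config and populate the baseline from a known-good build of the same server role.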