Microsoft’s Internet Information Service (IIS) web server has reported an uptick in malware native to the server leveraged to install backdoors or steal credentials. Microsoft stated that the malware is hard to detected, meaning that IT teams might have trouble identifying the malicious IIS extensions. The IIS extensions are historically not as popular as web shells as a payload for Exchange servers. However, Microsoft says they are useful to the attacker as they lie in the same directories as legitimate modules. In addition, they follow the same code structure as modules that have not been detected, making the infection harder to spot.
If attacked, key IIS-hosted applications on Outlook and Microsoft Exchange Server could offer an attacker complete access to a target’s email communications via the malicious backdoor installation. Last year, security company ESET detected 80 unique IIS modules belonging to 14 different malware families including info stealers, backdoors, injectors, and proxies. Microsoft reported that IIS extension attacks commonly occur after the attacker exploits a critical flaw and drops a web shell, eventually installing the backdoor to establish persistent access to the server.