Microsoft has reported an increase in malware native to its Internet Information Services (IIS) web server, used to install backdoors or steal credentials. Microsoft said the malware is difficult to detect, which means IT teams could struggle to identify malicious IIS extensions. Historically, IIS extensions have been a less popular payload against Exchange servers than web shells. However, Microsoft says they are useful to attackers because they sit in the same directories as legitimate modules and follow the same code structure as those modules, which makes an infection harder to detect.
In the event of an attack, a malicious backdoor installed in major IIS-hosted applications on Outlook and Microsoft Exchange Server could give an attacker full access to a target’s email communications. Last year, security firm ESET detected 80 unique IIS modules belonging to 14 different malware families, including infostealers, backdoors, droppers and proxies. Microsoft reported that IIS extension attacks typically follow the exploitation of a critical flaw: the attacker drops a web shell and ultimately installs the backdoor to establish persistent access to the server.
Read more: Microsoft warns of stealth backdoors used to target Exchange servers