IISpy: Installs Backdoor on Microsoft’s Web Server Software

Cybersecurity investigators have detected malware that could deploy backdoor Internet Information Services (IIS) on Microsoft’s Web server software. Labeled IISpy, the malware employs several tools to interfere with the logging and identification of the server so that it can undertake long-term spying. 

The backdoor has also been operational since July 2020, at least, and is employed as a privileged escalation mechanism with Juicy Potato (detected as Win64/HackTool.JuicyPotato by ESET security solutions). 

Threat actors first get initial access to the IIS server by exploiting a flaw and then employ Juicy Potato as a Native IIS extension to gain the administrative rights needed for IISpy to be installed. IISpy impacts a tiny percentage of the IIS platforms in Canada, the U.S., and Holland as per the telemetry. However, it might not be the whole picture, as administrators are still using no server security software and the IIS servers’ sight is limited. 

Since IISpy is designed to be an IIS extension, each HTTP request received by the affected IIS server can be viewed and the server would respond. IISpy utilizes its C&C-Communication channel to act as passive implantation in the network. 

Whilst submitting an HTTP request to the affected server, attackers start a connection. The backdoor detects the request from the attacker, retrieves and performs the built-in backdoor commands, and changes the HTTP response to include the output of the command. 

The backdoor provides attackers with system information, file or shell commands, and much more. The malware does not include all valid HTTP visitor requests made to the infected IIS server, which are handled by the harmless server modules. However, the OnLogRequest event handler, executed shortly before the IIS server logs a finished HTTP request, is implemented with an anti-logging function. The backdoor employs this handler to change the system logs for requests from the attackers, as per the researchers. 

Researchers have suggested firms dealing with sensitive information should look for such malware on their systems. Companies who use Outlook on their Exchange email servers on the web (OWA) service specifically should be aware. 

Further researchers added, “OWA is implemented via IIS and makes an interesting target for espionage. In any case, the best way to keep IISpy out of your servers is to keep them up to date, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation.”