Internet Information Services server software has been used to intercept HTTP requests, rig SEO rankings and control compromised servers remotely.

A set of 10 previously undocumented malware families, exploited as malicious extensions for Microsoft’s Internet Information Services (IIS) web server software, have been discovered by a cybersecurity research team. 

The extensions target both government mailboxes and e-commerce credit card transactions, as well as aid in malware distribution. This diverse class of threats operates by eavesdropping on and tampering with the IIS server’s communications.

According to ESET telemetry and the results of additional internet-wide scans that its researchers performed to detect the presence of these backdoors. At least five IIS backdoors have been spreading through server exploitation of Microsoft Exchange email servers in 2021.

Among the victims are governments in South-east Asia and dozens of companies belonging to various industries located mostly in Canada, Vietnam and India, but also in the US, New Zealand, South Korea and other countries.

Five modes of IIS malware

IIS malware is a diverse class of threats used for cybercrime, cyberespionage and search engine optimization fraud, but in all cases, its main purpose is to intercept HTTP requests incoming to the compromised IIS server and to affect how the server responds to (some of) these requests. 

ESET has identified five main modes in which IIS malware operates:

  1. IIS backdoors allow their operators to remotely control the compromised computer.
  2. IIS infostealers allow their operators to intercept regular traffic between the compromised server and its legitimate visitors and steal information such as login credentials and payment information.
  3. IIS injectors modify HTTP responses sent to legitimate visitors to serve malicious content.
  4. IIS proxies turn the compromised server into an unwitting part of the command and control infrastructure for another malware family.
  5. SEO fraud IIS malware modifies the content served to search engines to manipulate SERP algorithms and boost the ranking for other websites of interest to the attackers.

According to one of the firm’s researchers, Zuzana Hromcová: “IIS web server software’s modular architecture, designed to provide extensibility for web developers, can be a useful tool for attackers. It is still quite rare for security software to run on IIS servers, which makes it easy for attackers to operate unnoticed for long periods of time. This should be disturbing for all serious web portals that want to protect their visitors’ data, including authentication and payment information. Organizations that use Outlook on the web should also pay attention, as it depends on IIS and could be an interesting target for espionage.”

Organizations can defend against IIS malware attacks through basic cyber hygiene such as using strong and unique passwords, multifactor authentication for the administration of IIS servers; keeping the operating system up to date; using a web application firewall and endpoint security solution for the server; and regularly checking the IIS server configuration to verify that all installed extensions are legitimate.