According to a new warning issued by the Microsoft 365 Defender Research Team, IIS backdoors are much harder to detect than other backdoors because they commonly reside in the same directories as legitimate IIS modules.
They also use the same code structures as the clean modules loaded by the target application. The attack chains observed begin with the exploitation of a vulnerability in the hosted web application for initial access. Using that foothold, the attackers drop a script web shell as the first-stage payload.
The web shell then becomes the channel through which the attackers install a rogue IIS module, which gives them covert and persistent access to the server. From that position they can monitor incoming and outgoing requests and run remote commands.
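The registration of a rogue module described above leaves a trace in IIS's own configuration. As an added example (not code from Microsoft's report or from the page), the following Python script performs the baseline check a responder would run against a copy of %windir%\System32\inetsrv\config\applicationHost.config collected from a suspect server: it enumerates every registered native and managed module and flags those loaded from outside the stock IIS directories, those loaded from a stock directory but absent from a known-good baseline, and managed modules whose type is not from an expected namespace. The sample config, the baseline set, the allowed-directory list and the module names in it are constructed assumptions for this example; on a real engagement the baseline is exported from a clean reference host of the same IIS build.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed applicationHost.config fragment for this example. The module names
# and paths are made up; the stock-looking entries mirror the shape of a default
# IIS install, and the remaining entries are the kinds of thing to flag.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="CacheUtilModule" image="%windir%\System32\inetsrv\cacheutil.dll" />
      <add name="RequestMonitoringModule" image="C:\inetpub\wwwroot\bin\reqmon.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="UriCacheModule" lockItem="true" />
        <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" preCondition="managedHandler" />
        <add name="ReportingHelper" type="ReportingHelper.RequestModule, ReportingHelper" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""

# Directories in which stock IIS and ASP.NET native modules live (assumption for
# this example, with a default system drive). Anything loaded from elsewhere is
# worth a close look.
ALLOWED_NATIVE_DIRS = (
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\windows\\microsoft.net\\framework\\",
    "c:\\windows\\microsoft.net\\framework64\\",
    "c:\\program files\\iis\\",
)

# Constructed baseline: native module names and managed type prefixes that were
# present on a known-good server of the same build. This is deliberately not a
# complete list of stock IIS modules; export the real one from a clean host.
BASELINE_NATIVE = {"UriCacheModule", "ManagedEngineV4.0_64bit"}
BASELINE_MANAGED_PREFIXES = ("System.Web.",)


def normalize_path(image: str) -> str:
    """Lower-case the image path and expand the variables IIS uses in config."""
    path = image.lower().replace("/", "\\")
    for var in ("%windir%", "%systemroot%"):
        path = path.replace(var, "c:\\windows")
    path = path.replace("%programfiles%", "c:\\program files")
    return path


def audit_modules(config_xml: str) -> List[Dict[str, str]]:
    """Return one finding per module that deviates from the expected layout."""
    root = ET.fromstring(config_xml)
    findings: List[Dict[str, str]] = []

    # Native modules: registered in <globalModules> with an image path.
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name = add.get("name", "")
            image = normalize_path(add.get("image", ""))
            if not image.startswith(ALLOWED_NATIVE_DIRS):
                findings.append({"module": name, "kind": "native", "severity": "high",
                                 "reason": f"image outside stock IIS directories: {add.get('image')}"})
            elif name not in BASELINE_NATIVE:
                # Same directory as legitimate modules, so only the baseline catches it.
                findings.append({"module": name, "kind": "native", "severity": "review",
                                 "reason": "loaded from a stock directory but absent from baseline"})

    # Managed modules: <modules><add> entries that carry a .NET type; entries
    # without a type only reference a native module already covered above.
    for section in root.iter("modules"):
        for add in section.findall("add"):
            mtype = add.get("type")
            if mtype is None:
                continue
            if not mtype.startswith(BASELINE_MANAGED_PREFIXES):
                findings.append({"module": add.get("name", ""), "kind": "managed", "severity": "high",
                                 "reason": f"managed module type not in baseline: {mtype}"})
    return findings


if __name__ == "__main__":
    for finding in audit_modules(SAMPLE_CONFIG):
        print(f"[{finding['severity']:6}] {finding['kind']:7} {finding['module']}: {finding['reason']}")
```

Because a rogue module can sit in inetsrv next to legitimate DLLs, as the warning notes, the path check alone is not enough; the baseline comparison is what catches the CacheUtilModule entry in the sample. On the live host, follow up on every flagged image by checking its Authenticode signature with Get-AuthenticodeSignature and comparing its hash against a known-good copy, and review the web.config files under each site root as well, since managed modules can also be registered there.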
Earlier this month, Kaspersky researchers disclosed that the Gelsemium group ran a campaign that exploited the ProxyLogon flaws in Exchange Server to deploy SessionManager, a piece of IIS malware.
In a separate set of attacks in January and May 2022, the tech giant observed Exchange servers being targeted with web shells dropped through an exploit for the ProxyShell flaws.
Those intrusions led to the deployment of a backdoor named FinanceSvcModel.dll, but only after a period of reconnaissance.
As explained by security researcher Hardik Suri, this backdoor had built-in capabilities to perform Exchange management operations, including enumerating installed mailbox accounts and exporting mailboxes for exfiltration.
To mitigate such attacks, apply the latest security updates and make sure that anti-virus and other protections are enabled.