Microsoft warns: IIS extensions can hide server backdoors

Microsoft warns: IIS extensions can hide server backdoors

Microsoft 365 Defender Research Team warns now About a growing trend where attackers are using Internet Information Services (IIS) web server extensions to disguise the creation of backdoors in Windows-based servers.

According to Microsoft, it is mainly about IIS extensions that attackers install themselves, after first accessing the servers. The most common way to get access is to use a “script”web shellยป.



difficult to detect

Malicious IIS extensions are then used to persistently access the server through one or more backdoors. According to Microsoft, these IIS-based backdoors are difficult to detect because the software is mostly located in the same folders as the legitimate modules. They also follow the same code structure as the uninfected modules.

According to Microsoft, the actual backdoor logic is minimal and would not be considered malicious without a broader understanding of how legitimate IIS extensions work.


What are legitimate IIS modules and which are malicious? Because it’s unlikely that malware would have names like “backdoor”. Screenshot: Microsoft

In the blog post The Microsoft 365 Defender research team reports that, among other things, it observed a campaign in the months from January to May this year. This campaign targeted Exchange servers. Here, backdoor modules were able to monitor incoming and outgoing requests, as well as run commands remotely and in the background recording login information for users logging into the web application.

Defense requires knowledge

Microsoft expects that attackers will increasingly exploit IIS backdoors. The company therefore believes that it is critical that those who have to defend systems against such attacks have knowledge and understanding of how these attacks work.

See also  HSBC covers twelve of the energy giants

In the blog post, the company discusses in more detail what often characterizes the different parts of these attacks, including initial attacks using a web shell, executing commands, accessing login information, and information theft.



Hanisi Anenih

Hanisi Anenih

"Web specialist. Lifelong zombie maven. Coffee ninja. Hipster-friendly analyst."

Leave a Reply

Your email address will not be published. Required fields are marked *