Nov 5, 2021

IISpy: A complex server‑side backdoor with anti‑forensic features


The second in our series on IIS threats dissects a malicious IIS extension that employs nifty tricks in an attempt to secure long-term espionage on the compromised servers
ESET researchers have discovered and analyzed a previously undocumented backdoor, implemented as an extension for Internet Information Services (IIS), Microsoft’s web server software. The backdoor, which we named IISpy, uses a variety of tricks to interfere with the server’s logging and to evade detection, in order to perform long-term espionage. IISpy is detected by ESET security solutions as Win{32,64}/BadIIS.
This blogpost is the second installment in our series where ESET researchers put IIS web server threats under the microscope – the other parts discuss IIS malware used for cybercrime and SEO fraud, respectively. For a comprehensive guide to how to detect, analyze and remove IIS malware, refer to our white paper Anatomy of native IIS malware, where IISpy is featured as one of the studied families (Group 7).
According to ESET telemetry, this backdoor has been active since at least July 2020, and has been used with Juicy Potato (detected as Win64/HackTool.JuicyPotato by ESET security solutions), which is a privilege escalation tool. We suspect the attackers first obtain initial access to the IIS server via some vulnerability, and then use Juicy Potato to obtain the administrative privileges that are required to install IISpy as a native IIS extension.
According to our telemetry, IISpy affects a small number of IIS servers located in Canada, the USA and the Netherlands – but this is likely not the full picture, as it is still common for administrators to not use any security software on servers, and thus our visibility into IIS servers is limited.
Because IISpy is configured as an IIS extension, it can see all the HTTP requests received by the compromised IIS server, and shape the HTTP response that the server will answer with. IISpy uses this channel to implement its C&C communication, which allows it to operate as a passive network implant. As shown in Figure 1, the operator (not the backdoor) initiates the connection by sending a special HTTP request to the compromised server. The backdoor recognizes the attacker request, extracts and executes the embedded backdoor commands, and modifies the HTTP response to include the command output.
The following backdoor commands are supported:
IISpy ignores all other HTTP requests sent to the compromised IIS server by its legitimate visitors – of course, these are still handled by the benign server modules.
Figure 1. IISpy backdoor control mechanism
The control requests from IISpy’s operators have a predefined structure, with a specific (hidden) relationship between the Cookie and Host headers, and the URL. To identify such requests, IISpy first computes the MD5 hash of both the URL and Host header of an inbound HTTP request, and splits each MD5 into four double words:
Then, it verifies that the Cookie header contains a substring built from these values:
Figure 2 illustrates how this substring is assembled. Backdoor commands are embedded in the HTTP body, AES‑CBC encrypted and base64 encoded.
Figure 2. IISpy control HTTP request format
Note that this structure of control requests is unique to IISpy: all the other known IIS backdoors (that we have documented in our white paper Anatomy of native IIS malware) are controlled by hardcoded passwords, specific URIs or custom HTTP headers. As opposed to those “secrets”, IISpy’s control requests are more difficult to fingerprint and find in logs, which is an attempt to keep its C&C communication unnoticed.
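One way a defender can hunt for requests of this shape in proxy or access logs, as an added example that is not ESET's code: the page does not show how IISpy concatenates the MD5 double words into the Cookie substring, so this heuristic flags any Cookie value containing any hex-encoded dword (either byte order) of MD5(URL) or MD5(Host); the log field order and the sample lines are constructed, and cookie logging is assumed to be enabled.

```python
import hashlib
import struct

def md5_dwords(value: str) -> list:
    """MD5 the value and split the 16-byte digest into four 32-bit words,
    in both byte orders, since the page does not say which one IISpy uses."""
    digest = hashlib.md5(value.encode("utf-8")).digest()
    return list(struct.unpack("<4I", digest)) + list(struct.unpack(">4I", digest))

def cookie_matches(url: str, host: str, cookie: str) -> list:
    """Hex dwords of MD5(url) / MD5(host) that occur inside the Cookie value.
    Assumption: the dwords appear hex-encoded; the exact layout of IISpy's
    cookie substring is not shown on the page, so any single dword counts."""
    needles = {f"{d:08x}" for d in md5_dwords(url) + md5_dwords(host)}
    lowered = cookie.lower()
    return sorted(n for n in needles if n in lowered)

def scan_log(lines: list) -> list:
    """Scan space-separated log lines with the constructed field order
    date time cs-method cs-uri-stem cs-host cs(Cookie); return (uri, host, hits)."""
    hits = []
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) < 6:
            continue
        _date, _time, _method, uri, host, cookie = parts[:6]
        found = cookie_matches(uri, host, cookie)
        if found:
            hits.append((uri, host, found))
    return hits

# Constructed sample log: the second request's cookie carries one dword of
# MD5("/index.aspx"), the way an IISpy control request references the URL.
SAMPLE_TAG = f"{md5_dwords('/index.aspx')[1]:08x}"
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-host cs(Cookie)",
    "2021-07-01 10:00:01 GET /index.aspx www.example.test session=abc123",
    f"2021-07-01 10:00:02 POST /index.aspx www.example.test sid={SAMPLE_TAG}",
]
```

Because IISpy rewrites the compromised server's own log entries (see the OnLogRequest handler below), run this against logs captured upstream, such as a reverse proxy or WAF, rather than only the IIS logs on the host.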
Another such trick is used for the other side of the communication: IISpy embeds its encrypted and encoded response within a fake PNG image, between the PNG file headers as a TEXT or BLOB chunk. To reply to a control HTTP request, IISpy replaces the original HTTP response body (sent by the IIS server) with the fake PNG file, and sets the Content-Type header to image/png to give more credibility to this charade.
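A chunk-level check for responses served as image/png that are not really images, added here as an example and not part of ESET's analysis: it walks the PNG chunk list, verifies each CRC, reports a file with no IDAT chunk (which cannot render) and flags base64 blobs in non-image chunks such as tEXt. Both sample files are constructed inline.

```python
import base64
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
IMAGE_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND"}  # chunks a real image is made of

def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def parse_chunks(data: bytes) -> list:
    """Walk the chunk list; returns (type, payload, crc_ok) per chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG signature")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        expected = struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF)
        chunks.append((ctype.decode("latin-1"), payload, crc == expected))  # truncated CRC -> False
        pos += 12 + length
    return chunks

def looks_like_b64(payload: bytes) -> bool:
    """True for a canonical base64 blob; tEXt payloads are keyword NUL text."""
    body = payload.split(b"\x00", 1)[-1]
    try:
        return len(body) >= 16 and base64.b64encode(base64.b64decode(body, validate=True)) == body
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def suspicious_png(data: bytes) -> list:
    """Findings for a body served as image/png that may be hiding a C&C reply."""
    chunks, findings = parse_chunks(data), []
    if "IDAT" not in [c[0] for c in chunks]:
        findings.append("no IDAT chunk: file cannot render as an image")
    for name, payload, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"bad CRC on {name} chunk")
        if name not in IMAGE_CHUNKS and looks_like_b64(payload):
            findings.append(f"base64 blob in {name} chunk")
    return findings

# Constructed samples: a 1x1 image with a harmless comment, and a fake PNG whose only content is a base64 tEXt blob.
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
IEND = make_chunk(b"IEND", b"")
BENIGN_PNG = PNG_SIG + IHDR + make_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00")) \
    + make_chunk(b"tEXt", b"Software\x00paint.example") + IEND
FAKE_PNG = PNG_SIG + IHDR + make_chunk(b"tEXt", b"Comment\x00" + base64.b64encode(b"constructed reply")) + IEND
```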
Both sides of the C&C communication are AES-CBC encrypted and base64 encoded, using these parameters:
From the technical standpoint, IISpy is implemented as a native IIS module – a C++ DLL deployed in the %windir%\system32\inetsrv or the %windir%\SysWOW64\inetsrv folder on the compromised IIS server, under the name cache.dll or logging.dll.
IISpy is configured as an IIS extension in the %windir%\system32\inetsrv\config\ApplicationHost.config configuration file, and so it is loaded automatically by the IIS Worker Process (w3wp.exe), which handles all requests sent to the IIS web server. As far as execution and persistence go, configuring IISpy as an IIS module itself checks all the boxes – all that’s left to implement inside the malicious module is the actual request processing (and, as a bonus, a few anti-detection and anti-forensic tricks). We cover both in this section.
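Since every native module must be registered in ApplicationHost.config, that file is a natural place to audit. The following is an added example (not ESET's tooling) that lists every <globalModules> entry whose image path is not on a per-server allowlist and calls out the two file names IISpy was seen using; the trimmed configuration and the allowlist are constructed, and %windir% is assumed to expand to C:\Windows.

```python
import xml.etree.ElementTree as ET

# File names IISpy was seen deployed under (from the ESET analysis above).
IISPY_FILE_NAMES = {"cache.dll", "logging.dll"}

def audit_global_modules(config_xml: str, allowlist: set) -> list:
    """Return (module name, image, reason) for every native module registered in
    <globalModules> whose image path is not on the server's allowlist.
    Assumption: allowlist entries are lower-case paths with %windir% expanded."""
    findings = []
    for section in ET.fromstring(config_xml).iter("globalModules"):
        for mod in section.findall("add"):
            name, image = mod.get("name", ""), mod.get("image", "")
            normalized = image.lower().replace("%windir%", r"c:\windows")
            if normalized in allowlist:
                continue
            base = normalized.rsplit("\\", 1)[-1]
            reason = "matches an IISpy file name" if base in IISPY_FILE_NAMES else "not on allowlist"
            findings.append((name, image, reason))
    return findings

# Constructed sample: a trimmed ApplicationHost.config with two stock modules and
# one extra entry registered under the IISpy file name. The allowlist is constructed too.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="CacheModule" image="%windir%\System32\inetsrv\cache.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""
ALLOWLIST = {
    r"c:\windows\system32\inetsrv\defdoc.dll",
    r"c:\windows\system32\inetsrv\loghttp.dll",
}
```

A module name alone proves nothing, so pair any finding with a hash or signature check of the DLL on disk.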
IISpy is written using the IIS C++ API, and uses instances of IHttpContext, IHttpRequest and IHttpResponse interfaces to parse HTTP requests and manipulate the HTTP responses.
As required by all native IIS modules, it exports a function called RegisterModule, where it creates an instance of its core classes and registers their methods for server events using the IHttpModuleRegistrationInfo::SetRequestNotifications method, as shown in Figure 3.
Figure 3. IISpy’s RegisterModule export
IISpy’s core class is inherited from CHttpModule and, as seen in Figure 4, overrides three of its methods – event handlers for the server events:
IISpy registers these handlers with the highest priority (via the IHttpModuleRegistrationInfo::SetPriorityForRequestNotification API). Since several IIS modules (malicious and regular) can be registered for the same event, this ensures that IISpy’s handler will be executed before any other handlers registered for the same event.
Figure 4. IISpy’s core class implements three event handlers
In its OnEndRequest handler, IISpy decrypts the HTTP body of an attacker’s request and extracts its parameters, which are organized as key-value pairs and listed in Table 1.
Table 1. IISpy attacker request parameters
If the credentials are present, IISpy uses them to log in as the user (via LogonUserW, ImpersonateLoggedOnUser) to execute the backdoor commands in the user’s context. The backdoor commands and arguments are also organized as nested key-value pairs, as listed in Table 2.
Table 2. IISpy backdoor commands and arguments
After executing the backdoor command, IISpy encrypts and encodes its return data and uses it to modify the HTTP response to the attacker’s request. The return data is also organized as key-value pairs, with the entries listed in Table 2, plus two additional entries based on the GetLastError result (or custom error messages):
Finally, IISpy implements the OnLogRequest event handler – called right before the IIS server logs a processed HTTP request. The backdoor uses this handler to modify the log entries for requests coming from the attackers to make them look like casual requests. As shown in Figure 5, these steps are taken:
With the log entries modified this way, the attackers attempt to further hide traces of their malicious activities, to make potential forensic analysis more difficult.
Figure 5. IISpy modifies log entries for attacker requests
IISpy is a complex server-side backdoor misusing the extensibility of IIS web server software for its persistence, execution and C&C mechanisms. With its tricks to blend in with the regular network traffic, and to clear incriminating logs, it is designed for long-term espionage on compromised IIS servers.
Organizations that handle sensitive data on their servers should be on the lookout, such as organizations that have the Outlook on the web (OWA) service enabled on their Exchange email servers – OWA is implemented via IIS, and makes an interesting target for espionage. In any case, the best way to keep IISpy out of your servers is to keep them up to date, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation.
Additional technical details on the malware, Indicators of Compromise and YARA rules can be found in our comprehensive white paper, and on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us at: threatintel@eset.com.
ESET detection names:
Win32/BadIIS.F
Win64/BadIIS.U
Sample hashes (SHA-1):
22F8CA2EB3AF377E913B6D06B5A3618D294E4331
435E3795D934EA8C5C7F4BCFEF2BEEE0E3C76A54
CED7BC6E0F1A15465E61CFEC87AAEF98BD999E15
Filenames:
cache.dll
logging.dll
Note: This table was built using version 9 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1587.001 | Develop Capabilities: Malware | IISpy is a custom-made malware family. |
| | T1588.002 | Obtain Capabilities: Tool | Operators of IISpy have used Juicy Potato, a local privilege escalation tool. |
| Initial Access | T1190 | Exploit Public-Facing Application | IISpy likely obtains its initial access to the IIS server via some vulnerability in the web application or on the server, before it uses the privilege escalation tool Juicy Potato to obtain the administrative privileges that are required to install a native IIS module. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | IISpy supports a backdoor command that uses the Windows command shell to execute shell commands on the compromised IIS server. |
| | T1569.002 | System Services: Service Execution | IIS server (and by extension, IISpy) persists as a Windows service. |
| Persistence | T1546 | Event Triggered Execution | IISpy is loaded by IIS Worker Process (w3wp.exe) when the IIS server receives an inbound HTTP request. |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Operators of IISpy have used a local privilege escalation tool, Juicy Potato, to elevate privileges. |
| Defense Evasion | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | IISpy has the ability to execute backdoor commands in another user’s context (via LogonUserW, ImpersonateLoggedOnUser). |
| | T1070 | Indicator Removal on Host | IISpy has the ability to sanitize logging of attacker requests on the IIS server. |
| | T1070.006 | Indicator Removal on Host: Timestomp | IISpy supports a backdoor command to modify file timestamps. |
| Collection | T1005 | Data from Local System | IISpy supports a backdoor command to collect and exfiltrate files from the compromised IIS server. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | IISpy is a passive network implant: adversaries send HTTP requests to the compromised IIS server to control the backdoor. |
| | T1001 | Data Obfuscation | IISpy operators send commands with a specially constructed combination of URLs, Host headers and cookies. IISpy exfiltrates data in a fake PNG file (a PNG header followed by non-image data), in an attempt to make its C&C traffic look like regular network traffic. |
| | T1132.001 | Data Encoding: Standard Encoding | IISpy encodes the C&C communication with base64 encoding. |
| | T1573.001 | Encrypted Channel: Symmetric Cryptography | IISpy uses AES-CBC to encrypt C&C communication. |
| | T1105 | Ingress Tool Transfer | IISpy supports a backdoor command to upload additional tools to the compromised IIS server. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | IISpy supports a backdoor command to exfiltrate data and files from the compromised IIS server. |
