Security News > 2021 > August > Several Malware Families Targeting IIS Web Servers With Malicious Modules
A systematic analysis of attacks against Microsoft's Internet Information Services servers has revealed as many as 14 malware families, 10 of them newly documented, indicating that the Windows-based web server software continues to be a hotbed for natively developed malware for close to eight years.
IIS is an extensible web server software developed by Microsoft, enabling developers to take advantage of its modular architecture and use additional IIS modules to expand on its core functionality.
"In all cases, the main purpose of IIS malware is to process HTTP requests incoming to the compromised server and affect how the server responds to these requests - how they are processed depends on malware type," Hromcova explained.
Infections involving IIS malware typically hinge on server administrators inadvertently installing a trojanized version of a legitimate IIS module or when an adversary is able to get access to the server by exploiting a configuration weakness or vulnerability in a web application or the server, using it to install the IIS module.
After Microsoft released out-of-band patches for ProxyLogon flaws affecting Microsoft Exchange Server 2013, 2016, and 2019 earlier this March, it was not long before multiple advanced persistent threat groups joined in the attack frenzy, with ESET observing four email servers located in Asia and South America that were compromised to deploy web shells that served as a channel to install IIS backdoors.
Last month, researchers from Israeli cybersecurity firm Sygnia disclosed a series of targeted cyber intrusion attacks undertaken by an advanced, stealthy adversary known as Praying Mantis targeting internet-facing IIS servers to infiltrate high-profile public and private entities in the U.S. To prevent compromise of IIS servers, it's recommended to use dedicated accounts with strong, unique passwords for administration-related purposes, install native IIS modules only from trusted sources, reduce the attack surface by limiting the services that are exposed to the internet, and use a web application firewall for an extra layer of security.