Security News > 2022 > October > Hackers use Microsoft IIS web server logs to control malware
The Cranefly hacking group, aka UNC3524, uses a previously unseen technique of controlling malware on infected devices via Microsoft Internet Information Services web server logs.
Like any web server, when a remote user accesses a webpage, IIS will log the request to log files that contain the timestamp, source IP addresses, the requested URL, HTTP status codes, and more.
These logs are typically used for troubleshooting and analytics, but a new report by Symantec shows that a hacking group is utilizing the novel technique of using IIS logs to send commands to backdoor malware installed on the device.
On the other hand, web server logs are used to store requests from any visitor worldwide and are rarely monitored by security software, making them an interesting location to store malicious commands while reducing the chances of being detected.
Depending on the string found in the IIS log, the malware will install additional malware, execute a command, or drop a tool that disables IIS logging.
While many defenders are likely already monitoring IIS logs for signs of web shells, those routines may need to be tweaked to also search for the command strings used in this campaign.
News URL
Related news
- Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers (source)
- DragonRank Exploits IIS Servers with BadIIS Malware for SEO Fraud and Gambling Redirects (source)
- Severe Security Flaws Patched in Microsoft Dynamics 365 and Power Apps Web API (source)
- Microsoft: macOS bug lets hackers install malicious kernel drivers (source)
- Russia-Linked Hackers Target Kazakhstan in Espionage Campaign with HATVIBE Malware (source)
- Microsoft 365 apps crash on Windows Server after Office update (source)
- Hackers use FastHTTP in new high-speed Microsoft 365 password attacks (source)
- Hackers Hide Malware in Images to Deploy VIP Keylogger and 0bj3ctivity Stealer (source)
- Microsoft fixes Office 365 apps crashing on Windows Server systems (source)
- Microsoft fixes Windows Server 2022 bug breaking device boot (source)