ESET, an internet security company, has uncovered a previously undocumented backdoor that disguises itself as an extension for Internet Information Services (IIS) and is used to spy on the target host. The malware tampers with the server's request logging in order to stay under the radar on the infected machine while it carries out its objectives.
Researchers believe the backdoor has been active since at least July 2020 and that the privilege escalation tool "Juicy Potato" was used during the campaign. "We suspect the attackers first obtain initial access to the IIS server via some vulnerability, and then use Juicy Potato to obtain the administrative privileges that are required to install IISpy as a native IIS extension," reads the blog post.

During the analysis, the team observed that IISpy, running as an IIS module, sees every HTTP request received by the compromised server and can alter the server's responses; the attackers use this position to turn ordinary web traffic into their command-and-control (C&C) channel, so the backdoor never has to open an outbound connection of its own.
"The operator (not the backdoor) initiates the connection by sending a special HTTP request to the compromised server. The backdoor recognizes the attacker request, extracts and executes the embedded backdoor commands, and modifies the HTTP response to include the command output," state the ESET researchers.
The commands supported by the backdoor are:
- Get system information
- Upload/download files
- Execute files or shell commands
- Create a reverse shell
- Create/list/move/rename/delete files and folders
- Create a mapping between a local and a remote drive
- Exfiltrate collected data
Experts also observed that “IISpy is implemented as a native IIS module – a C++ DLL deployed in the %windir%\system32\inetsrv\ or the %windir%\SysWOW64\inetsrv folder on the compromised IIS server, under the name cache.dll or logging.dll.”
Indicators of Compromise
SHA-1
22F8CA2EB3AF377E913B6D06B5A3618D294E4331
435E3795D934EA8C5C7F4BCFEF2BEEE0E3C76A54
CED7BC6E0F1A15465E61CFEC87AAEF98BD999E15
Filenames
cache.dll
logging.dll
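Because IISpy is registered as a native IIS module and tampers with the request log, the IIS logs cannot be trusted to reveal the attacker's requests; the reliable check is to enumerate the native modules registered in applicationHost.config and compare each DLL's name and SHA-1 against the indicators above. The script below is an added example, not ESET's or this site's code. It assumes the standard applicationHost.config layout (a globalModules section of add elements with name and image attributes); the embedded sample config and the module name "CacheModule" in it are constructed for the demonstration.

```python
"""Audit the native IIS modules registered in applicationHost.config
against the published IISpy indicators (filenames and SHA-1 hashes).

Added example; not code from ESET or the article's site. The SAMPLE_CONFIG
fragment and its "CacheModule" entry are constructed for the demo.
"""
import hashlib
import ntpath
import re
import sys
import xml.etree.ElementTree as ET

# Indicators from the article's IoC list.
IISPY_SHA1 = {
    "22f8ca2eb3af377e913b6d06b5a3618d294e4331",
    "435e3795d934ea8c5c7f4bcfef2beee0e3c76a54",
    "ced7bc6e0f1a15465e61cfec87aaef98bd999e15",
}
IISPY_FILENAMES = {"cache.dll", "logging.dll"}

# Default location of the IIS server configuration on a Windows host.
DEFAULT_CONFIG = r"C:\Windows\System32\inetsrv\config\applicationHost.config"

# Constructed applicationHost.config fragment (not captured from a real server):
# two stock modules plus one entry pointing at cache.dll, an IISpy filename.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="CacheModule" image="%windir%\\System32\\inetsrv\\cache.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def expand_iis_path(image, windir=r"C:\Windows"):
    """Expand %windir% / %SystemRoot% (case-insensitive) as IIS does at load time."""
    return re.sub(r"%(windir|systemroot)%", lambda m: windir, image, flags=re.I)


def list_global_modules(config_xml):
    """Return (module name, image path) for every native module in <globalModules>."""
    root = ET.fromstring(config_xml)
    modules = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            modules.append((add.get("name"), add.get("image")))
    return modules


def sha1_of_file(path):
    """SHA-1 of a file on disk, or None when it cannot be read."""
    try:
        with open(path, "rb") as f:
            return hashlib.sha1(f.read()).hexdigest()
    except OSError:
        return None


def audit_modules(config_xml, sha1_of=sha1_of_file, windir=r"C:\Windows"):
    """Flag registered modules whose DLL filename or SHA-1 matches an IISpy indicator.

    Returns a list of (module name, expanded DLL path, reason). `sha1_of` is
    injectable so the logic can be exercised offline against known hashes.
    """
    findings = []
    for name, image in list_global_modules(config_xml):
        path = expand_iis_path(image, windir)
        base = ntpath.basename(path).lower()
        digest = sha1_of(path)
        if base in IISPY_FILENAMES:
            findings.append((name, path, f"filename {base} is an IISpy indicator"))
        if digest and digest.lower() in IISPY_SHA1:
            findings.append((name, path, f"SHA-1 {digest} matches an IISpy sample"))
    return findings


if __name__ == "__main__":
    # Usage on the server: python iispy_audit.py [path\to\applicationHost.config]
    config_path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CONFIG
    try:
        with open(config_path, encoding="utf-8-sig") as f:
            xml_text = f.read()
    except OSError:
        print(f"{config_path} not readable; auditing the constructed sample instead")
        xml_text = SAMPLE_CONFIG
    for name, path, reason in audit_modules(xml_text):
        print(f"[!] {name}: {path}: {reason}")
```

Run it on the IIS host itself so the DLL hashes are computed from the files actually loaded; the path expansion covers both the System32\inetsrv and SysWOW64\inetsrv entries that a 64-bit server lists for its 64- and 32-bit modules. A filename match alone is only a lead, since an attacker can rename the DLL, so treat any module in the list that is not a stock IIS component as suspect until its hash and publisher are verified.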
For more cyber security news in crisp content, follow our site via the Twitter handle @cyberworkx1.