ESET, an internet security company, has uncovered a new, previously undocumented backdoor that disguises itself as an extension for Internet Information Services (IIS) in order to spy on the target host. The malware stays under the radar on the infected machine by interfering with the server's logging mechanism while it pursues its objectives.

Experts believe that this backdoor has been active since at least July 2020 and that the privilege escalation tool named “Juicy Potato” was used during the campaign. “We suspect the attackers first obtain initial access to the IIS server via some vulnerability, and then use Juicy Potato to obtain the administrative privileges that are required to install IISpy as a native IIS extension,” reads the blog post.

Source: ESET

During the analysis, the team observed that IISpy can see all of the traffic received by the compromised IIS server and can modify it as the attack requires, for example to communicate with the CnC server.

“The operator (not the backdoor) initiates the connection by sending a special HTTP request to the compromised server. The backdoor recognizes the attacker request, extracts and executes the embedded backdoor commands, and modifies the HTTP response to include the command output,” the ESET researchers state.

The commands supported by the backdoor are:

  • Get system information
  • Upload/download files
  • Execute files or shell commands
  • Create a reverse shell
  • Create/list/move/rename/delete files and folders
  • Create a mapping between a local and a remote drive
  • Exfiltrate collected data

Experts also observed that “IISpy is implemented as a native IIS module – a C++ DLL deployed in the %windir%\system32\inetsrv\ or the %windir%\SysWOW64\inetsrv folder on the compromised IIS server, under the name cache.dll or logging.dll.”
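Because IISpy registers as a native IIS module, the list of globally loaded modules in applicationHost.config is a natural place for defenders to look. The following script is an added example and not code from ESET or from the article: it parses a constructed applicationHost.config fragment, compares every `<globalModules>` entry against a baseline of module DLL file names recorded from a clean server of the same IIS version (the baseline here is constructed for illustration), and additionally flags the file names the report attributes to IISpy. The module name "CacheModule" in the sample is invented; only the file names cache.dll and logging.dll and the inetsrv location come from the ESET findings.

```python
"""Audit globally loaded native IIS modules against a known-good baseline.

Added example. The module name "CacheModule" and the sample paths are
constructed; the file names cache.dll / logging.dll and the inetsrv folder
are the only details taken from the ESET write-up.
"""
import ntpath
import xml.etree.ElementTree as ET

# File names the ESET report gives for the IISpy DLL inside the inetsrv folder.
IISPY_REPORTED_NAMES = {"cache.dll", "logging.dll"}

# Constructed baseline: DLL file names of the native modules present on a clean
# server of the same IIS version. On a real fleet, record this from a trusted build.
CLEAN_BASELINE = {"cachuri.dll", "cachhttp.dll", "loghttp.dll", "static.dll"}

# Constructed applicationHost.config fragment; the last entry imitates the
# deployment described in the article (a look-alike DLL dropped into inetsrv).
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="CacheModule" image="%windir%\System32\inetsrv\cache.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def audit_global_modules(config_xml: str, baseline: set[str]) -> list[dict]:
    """Return one finding per <globalModules><add> entry that is suspicious.

    An entry is reported when its DLL file name is absent from the clean
    baseline (the durable check: an attacker can pick any name) or when the
    name matches one ESET observed for IISpy (a weak, name-based indicator).
    """
    root = ET.fromstring(config_xml)
    findings = []
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            # ntpath handles Windows-style paths regardless of the host OS.
            filename = ntpath.basename(image).lower()
            reasons = []
            if filename in IISPY_REPORTED_NAMES:
                reasons.append("file name matches one reported for IISpy")
            if filename not in baseline:
                reasons.append("not in clean baseline")
            if reasons:
                findings.append({"name": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_global_modules(SAMPLE_CONFIG, CLEAN_BASELINE):
        print(f"{finding['name']}: {finding['image']} -> {'; '.join(finding['reasons'])}")
```

On a live server the file to feed in is `%windir%\System32\inetsrv\config\applicationHost.config`. The baseline comparison is the check worth keeping: the two file names are only what ESET saw in this campaign, and a look-alike name next to genuine modules such as cachuri.dll or loghttp.dll is exactly the kind of entry a name-only filter would miss.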

Indicators of Compromise





For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.
