An internet security company, ESET has uncovered a new undocumented backdoor which disguises as an extension for Internet Information Services(IIS) for the espionage on target host. The malware tricks the victim by interfering with the servers logging mechanism to stay under the radar on infected machine for achieving its objectives.
Experts believe that this backdoor seems be active atleast from July2020 and was using the privilege escalation tool named “Juicy Potato” during the campaign. “We suspect the attackers first obtain initial access to the IIS server via some vulnerability, and then use Juicy Potato to obtain the administrative privileges that are required to install IISpy as a native IIS extension.” reads the blog post.
During the analysis, the team has observed that IISpy can see all kinds of traffic received at the compromised IIS server which can be modified as per the requirement for attack such as communicating with the CnC server.
“The operator (not the backdoor) initiates the connection by sending a special HTTP request to the compromised server. The backdoor recognizes the attacker request, extracts and executes the embedded backdoor commands, and modifies the HTTP response to include the command output.” stated by the ESET researchers.
The list of commands supported by the backdoor are:
- Get system information
- Upload/download files
- Execute files or shell commands
- Create a reverse shell
- Create/list/move/rename/delete files and folders
- Create a mapping between a local and a remote drive
- Exfiltrate collected data
Experts also observed that “IISpy is implemented as a native IIS module – a C++ DLL deployed in the %windir%\system32\inetsrv\ or the %windir%\SysWOW64\inetsrv folder on the compromised IIS server, under the name cache.dll or logging.dll.”
Indicators of Compromise
–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1