Anatomy of Native IIS Malware

Conference:  BlackHat USA 2021



Understanding and detecting IIS malware
  • IIS malware is active and used for cyber crime and espionage
  • Reverse engineering and analyzing malicious IIS modules can help prevent exploitation
  • Identifying implemented handlers and analyzing them is crucial
  • IIS malware processes HTTP requests and can be categorized into backdoors, info stealers, webshells, loaders, and bots
  • Attackers use various techniques to mark their HTTP requests as attacker requests
  • Defenders can use IOCs and rules to detect IIS malware
IIS malware can be difficult to detect and can cause serious damage to servers. One example is the use of backdoors by attackers to remotely control servers and execute commands. These backdoors are passive implants and can be initiated by the attacker through a special HTTP request. The malware can recognize these requests through various techniques, such as specific HTTP headers or hard-coded passwords. However, some malware families use more complex methods, such as calculating NDP hashes of values in the request and rearranging them to ensure it is an attacker request. Defenders need to be aware of these techniques and use IOCs and rules to detect and prevent IIS malware.


Internet Information Services (IIS) is Microsoft web server software for Windows with an extensible, modular architecture. It is not unknown for threat actors to misuse this extensibility to intercept or modify network traffic – IIS malware targeting payment information from e-commerce sites was first reported in 2013.Fast-forward to 2021, and IIS backdoors are being deployed via the recent Microsoft Exchange pre-authentication RCE vulnerability chain, with government institutions among the targets. As they implement OWA via IIS, Exchange email servers are particularly interesting targets for IIS malware.IIS malware should be in the threat model, especially for servers with no security products, yet no comprehensive guide has been published on the topic of its detection, analysis, mitigation and remediation.In this session, we fill that gap by systematically documenting the current landscape of IIS malware, focusing on native IIS modules (implemented as C++ libraries). Based on our analysis of 14 malware families – 10 of them newly reported – we break down the anatomy of native IIS malware, extract its common features and document real-world cases, supported by our full-internet scan for compromised servers.We walk through the essentials of reverse-engineering native IIS malware: dissecting its architecture, module classes, RegisterModule entry-point, request-processing pipeline hooks and malicious event handlers. We discuss parsing and processing HTTP requests, modifying responses and clearing logs.We don't focus on any single threat actor, malware family or campaign, but rather on the whole class of IIS threats – ranging from traffic redirectors to backdoors. We cover curious schemes to boost third-party SEO by misusing compromised servers, and IIS proxies turning the servers into a part of C&C infrastructure.We finish with a live demo showcasing interactions between a compromised server and attacker, and practical steps that defenders can take – using IIS server tools – to identify and remediate a successful compromise.