IISpy is a newly detected backdoor that targets Internet Information Services (IIS), the webserver software developed by Microsoft. The threat can execute attacker-supplied commands, and its anti-detection and evasion techniques are designed to keep IISpy on a compromised server for a long time. The attack chain most likely begins with the threat actors exploiting a vulnerability in the IIS server to gain an initial foothold. They then deploy the privilege escalation tool known as Juicy Potato and use the administrative privileges it yields to install IISpy as a native IIS extension. So far, victims have been found in Canada, the USA and the Netherlands.
IISpy is implemented on the infected system as a native IIS module, dropped into either the %windir%\system32\inetsrv\ or the %windir%\SysWOW64\inetsrv\ folder under a name such as cache.dll or logging.dll. Execution and persistence are achieved by registering the module as an IIS extension in the %windir%\system32\inetsrv\config\ApplicationHost.config configuration file, so it is loaded every time the IIS worker process starts. Because the registration lives in that file, an entry there that does not match the modules shipped with the server's IIS build is the most direct host-side indicator of this kind of implant.
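The following script is an added example of that check, not code from ESET or Microsoft. It parses an applicationHost.config, lists every native module registered under `<globalModules>` and enabled under `<modules>`, and flags entries whose name is missing from a baseline of known-good module names or whose DLL file name matches the ones reported for IISpy. The baseline set and the sample configuration are constructed for the demonstration; on a real server the baseline should be generated from a clean machine of the same IIS version, and the live file is passed as the first argument.

```python
"""Hunt for native IIS modules that should not be registered.

IIS registers every native module under <globalModules> (name + DLL path) and
enables it under <modules> in applicationHost.config, so a backdoor installed
the way IISpy is leaves an entry in that file. This script diffs the
registered set against a baseline of module names and flags DLL file names
reported for IISpy. Added example; not ESET's or Microsoft's code.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed baseline: a subset of stock IIS module names. In practice build
# this from a known-clean server of the same IIS build.
BASELINE_MODULES = {
    "UriCacheModule", "FileCacheModule", "TokenCacheModule", "HttpCacheModule",
    "StaticFileModule", "DefaultDocumentModule", "DirectoryListingModule",
    "AnonymousAuthenticationModule", "RequestFilteringModule", "HttpLoggingModule",
}

# DLL names the description above reports for IISpy deployments.
SUSPICIOUS_DLL_NAMES = {"cache.dll", "logging.dll"}

# Constructed applicationHost.config fragment with one extra module registered.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="CacheModule" image="%windir%\System32\inetsrv\cache.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="UriCacheModule" />
        <add name="StaticFileModule" />
        <add name="HttpLoggingModule" />
        <add name="CacheModule" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""


def registered_modules(config_xml):
    """Map module name -> DLL image for every <globalModules><add> entry."""
    root = ET.fromstring(config_xml)
    found = {}
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            found[add.get("name")] = add.get("image", "")
    return found


def enabled_modules(config_xml):
    """Names enabled through <modules><add name=.../> at any level of the file."""
    root = ET.fromstring(config_xml)
    return {add.get("name")
            for section in root.iter("modules")
            for add in section.findall("add")}


def find_unexpected_modules(config_xml, baseline=BASELINE_MODULES):
    """Return [(name, image, [reasons], enabled)] for modules that warrant a look."""
    enabled = enabled_modules(config_xml)
    findings = []
    for name, image in registered_modules(config_xml).items():
        reasons = []
        if name not in baseline:
            reasons.append("module name not in baseline")
        # PureWindowsPath handles the backslash paths even when run on Linux.
        if PureWindowsPath(image).name.lower() in SUSPICIOUS_DLL_NAMES:
            reasons.append("DLL name reported for IISpy")
        if reasons:
            findings.append((name, image, reasons, name in enabled))
    return findings


if __name__ == "__main__":
    # On a server pass %windir%\System32\inetsrv\config\applicationHost.config
    # as argv[1]; utf-8-sig strips the BOM the file is written with.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_CONFIG
    for name, image, reasons, enabled in find_unexpected_modules(xml_text):
        state = "enabled" if enabled else "registered only"
        print(f"{name:30} {image}\n    {state}; {'; '.join(reasons)}")
```

A module that is registered but enabled nowhere is still worth recording, since it can be enabled with a one-line change later. Cross-check the file against what IIS itself reports (`appcmd list module` or the `Get-WebGlobalModule` cmdlet) so that an attacker who edits the file and the running configuration inconsistently is caught either way, and hash the DLLs behind any unexpected entry rather than trusting the file name.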
Once loaded as an IIS extension, the module sees every incoming HTTP request on the infected server. IISpy is a passive network implant: it never initiates a connection to its Command-and-Control (C&C, C2) server. Instead, the attackers contact it by sending a specially structured HTTP request, from which the module extracts the embedded backdoor command and executes it. All other HTTP requests are ignored and left to the normal server modules, so ordinary site traffic is unaffected and nothing beacons out. IISpy's command set includes gathering system information, downloading and uploading files, executing shell commands or files, manipulating the file system, creating a mapping between a local and a remote drive, and exfiltrating data.
Unlike other observed IIS backdoors, which are controlled through hardcoded passwords, custom HTTP headers or specific URLs, IISpy recognises its controller requests by a unique structure, which makes the attackers' requests harder to pick out of the server logs. Responses take a different route: the backdoor embeds its reply in a fake PNG image, injecting the data between the PNG file headers so that the response passes as an ordinary image download. All communication in both directions is AES-CBC encrypted and base64 encoded, so the cleartext of commands and results is not recoverable from a capture without the key.
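Because the ciphertext cannot be read without the key, the practical detection angle on the response channel is structural: a PNG is an 8-byte signature followed by nothing but chunks, so any bytes the chunk grammar cannot account for are slack, and a base64 token sitting in that slack is a strong lead. The following is an added example of that check, not ESET's code. The exact layout IISpy uses is not given above, so the parser flags slack anywhere in the chunk stream; the sample "response" is constructed here, with fixed bytes standing in for the AES-CBC ciphertext.

```python
"""Spot data smuggled into a PNG that is really a backdoor response.

Walks the PNG chunk stream (length, type, data, CRC). Wherever no chunk with a
valid CRC starts, the bytes up to the next verifiable standard chunk are
reported as slack and tested for a base64 token. Added example, not ESET's
code; the sample response below is constructed.
"""
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
                   b"pHYs", b"gAMA", b"sRGB", b"cHRM", b"iCCP", b"sBIT", b"tRNS",
                   b"bKGD", b"tIME"}
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def chunk_at(buf, off):
    """(type, data, end_offset) if a chunk with a valid CRC starts at off, else None."""
    if off + 12 > len(buf):
        return None
    (length,) = struct.unpack(">I", buf[off:off + 4])
    ctype = buf[off + 4:off + 8]
    end = off + 12 + length
    if end > len(buf) or not re.fullmatch(rb"[A-Za-z]{4}", ctype):
        return None
    data = buf[off + 8:off + 8 + length]
    (crc,) = struct.unpack(">I", buf[off + 8 + length:end])
    if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
        return None
    return ctype, data, end


def next_standard_chunk(buf, off):
    """Offset of the next standard chunk whose CRC verifies, or None."""
    for i in range(off + 1, len(buf) - 11):
        c = chunk_at(buf, i)
        if c is not None and c[0] in STANDARD_CHUNKS:
            return i
    return None


def find_slack(buf):
    """Return ([chunk types in order], [(offset, slack bytes)]) for a PNG body."""
    if not buf.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    off, chunks, slack = len(PNG_SIG), [], []
    while off < len(buf):
        c = chunk_at(buf, off)
        if c is not None:
            chunks.append(c[0])
            off = c[2]
            continue
        nxt = next_standard_chunk(buf, off)
        slack.append((off, buf[off:] if nxt is None else buf[off:nxt]))
        if nxt is None:
            break
        off = nxt
    return chunks, slack


def decode_slack(slack_bytes):
    """The base64-decoded payload if the slack is a single base64 token, else None."""
    m = B64_TOKEN.fullmatch(slack_bytes.strip())
    if m is None or len(m.group(0)) % 4:
        return None
    return base64.b64decode(m.group(0))


def make_chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


# A minimal valid 1x1 greyscale PNG (IHDR, one filtered scanline in IDAT, IEND).
CLEAN_PNG = (PNG_SIG
             + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + make_chunk(b"IEND", b""))

# Constructed stand-in for an AES-CBC ciphertext (16-byte IV plus two blocks).
FAKE_CIPHERTEXT = bytes(range(48))

# Constructed backdoor-style response: the base64 payload sits between the
# signature and the IHDR chunk, one reading of "between the PNG file headers".
SMUGGLED_PNG = PNG_SIG + base64.b64encode(FAKE_CIPHERTEXT) + CLEAN_PNG[len(PNG_SIG):]

if __name__ == "__main__":
    for label, body in (("clean", CLEAN_PNG), ("smuggled", SMUGGLED_PNG)):
        chunks, slack = find_slack(body)
        print(label, [c.decode() for c in chunks])
        for off, run in slack:
            payload = decode_slack(run)
            print(f"  slack at offset {off}: {len(run)} bytes;"
                  f" base64 payload: {payload.hex() if payload else 'no'}")
```

Run this over image/png response bodies captured at a proxy or network sensor in front of the IIS host and pair any hit with the request that produced it; that request is the controller traffic the server's own logs may not show honestly. Slack after the IEND chunk is lower confidence, since some image tools append trailing data there, while slack before IHDR has no legitimate reason to exist.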
In addition, IISpy implements an OnLogRequest event handler, which IIS calls just before a request is written to the log. This lets the backdoor rewrite the log entries for the attackers' requests so that they appear as normal-looking requests. The consequence for investigators is that the IIS logs on the compromised host cannot be trusted for these requests; corroborate them with logs from an upstream reverse proxy, WAF or network sensor that the implant cannot touch.