In recent cybersecurity developments, sophisticated threat actors have been targeting Windows Internet Information Services (IIS) web servers using malicious native modules. These attacks enable adversaries to intercept and manipulate web traffic stealthily, posing significant risks to organizations worldwide.
Understanding the Attack Vector
The campaign, first identified in February 2025, involves attackers gaining initial access to inadequately managed web servers. Once a foothold is established, they deploy a multi-stage attack chain:
1. Deployment of a .NET Loader Malware: This functions as a WebShell, providing initial remote access.
2. Installation of a Malicious IIS Native Module: This module ensures persistent control over the compromised server.
Attackers abuse legitimate IIS administrative tools to install their malware. For instance, they use the AppCmd.exe utility to register malicious modules, ensuring they are loaded by the IIS worker processes (w3wp.exe).
Technical Mechanisms of the Malicious Module
Once installed, the malicious native module hooks into critical points of the HTTP request pipeline:
– OnGlobalPreBeginRequest: Intercepts every request at the global (server-wide) level, before site-level processing begins.
– OnBeginRequest: Captures the first event in the request-level pipeline.
– OnSendResponse: Lets the module alter response data just before it is transmitted to the client.
The module comprises several malicious classes, each serving distinct functions:
– WebdllServer: Executes ASP files by parsing query strings when the URL contains web.dll.
– RedirectServer: Manipulates HTTP responses to redirect users to attacker-controlled pages.
– AffLinkServer: Injects affiliate banners through malicious cookies or parameters.
– HiJackServer: Responds to hidden URIs for configuration management.
– UploadServer: Provides covert file upload functionality.
Evasion Techniques and Additional Malware
To evade detection, attackers deploy a rootkit utility named HijackDriverManager, which has a Chinese-language interface. This tool uses the Winkbj.sys rootkit driver to hide malicious files, registry keys, and processes from security products.
Compromised systems have also shown signs of Gh0st RAT, a potent backdoor commonly associated with Chinese Advanced Persistent Threat (APT) groups. This malware communicates with command-and-control (C2) servers, facilitating further exploitation.
Attribution and Motivations
Indicators such as the use of Gh0st RAT and Chinese-language components suggest that a Chinese-speaking threat group orchestrates this campaign. The attackers appear motivated by financial gain and data theft, leveraging compromised IIS servers to insert affiliate links into HTTP responses and deploy phishing pages to harvest sensitive information.
Mitigation Strategies
To defend against such sophisticated attacks, server administrators should implement the following measures:
– Apply Security Patches: Regularly update server operating systems with the latest security patches to address known vulnerabilities.
– Enable Behavior-Based Detection: Use security products that offer real-time, behavior-based detection to identify anomalous activity.
– Monitor IIS Module Installations: Closely monitor IIS module installations, especially those performed with AppCmd.exe, to detect unauthorized additions.
– Audit Web Server Configurations: Conduct regular audits of web server configurations to identify and rectify unauthorized changes.
– Implement Access Controls: Enforce strict access controls for administrative functions to limit potential attack vectors.
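As an added illustration of the module-audit step (this is not code from the original article or from the campaign's analysts), the Python script below parses an IIS applicationHost.config, the file in which AppCmd.exe registers native modules, and flags any globalModules entry whose DLL sits outside the IIS install directory or whose name is absent from a known-good baseline. The config fragment, the helper.dll path and the default inetsrv location are constructed or assumed for the example.

```python
import ntpath
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

# Constructed sample applicationHost.config fragment: two stock IIS modules plus one
# registered the way "appcmd install module" would, but loaded from outside inetsrv.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpHelperModule" image="C:\inetpub\temp\helper.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Assumption: a default install, where every stock native module is loaded from here.
TRUSTED_DIR = r"C:\Windows\System32\inetsrv"


def list_global_modules(config_xml: str, windir: str = r"C:\Windows") -> List[Dict[str, str]]:
    """Return each <globalModules><add> entry as {name, image} with %windir% expanded."""
    root = ET.fromstring(config_xml)
    entries = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            image = add.get("image", "").replace("%windir%", windir).replace("%WINDIR%", windir)
            entries.append({"name": add.get("name", ""), "image": ntpath.normpath(image)})
    return entries


def find_suspicious_modules(config_xml: str, baseline: Optional[Set[str]] = None,
                            trusted_dir: str = TRUSTED_DIR) -> List[Dict[str, str]]:
    """Flag modules whose DLL is outside trusted_dir or whose name is missing from a
    known-good baseline (e.g. module names exported from a freshly built server)."""
    trusted_prefix = ntpath.normpath(trusted_dir).lower() + "\\"
    findings = []
    for mod in list_global_modules(config_xml):
        reasons = []
        if not mod["image"].lower().startswith(trusted_prefix):
            reasons.append("image outside " + trusted_dir)
        if baseline is not None and mod["name"] not in baseline:
            reasons.append("name not in baseline")
        if reasons:
            findings.append({**mod, "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_modules(SAMPLE_CONFIG, {"HttpLoggingModule", "StaticFileModule"}):
        print(f"SUSPICIOUS {f['name']}: {f['image']} ({f['reason']})")
```

A DLL dropped inside inetsrv itself would pass the path check, so pair this with the baseline comparison and an Authenticode signature check of each flagged image.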
Broader Context of IIS Server Exploitation
The exploitation of IIS servers is not a novel phenomenon. Historically, these servers have been targeted due to their critical role in hosting web applications and services. Notable instances include:
– Code Red Worm (2001): This worm exploited a vulnerability in IIS, leading to widespread infections and defacements of websites.
– Cranefly Group (2022): Also known as UNC3524, this group utilized IIS web server logs to control malware, demonstrating the evolving tactics of threat actors.
– Lazarus Group (2023): This North Korean state-sponsored group hijacked IIS servers to distribute malware, highlighting the persistent threat to these platforms.
Conclusion
The recent campaign targeting Windows IIS web servers underscores the evolving sophistication of cyber threats. By leveraging native modules and advanced evasion techniques, attackers can maintain prolonged access to compromised systems. Organizations must adopt a proactive security posture, emphasizing regular updates, vigilant monitoring, and comprehensive access controls to mitigate these risks.