A sophisticated cyberattack campaign has recently come to light, targeting Microsoft Internet Information Services (IIS) servers by exploiting longstanding security vulnerabilities. This operation leverages publicly exposed ASP.NET machine keys to deploy malicious modules, facilitating remote command execution and search engine optimization (SEO) fraud.
Discovery and Scope
In late August and early September 2025, cybersecurity analysts identified this campaign affecting approximately 240 server IP addresses and 280 domain names across various sectors, including government agencies, small businesses, and e-commerce platforms. The attackers exploit a critical weakness in ASP.NET viewstate deserialization by utilizing machine keys that have been publicly available since 2003.
Exploitation of ASP.NET Machine Keys
ASP.NET machine keys are cryptographic secrets used to secure viewstate data in web applications. These keys, specifically the `ValidationKey` and `DecryptionKey`, ensure the integrity and confidentiality of viewstate data. However, many developers have copied these keys from public resources, such as online documentation or repositories, leaving their applications vulnerable. Microsoft had previously identified over 3,000 such exposed machine keys in code repositories and programming forums, creating a substantial pool of vulnerable targets. Once attackers obtain these keys, they can manipulate viewstate data to execute arbitrary code on targeted servers without requiring any additional credentials.
Attack Methodology
The attackers initiate their campaign by sending POST requests targeting ASP.NET applications. Logs from compromised systems revealed multiple suspicious requests with Chinese language settings (zh-tw) hitting root pages of vulnerable applications. Following initial access, the attackers deploy a comprehensive toolkit containing 32-bit and 64-bit variants of malicious IIS modules, installation scripts, and a customized rootkit derived from the open-source Hidden project.
Privilege Escalation and Module Deployment
After gaining initial access, the threat actors employ privilege escalation techniques known as EfsPotato and DeadPotato to create hidden local administrator accounts. They then install two malicious DLL files, `scripts.dll` and `caches.dll`, as IIS modules named `ScriptsModule` and `IsapiCachesModule`, respectively. These modules operate at the earliest processing stage of HTTP requests, intercepting traffic before legitimate applications can respond. The installation process includes establishing a working directory and configuring the modules to download additional components from staging servers.
Persistence and Evasion Tactics
To maintain persistence and evade detection, the attackers deploy a customized Windows kernel driver rootkit. This rootkit, a modified version of the publicly available Hidden rootkit, operates as a signed kernel component using an expired certificate from Anneng Electronic Co. Ltd. Despite the certificate’s expiration in 2014, it remains loadable on modern Windows systems due to Microsoft’s driver signing policy exceptions for certificates issued before July 2015. The rootkit provides comprehensive hiding capabilities for files, registry keys, and processes, managed through a companion command-line tool with commands translated into Chinese transliteration.
SEO Fraud and Backdoor Capabilities
The primary purpose of the deployed malicious module, designated HijackServer, appears to be focused on SEO fraud for cryptocurrency investment schemes. When Google’s web crawler requests pages from compromised servers, the module dynamically generates HTML content containing numerous links to dubious cryptocurrency websites. These generated pages successfully appear in legitimate Google search results, demonstrating the effectiveness of the poisoning technique. Additionally, the module exposes an unauthenticated remote command execution capability through a specific URL path, creating a persistent backdoor that any third party could exploit, regardless of whether they coordinated with the original attackers.
Implications and Recommendations
This campaign underscores the critical importance of securing web applications and servers against known vulnerabilities. Organizations are advised to:
– Review and Update Machine Keys: Ensure that ASP.NET machine keys are unique and not sourced from public examples.
– Apply Security Patches: Regularly update IIS servers and associated applications to mitigate known vulnerabilities.
– Monitor Server Logs: Implement continuous monitoring to detect unusual activities, such as unexpected POST requests or unauthorized module installations.
– Restrict Administrative Access: Limit administrative privileges and employ multi-factor authentication to reduce the risk of unauthorized access.
– Deploy Endpoint Detection and Response (EDR) Solutions: Utilize EDR tools to identify and respond to malicious activities promptly.
By proactively addressing these areas, organizations can enhance their security posture and reduce the risk of falling victim to similar sophisticated cyberattacks.
