The first in our series on IIS threats looks at a malicious IIS extension that intercepts server transactions to steal credit card information
ESET researchers have discovered and analyzed a previously undocumented trojan that steals payment information from e-commerce websites' customers. The trojan, which we named IIStealer, is detected by ESET security solutions as Win64/BadIIS.
This blogpost is the first installment in our series where ESET researchers put IIS web server threats under the microscope. For a comprehensive guide to how to detect, analyze and remove IIS malware, refer to our white paper Anatomy of native IIS malware, where IIStealer is featured as one of the studied families (Group 5).
IIStealer is implemented as a malicious extension for Internet Information Services (IIS), Microsoft's web server software. Being a part of the server, IIStealer is able to access all the network communication flowing through the server and steal data of interest to the attackers – in this case, payment information from e-commerce transactions.
As illustrated in Figure 1, IIStealer operates by intercepting regular traffic between the compromised server and its clients (the seller and the buyers), targeting HTTP POST requests made to specific URI paths: /checkout/checkout.aspx or /checkout/Payment.aspx.
Whenever a legitimate website visitor makes a request to these checkout pages (1), IIStealer logs the HTTP request body into a log file (2), without, in any way, interfering with the HTTP reply generated by the components of the legitimate website (3).
Adversaries can then exfiltrate the collected data by making a special HTTP request to the compromised IIS server: once IIStealer detects a request made to a specific URI (/privacy.aspx) with an attacker password included in the X-IIS-Data header (4), it embeds the collected data in the HTTP response for that request (5, 6).
With these capabilities, IIStealer is able to steal credit card information sent to e-commerce websites that don't use third-party payment gateways. Note that SSL/TLS and encrypted communication channels don't secure these transactions against IIStealer, as the malware can access all data handled by the server – which is where the credit card information is processed in its unencrypted state.
The samples of this malware that we analyzed seem to be tailored for specific e-commerce websites (with hardcoded checkout page URIs). According to our telemetry, a small number of IIS servers in the USA were targeted between September 2020 and January 2021, but this is likely affected by our limited visibility into IIS servers – it's still common for administrators not to use any security software on these servers.
IIStealer is implemented as a malicious, native IIS module – a C++ DLL dropped in the %windir%\system32\inetsrv folder on the compromised IIS server and configured in the %windir%\system32\inetsrv\config\ApplicationHost.config file. In some cases, IIStealer is deployed under the name dir.dll and, as seen in Figure 2, uses a forged VERSIONINFO resource to mimic a legitimate Windows IIS module called dirlist.dll.
Because it's an IIS module, IIStealer is loaded automatically by the IIS Worker Process (w3wp.exe), which handles the requests sent to the IIS web server – this is how IIStealer achieves persistence, and how it can affect the processing of incoming requests.
We don't have any information about how the malware is spread, but we know that administrative privileges are required to install it as a native IIS module, which narrows down the candidates for the initial compromise. A configuration weakness or a vulnerability in a web application, or in the server itself, are likely culprits.
As for its technical characteristics, IIStealer implements a core class inherited from CHttpModule (the module class) and overrides the CHttpModule::OnPostBeginRequest method with its malicious code. As with all native IIS modules, IIStealer exports a function named RegisterModule (see Figure 3), where it instantiates the module class and registers its methods for server events – more specifically, it registers for the RQ_BEGIN_REQUEST post-event notification that is generated every time the server starts processing an inbound HTTP request. As a result, the OnPostBeginRequest method is called with each new request, which allows IIStealer to affect the request processing.
In the OnPostBeginRequest handler, IIStealer filters incoming HTTP requests by request URI. All POST requests made to /checkout/checkout.aspx or /checkout/Payment.aspx are logged – along with their full HTTP bodies – into a file named C:\Windows\Temp\cache.txt. These requests are made by legitimate visitors of the compromised e-commerce websites and can contain sensitive information such as personal details and credit card numbers.
The collected data can be exfiltrated via a specially crafted HTTP request from the attacker. This request must have an X-IIS-Data HTTP header set to a hardcoded, 32-byte alphanumeric password (which we have chosen not to disclose), and must be sent to a URL path specified in the malware sample.
Once the malicious module detects such a request, it uses the IHttpResponse::Clear method to discard any HTTP response prepared by the IIS server, and copies the unencrypted contents of the log file into the HTTP response body using the IHttpResponse::WriteEntityChunks API function, as seen in Figure 4.
This allows the operators of IIStealer to access and exfiltrate the collected data by simply sending a special request to the compromised IIS server – there is no need for the malware to implement additional C&C channels, or to embed any C&C server domains in its configuration.
IIStealer is a server-side threat that eavesdrops on the communications between a compromised e-commerce website and its customers, with the aim of stealing sensitive payment information – but of course, malicious IIS modules could also target credentials and other information. Even though SSL/TLS is essential in securing the transmission of data between the client and the server, it doesn't prevent this attack scenario, as IIStealer is a part of the server. This should be disturbing for all serious web portals that want to protect their visitors' data, including authentication and payment information.
The best way to harden an IIS server against IIStealer and other threats is to:
Use dedicated accounts with strong, unique passwords for the administration of the IIS server.
Regularly patch your OS, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation.
Only install native IIS modules from trusted sources.
Consider using a web application firewall and/or an endpoint security solution on your IIS server.
Regularly check the configuration file %windir%\system32\inetsrv\config\ApplicationHost.config, as well as the %windir%\system32\inetsrv and %windir%\SysWOW64\inetsrv folders, to verify that all the installed native modules are legitimate (signed by a trusted provider, or installed on purpose).
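One way to carry out the module audit from the last point above, as an added PowerShell example that is not part of the ESET post: it reads the native modules registered in ApplicationHost.config, checks each DLL's location, Authenticode signature and VERSIONINFO OriginalFilename (IIStealer's dir.dll carried dirlist.dll's version resource), and looks for the staging file the post names. The configuration path, the trusted-directory list and the "Microsoft Corporation" signer check are assumptions.

```powershell
# Added example, not code from the ESET post. Run as Administrator on the IIS host.
# $ConfigPath is an assumption: the default location of applicationHost.config.
param(
    [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
)

# Directories where native modules normally live (assumption based on the post's advice).
$trustedDirs = @("$env:windir\System32\inetsrv", "$env:windir\SysWOW64\inetsrv")
[xml]$cfg = Get-Content -Path $ConfigPath -Raw

# <globalModules> lists every native module DLL that w3wp.exe will load.
$findings = foreach ($m in $cfg.configuration.'system.webServer'.globalModules.add) {
    $image = [Environment]::ExpandEnvironmentVariables($m.image)
    $item  = Get-Item -LiteralPath $image -ErrorAction SilentlyContinue
    $flags = @()
    if (-not $item) {
        $flags += 'image-missing'
    } else {
        # Module DLL outside the two inetsrv folders is worth a closer look.
        if ($trustedDirs -notcontains $item.DirectoryName) { $flags += 'outside-inetsrv' }
        # Unsigned or non-Microsoft signed modules must be ones you installed on purpose.
        $sig = Get-AuthenticodeSignature -FilePath $image
        if ($sig.Status -ne 'Valid') {
            $flags += "signature:$($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $flags += 'non-microsoft-signer'
        }
        # A forged VERSIONINFO copied from another DLL shows up as a name mismatch
        # (e.g. a file named dir.dll whose OriginalFilename says dirlist.dll).
        $orig = $item.VersionInfo.OriginalFilename
        if ($orig -and ($orig -ne $item.Name)) { $flags += "versioninfo-mismatch:$orig" }
    }
    [pscustomobject]@{ Module = $m.name; Image = $image; Findings = ($flags -join ',') }
}

# Flagged modules sort to the top; an empty Findings column means nothing stood out.
$findings | Sort-Object Findings -Descending | Format-Table -AutoSize

# File-based indicator from the post: IIStealer staged captured request bodies here.
$staging = "$env:windir\Temp\cache.txt"
if (Test-Path -LiteralPath $staging) { Write-Warning "Staging file present: $staging" }
```

A flag is a prompt to verify the module against your change records, not a verdict: legitimately installed third-party modules will also show as non-Microsoft signed.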
For web developers: Even if you don't have control over the IIS server where your web service is hosted, you can still take steps to reduce the impact on users of your web service in the case of a compromise, specifically:
Don't send the password itself to the server (not even over SSL/TLS); use a protocol such as Secure Remote Password (SRP) to authenticate users without the unencrypted password, or data that could be used to reauthenticate, ever being transmitted to the server. IIS infostealers are an example of why server-side hashing is not sufficient.
Avoid unnecessarily sending sensitive information to the web application; use payment gateways.
If you identify a successful compromise: notify all parties involved in the security breach so they can take immediate action.
For users: from the visitor's perspective, it is impossible to know whether an IIS server is compromised, but these tips will help you reduce the risk:
Be careful about where you enter your credit card number. Consider using payment gateways from trusted third-party providers on e-commerce websites whose reputation is unknown to you: with payment gateways, such websites won't handle the sensitive payment information.
Keep an eye on your credit card statement for small or unusual payments: often small amounts are charged to test whether the cards are valid.
If you spot something unusual, notify your bank immediately.
Additional technical details on the malware, Indicators of Compromise and YARA rules can be found in our comprehensive white paper, and on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us at: email@example.com.
Stay tuned for the next installments of this series, where we cover malicious IIS extensions used for cyberespionage and SEO fraud.
Indicators of Compromise (IoCs)
MITRE ATT&CK techniques
Note: This table was built using version 9 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1587.001 | Develop Capabilities: Malware | IIStealer is a custom malware family. |
| Execution | T1569.002 | System Services: Service Execution | The IIS server (and by extension, IIStealer) persists as a Windows service. |
| Persistence | T1546 | Event Triggered Execution | IIStealer is loaded by the IIS Worker Process (w3wp.exe) when the IIS server receives an inbound HTTP request. |
| Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | IIStealer has been deployed under the name dir.dll, in an attempt to mimic a legitimate Microsoft IIS module called dirlist.dll. |
| Defense Evasion | T1027 | Obfuscated Files or Information | IIStealer uses string stacking in an attempt to avoid some string-based detection. |
| Credential Access | T1056 | Input Capture | IIStealer intercepts network traffic between the IIS server and its clients to collect sensitive information such as credit card details. |
| Collection | T1119 | Automated Collection | IIStealer automatically collects information from inbound HTTP requests, such as credit card details. |
| Collection | T1074.001 | Data Staged: Local Data Staging | IIStealer uses a local file to stage collected information. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Adversaries send HTTP requests to the compromised IIS server to control IIStealer. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | IIStealer uses its C&C channel to exfiltrate collected data: HTTP requests are sent by the adversary to the compromised IIS server. |