Hi @ChrisB3127,
There are currently no articles dedicated to an official response to this malware. But according to research from the Microsoft 365 Defender Research team, attackers are increasingly using Internet Information Services (IIS) extensions as covert backdoors to servers. These backdoors hide deep within the target environment and provide attackers with a persistent persistence mechanism.
This Microsoft blog illustrates a new trend in which attackers have been leveraging IIS extensions to covertly backdoor Windows servers. Malicious IIS extensions quietly open persistent backdoors into servers.
As stated in this blog posted by Pieter Arntz, there are several steps you can take to minimize the risk and consequences of malicious IIS extensions:
- Keep your server software up to date to minimize the risk of infection.
- Use security software that also covers your server.
- Regularly check for IIS modules loaded on exposed IIS servers, especially Exchange servers, using existing tools in the IIS server suite.
- Deploy a backup strategy and create regular backups for easy deployment when needed.
- Review licensing and access policies and incorporate credential hygiene.
- Prioritize alerts for server compromise patterns. It helps catch attacks during the exploration phase, the period when an attacker spends time exploring the environment after gaining initial access.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the email notification for this thread.
Best regards,
Yurong Dai
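As an added example of the "regularly check for IIS modules" step above (this script is not part of the answer and is not Microsoft's own tooling), the PowerShell below enumerates the native (global) and managed IIS modules registered at server level with the WebAdministration cmdlets and flags anything that is not on a baseline, lives outside the inetsrv directory, or lacks a valid Microsoft Authenticode signature. The baseline lists are placeholders you must generate from a known-clean server of the same role; the flags are review hints, not verdicts.

```powershell
# Added example, not from the original post or from Microsoft: audit the IIS modules
# registered on this server. Native (global) modules are checked against a baseline
# of expected image paths, their on-disk location and their Authenticode signature;
# managed modules are listed against a baseline of expected .NET type names.
# Requires the WebAdministration module (installed with the IIS management tools).
Import-Module WebAdministration -ErrorAction Stop

# Baselines are placeholders (assumption): build them once on a known-clean server
# with  Get-WebGlobalModule | Select-Object Name, Image  and
#       Get-WebManagedModule | Select-Object Name, Type   and keep them under change control.
$NativeBaseline = @(
    '%windir%\System32\inetsrv\cachuri.dll',
    '%windir%\System32\inetsrv\static.dll',
    '%windir%\System32\inetsrv\defdoc.dll'
)
$ManagedBaseline = @(
    'System.Web.Security.FormsAuthenticationModule',
    'System.Web.Caching.OutputCacheModule'
)

$Inetsrv = Join-Path $env:windir 'System32\inetsrv'

function Test-NativeModule {
    # $Module is one object returned by Get-WebGlobalModule (Name, Image, PreCondition)
    param([Parameter(Mandatory)] $Module)
    $flags = @()
    $path  = [Environment]::ExpandEnvironmentVariables($Module.Image)

    if ($NativeBaseline -notcontains $Module.Image) { $flags += 'NotInBaseline' }

    if (-not (Test-Path -LiteralPath $path)) {
        $flags += 'ImageMissing'
    } else {
        # Built-in native modules ship in %windir%\System32\inetsrv; anything elsewhere
        # (a temp folder, a web root, a user profile) deserves a closer look.
        if (-not $path.StartsWith($Inetsrv, [StringComparison]::OrdinalIgnoreCase)) {
            $flags += 'OutsideInetsrv'
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $flags += "Signature:$($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $flags += 'NonMicrosoftSigner'
        }
    }

    [PSCustomObject]@{
        Kind         = 'Native'
        Name         = $Module.Name
        Image        = $path
        PreCondition = $Module.PreCondition
        Flags        = ($flags -join ',')
    }
}

function Test-ManagedModule {
    # $Module is one object returned by Get-WebManagedModule (Name, Type, PreCondition)
    param([Parameter(Mandatory)] $Module)
    $flags = @()
    if ($ManagedBaseline -notcontains $Module.Type) { $flags += 'NotInBaseline' }

    [PSCustomObject]@{
        Kind         = 'Managed'
        Name         = $Module.Name
        Image        = $Module.Type
        PreCondition = $Module.PreCondition
        Flags        = ($flags -join ',')
    }
}

$results = @()
$results += Get-WebGlobalModule  | ForEach-Object { Test-NativeModule  -Module $_ }
$results += Get-WebManagedModule | ForEach-Object { Test-ManagedModule -Module $_ }

$results | Format-Table Kind, Name, Image, Flags -AutoSize

$suspect = @($results | Where-Object { $_.Flags -ne '' })
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} module(s) need review; compare against change records " +
                   "and the known-clean baseline before removing anything." -f $suspect.Count)
}
```

Run it in an elevated PowerShell session on the IIS host (the WebAdministration cmdlets read applicationHost.config, which requires administrator rights). Server-level modules are only part of the picture: a module can also be registered per site or per application in a web.config, so for a full sweep repeat `Get-WebManagedModule -PSPath "IIS:\Sites\<site name>"` for each site returned by `Get-Website`. Schedule the script and diff its output over time; a module that appears between two runs with no matching change record is exactly the pattern the answer recommends watching for.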