Malware Spotlight: IIS Webserver Threat

Malicious modules for Internet Information Services (IIS) webserver software have been distributing malware and threatening e-commerce transactions and emails. This type of threat inserts itself in the middle of the server's communication: it intercepts incoming requests to the IIS server and tampers with the way the server responds to them. This malware can be used for cybercrime, cyber espionage, fraud and SEO (Search Engine Optimization) fraud.

There are currently as many as 14 malware families involved in this sort of attack.

The malware can create backdoors that allow remote code execution, intercept traffic to steal information, modify responses in order to serve malicious content, compromise websites with malware and adware, and turn the compromised server into a C2 for the malware.

Attackers need to obtain elevated permissions in order to access the IIS server. Therefore, it is extremely important to use dedicated administrator accounts with strong and unique passwords. Stay current with patching and deploy endpoint security solutions, if possible.
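Because this threat runs as a native IIS module, one defender-side check that follows from the article is to review which native modules the server actually loads. The script below is an added example, not code from the article: it reads the default IIS configuration file and flags modules that are missing, unsigned, or located outside the IIS install directory. The file path is the IIS default and the flagging rule is an assumption for illustration.

```powershell
# Added example: inventory the native (DLL) modules IIS loads and flag suspicious ones.
# Assumes a default IIS install; run from an elevated PowerShell session.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$inetsrv    = Join-Path $env:windir 'System32\inetsrv'

[xml]$config = Get-Content -LiteralPath $configPath -Raw

# <globalModules> lists native modules; managed (.NET) modules live in <modules>.
$modules = $config.configuration.'system.webServer'.globalModules.add

$report = foreach ($m in $modules) {
    # Image paths in the config are usually written with %windir%; expand them first.
    $image  = [Environment]::ExpandEnvironmentVariables($m.image)
    $exists = Test-Path -LiteralPath $image

    $sigStatus = 'FileMissing'
    $signer    = ''
    if ($exists) {
        $sig       = Get-AuthenticodeSignature -LiteralPath $image
        $sigStatus = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    $inInetsrv = $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)

    # Assumed rule: anything missing, not validly signed, or loaded from an
    # unusual location deserves a manual look. Some catalog-signed OS binaries
    # can report a status other than Valid on older systems, so review rather
    # than delete on this flag alone.
    [pscustomobject]@{
        Name       = $m.name
        Image      = $image
        InInetsrv  = $inInetsrv
        Signature  = $sigStatus
        Signer     = $signer
        Suspicious = (-not $exists) -or (-not $inInetsrv) -or ($sigStatus -ne 'Valid')
    }
}

# Suspicious entries first, so they are visible at the top of the table.
$report | Sort-Object -Property @{Expression = 'Suspicious'; Descending = $true}, Name |
    Format-Table -AutoSize
```

Compare the list against a known-good baseline from a freshly installed server of the same version; an unexpected module name or a DLL outside the IIS directory is the kind of artefact this threat leaves behind.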
