Cybercriminals are increasingly using malicious IIS web server extensions as a backdoor, due to their lower detection rates in comparison to web shells.

Use of IIS extensions as backdoors

Between January and May, the attackers targeted Exchange servers and deployed IIS extensions to gain access to victims' email mailboxes, steal credentials and sensitive data, and run commands.
  • After reconnaissance, it dumps credentials and uses a remote access method for a short duration. 
  • Then attackers install a custom IIS backdoor, FinanceSvcModel[.]dll, in the folder C:\inetpub\wwwroot\bin\.
  • This backdoor has built-in functions to perform Exchange management operations. This includes listing installed mailbox accounts and exporting mailboxes for exfiltration.
  • In the same attacks, web shells were dropped at this specific path %ExchangeInstallPath%\FrontEnd\HttpProxy\owa\auth\ by using the ProxyShell exploit.

Why use the IIS extension?

IIS extensions are hidden deep inside the compromised servers and use the same structure as genuine modules. Thus, they provide attackers a durable persistence mechanism, which can survive even the updates made to the server.

Additional insights 

Attackers used a plethora of additional tools and tricks to carry out the attacks:
  • They enabled WDigest registry settings among other things to steal the actual password, instead of the hash. Later, they used Mimikatz to dump local credentials and perform a DCSYNC attack.
  • Next comes the plink[.]exe tool to bypass any network restrictions and remotely access the server via tunneled RDP traffic.
  • Additionally, the attackers use PowerShDLL toolkit (an open-source project to execute PowerShell without invoking powershell(.)exe) for running remote commands.

Other IIS malware

  • Last month, an IIS malware, SessionManager, was used without being detected since March 2021 in attacks aimed at government and military entities from Asia, the Middle East, Africa, and Europe.
  • In December 2021, Owowa malware was delivered as IIS extensions onto Exchange servers to run commands and remotely steal credentials. It was loaded as a module within an IIS server.


IIS modules are usually not used as backdoors as compared to general web application threats such as web shells. Thus, it becomes challenging to detect these backdoors during file monitoring efforts. For protection, restrict access to IIS virtual directories and keep Exchange servers updated.
Cyware Publisher