IISpy Backdoor Goes After Microsoft IIS Servers

The IISpy Backdoor is a dangerous Trojan, which targets a particular Windows service – the Internet Information Services (IIS). The goal of the malware is reconnaissance and espionage. This is why it focuses on tasks that would allow it to evade detection and persist for as long as possible. According to experts, the first samples of the IISpy Backdoor date back to July 2020, so it seems that this Trojan has been in use for over a year. The criminals are relying on a wide range of privilege escalation exploits and tools to give the implant the ability to manipulate Windows settings.

What is surprising about the backdoor is that it works like an extension for IIS servers. This may make detection even more difficult. Furthermore, it shows that the authors of the IISpy Backdoor are very familiar with the functionality and performance of Windows Internet Information Services.

What does the IISpy Backdoor do?

Since it runs as an extension for IIS, the IISpy Backdoor is able to easily spy on HTTP traffic and mix its own communication with legitimate network requests. This makes detection more difficult unless the victim uses the appropriate network monitoring tools to capture the shady connections. After the backdoor compromises a server successfully, its operators gain the ability to perform the following tasks:

  • Receive hardware and software details about the victim.
  • Upload or download files.
  • Execute files and remote commands.
  • Open a reverse shell.
  • Manage files and folders on the infected machine.
  • Exfiltrate files.

Typically, IIS malware is a lot noisier when it comes to communicating with the remote server or exfiltrating data. It relies on specific HTTP headers or special passwords and keys to complete tasks such as remote code execution. IISpy Backdoor, however, uses a more advanced technique, which makes fingerprinting the dangerous packets much more difficult.


So far, there is not enough information to determine the infection vectors used to deliver the IISpy Backdoor. Furthermore, researchers have been unable to link any threat group to this campaign. Attacks like the one in question can be thwarted by using proper network security protocols, policies, and antivirus software.
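
Since the backdoor runs as an IIS extension, one defensive check is an inventory of the modules registered with IIS, together with the signature status and hash of each binary. The script below is an added example, not part of the original article or of any vendor tooling; it assumes the WebAdministration PowerShell module is available on the server, and the baseline file name is a placeholder.

```powershell
# Added example (not from the article): audit the modules registered with IIS.
# Run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

function Get-IisModuleAudit {
    # Get-WebGlobalModule lists the native modules from <globalModules>
    # in applicationHost.config (Name, Image, PreCondition).
    foreach ($module in Get-WebGlobalModule) {
        # Image paths are stored with variables such as %windir%.
        $path   = [Environment]::ExpandEnvironmentVariables($module.Image)
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $sig    = $null
        $hash   = $null
        if ($exists) {
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            Name      = $module.Name
            Image     = $path
            Exists    = $exists
            Signature = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256    = $hash
        }
    }
}

$audit = Get-IisModuleAudit

# Modules that need a closer look: missing on disk, or without a valid signature.
$audit | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } |
    Format-Table Name, Image, Signature, Signer -AutoSize

# Keep the full inventory so later runs can be compared against it.
# The output path is a placeholder chosen for this example.
$audit | Export-Csv -Path .\iis-modules-baseline.csv -NoTypeInformation
```

A status other than Valid is a reason to investigate the module, not proof of compromise, since some legitimate third-party modules are unsigned. Comparing a later run against the saved inventory shows any module that was added or whose hash changed.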

August 11, 2021