New C++-Based IIS Malware Mimics cmd.exe to Evade Detection

A recent discovery by Palo Alto Networks’ Unit 42 has shed light on sophisticated malware targeting Internet Information Services (IIS) servers.

This malware, developed in C++/CLI, a rare choice for malware authors, has been designed to mimic the behavior of cmd.exe to evade detection.

The malware operates as a passive backdoor, integrating itself into the IIS server by registering for HTTP response events.

It filters incoming HTTP requests for specific headers, which are used to execute commands.

The commands and data are encrypted using AES and then Base64-encoded, adding a layer of complexity to its operations.

Technical Analysis

The malware has two versions, both of which were uploaded to VirusTotal from Thailand.

The newer version, compiled on May 9, 2023, employs a custom cmd.exe wrapper tool to execute commands, reducing the visibility of its activities by avoiding direct cmd.exe invocation from the IIS process.

This wrapper application is embedded within the malware and communicates via a named pipe, allowing it to redirect command-line commands from the command and control (C2) server and return results.

The malware supports a range of commands, including file management, process execution, and system information retrieval.

According to the Report, it also patches AMSI and ETW routines to evade detection by security software.

The use of C++/CLI for this malware is notable due to its rarity in the malware landscape.

This choice likely stems from the language’s ability to combine managed and unmanaged code, making analysis more challenging.

The malware’s sophistication and targeted nature suggest it may have been used in specific attacks, although attribution to a known threat actor remains elusive.

Detection and Protection

Palo Alto Networks’ Advanced WildFire and Cortex XDR/XSIAM solutions offer enhanced protection against this malware by leveraging memory analysis and behavioral threat protection.

These tools can identify and block both known and unknown malware, providing a robust defense mechanism against such sophisticated threats.

As the cybersecurity landscape continues to evolve, staying informed about emerging threats and employing advanced security solutions is crucial for organizations seeking to protect their infrastructure.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!