New malware targets government servers and e-commerce transactions

ESET, the proactive digital threat detection company, has discovered a set of previously undocumented malware families. The new families, masquerading as malicious extensions to the Internet Information Services (IIS) web server software, target government servers and websites that perform e-commerce transactions.

  • Analysis shows details of hospital data hijacking ransomware
  • Ransomware remains top digital threat in August
  • Formbook dominates the world ranking of malware in August

IIS is a software for Windows web servers running on an extensible modular architecture, meaning users can add new functions or withdraw tools. It is used for managing and hosting web pages. In the research that identified the undocumented malware, ESET only evaluated the program’s native modules, in this case modules that run at the server level. The study found more than 55 new virus specimens, and classified them into 14 threat families, of which 55 these had not been previously catalogued.

For Camilo Gutiérrez Amaya, head of the Research Laboratory at ESET Latin America, these findings are worrying, as it is still rare for security software to be used on IIS servers, making it easier for attackers operate undetected for long periods.

Want to catch up on the best tech news of the day? Go and subscribe to our new channel on youtube, Canaltech News.

Every day a summary of the main news in the tech world for you!

How new threats work

ESET’s research identified that administrator access is required for malicious modules to be installed. Taking this into account, the research speculates that the infection can happen in two ways: modules modified with a Trojan, which, when installed, download the necessary malware; and use of configuration failures in IIS to hack and install non-legitimate content.

Image of the path the malware takes (Image: Playback/ESET)

As for what the malware is looking for, ESET’s research makes it clear that regardless of which of the 80 families is responsible for the attack, they all try to modify the way the IIS server responds to requests HTTP. However, response modification depends on each type of virus.

The study identified five modes of operation:

  • Backdoor, which allows criminals to remotely control the computer where IIS is installed;
  • Infostealer, used to steal access credentials and payment information;
  • Input mode , where the virus modifies HTTP responses sent to other servers, in order to infect them;
  • Proxy, which makes the IIS server become an important part the command and control operation of the malware;
  • SEO, which modifies internet access data from the infected server to redirect traffic to other pages, seeking to increase their rankings access on the internet.

For IIS users, ESET has created a series of recommendations that can help prevent or mitigate attacks of these new viruses.

  • Use dedicated accounts with unique and strong passwords for IIS server administration. Request multi-factor authentication (MFA) for these accounts;
  • Periodically install security updates for the operating system and carefully review which services are exposed to the Internet to reduce the risk of server exploit;
  • Consider using a web application firewall and/or endpoint security solution on the IIS server;
  • Only use trusted modules in IIS;
  • Check regularly that all installed modules are legitimate, ie signed by a trusted vendor or that have been intentionally installed.

The complete study, with all the information about the new threats, can be checked here .

Source: ESET

Did you like this article?

Subscribe your email on Canaltech to receive daily updates with the latest news from the world of technology.


Related Articles

Back to top button