Distribution of IIS Malware Targeting Web Servers (Larva-25003)

In February 2025, a Chinese-speaking threat actor exploited poorly managed South Korean IIS web servers using a malicious native module, .NET loader WebShell, and Gh0st RAT to intercept traffic, redirect users, and inject affiliate links for revenue and phishing attacks. (Affected: South Korean web servers, web hosting sector)

Key points:

  • Threat actor targeted poorly managed IIS web servers in South Korea using malware.
  • Installed a malicious IIS native module via AppCmd.exe to intercept and manipulate HTTP requests.
  • The IIS native module hooks into three key IIS events to control HTTP traffic globally.
  • Five malicious classes perform functions like redirecting users, serving affiliate banners, and uploading files.
  • HijackDriverManager utility with rootkit capabilities hides malicious files and registry keys from detection.
  • Gh0st RAT backdoor malware identified, linking the actor to Chinese APT groups.
  • .NET loader malware (WebShell) dynamically loads malicious assemblies in memory to execute commands.
  • Attack enables inserting affiliate links for revenue generation and redirecting users to phishing pages.
  • Security recommendations include applying updates and using behavior-based real-time detection tools.
  • Indicators such as MD5 hashes and attacker C2 IP address are provided for detection.

MITRE Techniques:

  • Initial Access (T1190) – Exploiting poorly managed web servers to gain entry.
  • Module and DLL Loading (T1129) – Installing malicious IIS native module using appcmd.exe command.
  • Process Injection (T1055) – Loading malicious DLL (caches.dll) into w3wp.exe process memory.
  • Web Shell (T1505.003) – Using .NET loader malware to execute web shell functions dynamically.
  • Rootkit (T1014) – Using HijackDriverManager utility to hide malware files and registry keys.
  • Command and Control (T1071.001) – Gh0st RAT communicating with C2 server 47.236.9[.]229:10086.
  • Data Manipulation (T1565) – Intercepting and modifying HTTP responses to redirect or inject content.
  • Phishing (T1566) – Redirecting users to phishing pages via manipulated HTTP responses.

Indicators of Compromise:

  • The article provides MD5 hashes of malicious files such as the IIS native module and .NET loader DLLs.
  • A specific Command and Control IP address (47.236.9[.]229 on port 10086) linked to Gh0st RAT is identified.
  • File names like “caches.dll” and “HijackDriverManager” are associated with the malware components.
  • The AppCmd.exe command syntax used to install the module can serve as a basis for detecting malicious native module installations.
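Since AppCmd.exe "install module" registers a native module under <system.webServer><globalModules> in applicationHost.config, one defender-side check is to audit that section for modules whose image path lies outside the inetsrv directory or whose file name matches a reported indicator. The following is an added example (not code from the ASEC article); the trusted directory list and the sample config are assumptions constructed for the demo.

```python
# Added example (not from the ASEC article): audit an IIS applicationHost.config
# for native modules that look out of place. AppCmd.exe "install module" writes an
# <add name="..." image="..."/> entry under <system.webServer><globalModules>; a
# module whose image lives outside %windir%\System32\inetsrv deserves a closer look.
import re
import xml.etree.ElementTree as ET

# Directories where legitimate IIS native modules normally live (assumption: adjust per host).
TRUSTED_DIRS = (r"%windir%\system32\inetsrv", r"c:\windows\system32\inetsrv")
# File name reported in the article as the malicious native module.
KNOWN_BAD_NAMES = {"caches.dll"}

def audit_global_modules(config_xml: str) -> list:
    """Return (name, image, reason) for each suspicious <globalModules> entry."""
    root = ET.fromstring(config_xml)
    findings = []
    for gm in root.iter("globalModules"):
        for mod in gm.findall("add"):
            name = mod.get("name", "")
            image = mod.get("image", "")
            low = image.lower()
            base = re.split(r"[\\/]", low)[-1]
            if base in KNOWN_BAD_NAMES:
                findings.append((name, image, "file name matches known IoC"))
            elif not any(low.startswith(d.lower()) for d in TRUSTED_DIRS):
                findings.append((name, image, "image outside inetsrv directory"))
    return findings

# Constructed sample: two standard modules plus one registered from a web-writable path.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticCompressionModule" image="%windir%\\System32\\inetsrv\\compstat.dll" />
      <add name="CacheModule2" image="C:\\inetpub\\wwwroot\\bin\\caches.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for name, image, reason in audit_global_modules(SAMPLE_CONFIG):
        print(f"[!] {name}: {image} ({reason})")
```

On a live host, run it against a copy of C:\Windows\System32\inetsrv\config\applicationHost.config; because the article describes a rootkit component that hides files, also compare the listed images with an independent disk listing rather than trusting the file system view alone.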


Read more: https://asec.ahnlab.com/en/87804/
