Windows IIS Servers Compromised
Expired Certificate Notice Pages Were Added to the Servers Prompting Visitors to Download a Malicious Phony Installer.
Threat actors compromised Windows IIS servers and added fake certificate-expiry notification pages that urge visitors to download a malicious installer.
Internet Information Services (IIS) is Microsoft's web server software, shipped as an installable Windows component since Windows 2000, XP and Server 2003.
The message shown on the malicious certificate expiration error pages reads:
Detected a potential security risk and has not extended the transition to [sitename]. Updating a security certificate may allow this connection to succeed. NET::ERR_CERT_OUT_OF_DATE.
Researchers at Malwarebytes Threat Intelligence found that the malware was delivered by a fake update installer signed with a DigiCert-issued certificate. Two points for defenders: a genuine certificate warning is rendered by the browser itself, is never served as page content by the website, and never offers a file to download; and a valid code-signing signature only proves that the binary was signed with a key a CA issued, not that the signer is trustworthy, so signature status alone is not a safety signal.
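A scan for this kind of injected lure, added here as an example that is not part of the original report or of Malwarebytes' tooling: it walks an IIS web root and flags pages that carry a Chromium-style NET::ERR_CERT_* error code inside server-delivered HTML (a real interstitial is drawn by the browser, not served by the site) together with an installer download link or the "update your certificate" wording. The sample pages are constructed for illustration, the lure wording is the one quoted above, and the file extensions scanned, the default web-root path and the heuristics are my assumptions.

```python
"""Scan an IIS web root for injected 'certificate expired' lure pages.

Added example; not code from the report or from Malwarebytes. Two things
never appear together in legitimate server content: a browser-internal
certificate error code (NET::ERR_CERT_*) in HTML the site itself serves,
and a link pushing the visitor to download an installer. The sample pages
at the bottom are constructed; the lure wording is the one quoted in the
report.
"""
import re
import sys
from pathlib import Path

# Error codes only the browser's own interstitial should ever display.
ERROR_TOKEN = re.compile(r"NET::ERR_CERT_[A-Z_]+|SEC_ERROR_[A-Z_]+")
# href/src/action pointing at something a visitor would execute (assumed extension list).
INSTALLER_LINK = re.compile(
    r"(?:href|src|action)\s*=\s*[\"'][^\"']*\.(?:exe|msi|zip|js|hta)[\"']", re.I)
LURE_PHRASES = ("security certificate", "update certificate", "certificate update")
SCAN_SUFFIXES = {".html", ".htm", ".asp", ".aspx", ".js"}  # assumed


def score_page(html: str) -> dict:
    """Return which indicators one HTML document contains."""
    lowered = html.lower()
    return {
        "browser_error_code": ERROR_TOKEN.search(html) is not None,
        "installer_link": INSTALLER_LINK.search(html) is not None,
        "lure_phrase": any(p in lowered for p in LURE_PHRASES),
    }


def is_lure(html: str) -> bool:
    """Flag a page that shows a browser error code AND pushes a download or
    tells the visitor to update a certificate. A help article that merely
    names an error code is not flagged."""
    s = score_page(html)
    return s["browser_error_code"] and (s["installer_link"] or s["lure_phrase"])


def scan_webroot(root: Path) -> list:
    """Return paths under root whose content matches the lure pattern."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            try:
                content = path.read_text(errors="ignore")
            except OSError:
                continue
            if is_lure(content):
                hits.append(path)
    return hits


# Constructed samples: an injected lure, a clean page, and a legitimate help
# page that mentions an error code without pushing a download.
LURE_SAMPLE = """<html><body>
<h1>Your connection is not private</h1>
<p>Detected a potential security risk and has not extended the transition to example.com.
Updating a security certificate may allow this connection to succeed. NET::ERR_CERT_OUT_OF_DATE.</p>
<a href="/update/Certificate-Update-Installer.exe">Update certificate</a>
</body></html>"""
CLEAN_SAMPLE = """<html><body><h1>Welcome</h1>
<p>Download our brochure: <a href="/files/brochure.pdf">PDF</a></p></body></html>"""
HELP_SAMPLE = """<html><body><h2>Troubleshooting</h2>
<p>If your browser shows NET::ERR_CERT_DATE_INVALID, check the system clock.</p></body></html>"""

if __name__ == "__main__":
    # Default is the standard IIS web root; pass another path as argv[1].
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(r"C:\inetpub\wwwroot")
    for hit in scan_webroot(root):
        print("possible injected lure page:", hit)
```

Run it against the web root of each IIS server, and also against any application directories IIS maps outside `wwwroot`; a hit is a starting point for manual review, not proof on its own, since the heuristics are deliberately loose.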
TVRAT, also known as TVSPY, TeamSpy, TeamViewerENT or Team Viewer RAT, is the payload dropped on infected systems.
TVRAT is malware designed to give its operators full remote access to infected hosts; it works by silently installing and launching an instance of the TeamViewer remote-control software.
Remote access trojans (RATs) are malicious programs that let attackers access, monitor and control the computers they infect.
The key distinction between legitimate remote administration tools such as TeamViewer and a RAT is that the RAT is installed without the user's knowledge or consent. TVRAT hides by masquerading as the genuine TeamViewer program: the process it runs is a real TeamViewer instance, which is what makes it hard to spot.
Once that hidden instance is running, the malware reports to a command-and-control (C2) server, letting the attackers know that they can take complete remote control of the newly compromised computer.
TVRAT was first seen in 2013, when it was delivered as malicious attachments in spam campaigns that tricked targets into enabling Office macros.
While it is not known how the attackers compromised these IIS servers, there are several ways to do so.
For example, proof-of-concept exploit code for a wormable vulnerability in the HTTP Protocol Stack (HTTP.sys), the kernel-mode driver the Windows IIS web server is built on, has been publicly available since May.
The flaw (CVE-2021-31166) was patched by Microsoft in the May Patch Tuesday update and affects only Windows 10 versions 2004 and 20H2 and Windows Server versions 2004 and 20H2.
No in-the-wild exploitation has been reported since, and most potential targets were likely never exposed: home users on the affected Windows 10 versions would have received the patch automatically, and businesses rarely run the newest Windows Server releases on internet-facing systems.
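A quick exposure check for CVE-2021-31166, added here as an example that is not from the report or from Microsoft: it reads the OS build and update revision (UBR) from the registry and applies the three gates the paragraph above describes (affected release, patch level, and whether anything is actually listening on the HTTP ports). The fixed-revision threshold of 985 (OS builds 19041.985 / 19042.985 from the May 2021 cumulative update) is from memory and is labelled an assumption; confirm it against Microsoft's advisory for CVE-2021-31166 before relying on the result. The sample hosts at the bottom are constructed so the logic can be exercised on a non-Windows machine.

```python
"""Assess a Windows host's exposure to CVE-2021-31166 (HTTP.sys).

Added example; not code from the report or from Microsoft. Only Windows 10
and Windows Server versions 2004 (build 19041) and 20H2 (build 19042) are
affected. FIXED_UBR is an assumption: the May 2021 cumulative update that
shipped the fix carried OS build revision .985 as far as I recall; verify
against the Microsoft advisory for CVE-2021-31166.
"""
import socket
import sys

AFFECTED_BUILDS = {19041: "2004", 19042: "20H2"}
FIXED_UBR = 985  # assumption, see module docstring


def assess(build: int, ubr: int, listening_ports) -> dict:
    """Return a verdict from the build number, update revision and open HTTP ports.

    Three gates, in order: is this an affected release at all, is the fix
    installed, and is the HTTP.sys stack actually reachable on a port.
    """
    release = AFFECTED_BUILDS.get(build)
    if release is None:
        return {"status": "not_affected",
                "detail": f"build {build} is not 2004/20H2"}
    if ubr >= FIXED_UBR:
        return {"status": "patched",
                "detail": f"{release} at revision {ubr} >= {FIXED_UBR}"}
    if not listening_ports:
        return {"status": "vulnerable_not_exposed",
                "detail": f"{release} at revision {ubr}, but nothing listens on HTTP ports"}
    return {"status": "vulnerable_exposed",
            "detail": f"{release} at revision {ubr}, listening on {sorted(listening_ports)}"}


def read_windows_build() -> tuple:
    """Read CurrentBuild and UBR from the registry (Windows only)."""
    import winreg  # module exists only on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion") as key:
        build = int(winreg.QueryValueEx(key, "CurrentBuild")[0])
        ubr = int(winreg.QueryValueEx(key, "UBR")[0])
    return build, ubr


def open_http_ports(ports=(80, 443), host="127.0.0.1") -> set:
    """Ports that accept a local TCP connection; a rough proxy for an HTTP.sys listener."""
    found = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=0.5):
                found.add(port)
        except OSError:
            pass
    return found


# Constructed sample hosts: (build, ubr, listening ports). Revisions are illustrative.
SAMPLE_HOSTS = {
    "web01":  (19042, 964, {80, 443}),   # 20H2, pre-fix revision, IIS listening
    "web02":  (19042, 985, {80, 443}),   # 20H2 with the fix installed
    "build7": (19041, 928, set()),        # 2004, unpatched but nothing listening
    "dc01":   (17763, 1935, {80}),        # Server 2019: not an affected release
}


def dry_run() -> dict:
    """Verdict per constructed sample host."""
    return {name: assess(*spec)["status"] for name, spec in SAMPLE_HOSTS.items()}


if __name__ == "__main__":
    if sys.platform == "win32":
        build, ubr = read_windows_build()
        print(assess(build, ubr, open_http_ports()))
    else:
        for name, status in dry_run().items():
            print(f"{name}: {status}")
```

On a Windows host the script reports the live verdict; elsewhere it runs the constructed samples. The port probe is a local heuristic only: a server that binds HTTP.sys to a non-standard port or a specific interface still needs `netsh http show servicestate` or an external scan to confirm exposure.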
State-sponsored threat actors have, however, used a variety of vulnerabilities to attack internet-facing IIS servers in the past.
In one such campaign, the operators targeted internet-facing Windows servers, mostly through deserialization attacks, to load a custom, entirely memory-resident (fileless) malware platform tailored to the Windows IIS environment.