Unit 42’s analysis revealed that this new C++ based IIS malware command execution framework leverages Windows’ user-mode asynchronous procedure calls (APCs) to queue malicious tasks while maintaining the facade of legitimate cmd.exe activity. Security researchers have uncovered a sophisticated malware strain targeting Microsoft’s Internet Information Services (IIS) web servers, leveraging C++ to deploy advanced evasion techniques and payload delivery mechanisms. The malware employs multiple persistence mechanisms, including registry key modification and service creation, while utilizing Windows Management Instrumentation (WMI) for lateral movement across networks. The malware disguises its core processes as the legitimate Windows command-line utility cmd.exe to bypass detection while executing malicious activities. Unlike traditional IIS malware, this new malware operates exclusively in memory and communicates with command-and-control (C2) servers via encrypted HTTP/2 channels, mimicking standard administrative traffic. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The attackers exploited a vulnerable IIS module to inject malicious code directly into server memory, avoiding file-based detection systems. Palo Alto Networks’ Unit 42 researchers identified the malware during an incident response engagement at a European financial institution. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. Security teams are advised to monitor IIS servers for unusual memory allocations and unexpected cmd.exe instances with open network connections. Attackers inject the malicious payload into a suspended cmd.exe instance, replacing its legitimate code with custom C++ routines. Palo Alto Networks has released detection rules focusing on anomalous WMI event subscriptions and IIS module load patterns. This allows the malware to inherit the trusted process name and evade behavioral analysis tools. Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free. Tushar is a Cyber security content editor with a passion for creating captivating and informative content.
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 17 Mar 2025 12:55:04 +0000