Cybersecurity Alert: Sophisticated IIS Server Hijackings
Introduction to the Threat
A sophisticated cyberattack targeting Microsoft Internet Information Services (IIS) servers has come to light, revealing an alarming exploitation of long-standing security weaknesses. This ongoing campaign leverages exposed ASP.NET machine keys to gain remote command execution, which the attackers then use to run fraudulent search engine optimization (SEO) schemes.
Background of the Attack
First detected in late August and early September 2025, this attack has impacted a diverse array of victims, from government entities to small businesses and e-commerce platforms, affecting around 240 server IPs and 280 domain names. The attackers exploit ASP.NET ViewState deserialization, a weakness long known to security researchers.
The Role of ASP.NET Machine Keys
The core issue at play is the misuse of ASP.NET machine keys, cryptographic secrets that have been publicly accessible since 2003. These keys, initially shared in Microsoft Developer Network (MSDN) documentation as configuration examples, were copied and pasted into production environments by countless administrators, leaving those servers vulnerable. Because the machine key is what ASP.NET uses to sign (and optionally encrypt) ViewState, anyone who holds it can craft ViewState data the server will accept as genuine. Research has uncovered over 3,000 instances of these exposed machine keys in accessible code repositories and programming forums, making it easy for attackers to locate potential targets.
How the Attack Works
With a known machine key, the attackers craft ViewState data that the server accepts as valid and deserializes, letting them execute arbitrary code on vulnerable servers without any additional authentication. Such exploitation can have devastating consequences for organizations, including unauthorized access to sensitive information and manipulation of the services the server provides.
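The practical defensive step that follows from the two sections above is an audit of every web.config for a hard-coded machineKey and replacement of any copied value with a unique one. The script below is an added example and is not code from the article or from any of the parties it describes. It parses the machineKey element ASP.NET reads from web.config, compares the keys against a constructed "known public" list (standing in for keys lifted from documentation or forums), and generates a fresh key pair. The key lengths used (64-byte validation key, 32-byte decryption key) are the sizes IIS Manager produces for HMACSHA256/AES and are an assumption of this example, as is the sample configuration.

```python
"""Audit ASP.NET web.config files for copied machineKey values.

Added example (not from the article). Flags machineKey attributes that
match a list of publicly known keys, flags weak validation algorithms,
and generates a unique replacement key pair.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholder for a key known to be public. A real audit
# would load a curated list; this value is made up for the demo.
PUBLIC_KEY_SAMPLE = "0" * 56 + "DEADBEEF"
KNOWN_PUBLIC_KEYS = {PUBLIC_KEY_SAMPLE}

# Constructed sample web.config that reuses the "public" key above.
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{PUBLIC_KEY_SAMPLE}"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def find_machine_keys(config_xml: str) -> list[dict]:
    """Return the attributes of every <machineKey> element, one dict each."""
    root = ET.fromstring(config_xml)
    return [dict(el.attrib) for el in root.iter("machineKey")]


def audit_machine_key(attrs: dict) -> list[str]:
    """Return findings for a single <machineKey> element."""
    findings = []
    for name in ("validationKey", "decryptionKey"):
        value = attrs.get(name, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue  # generated per machine, so it cannot have been copied
        if value.upper() in KNOWN_PUBLIC_KEYS:
            findings.append(f"{name} matches a publicly known key")
    if attrs.get("validation", "").upper() in ("MD5", "SHA1"):
        findings.append("validation algorithm is weak; use HMACSHA256 or stronger")
    return findings


def generate_machine_key() -> dict:
    """Produce a unique replacement <machineKey> attribute set (assumed sizes)."""
    return {
        "validationKey": secrets.token_hex(64).upper(),  # 64 bytes -> 128 hex chars
        "decryptionKey": secrets.token_hex(32).upper(),  # 32 bytes -> 64 hex chars
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def audit_config(config_xml: str) -> list[list[str]]:
    """Audit every machineKey in one web.config; one findings list per element."""
    return [audit_machine_key(a) for a in find_machine_keys(config_xml)]


if __name__ == "__main__":
    for i, findings in enumerate(audit_config(SAMPLE_WEB_CONFIG)):
        print(f"machineKey #{i}: {findings or 'OK'}")
    new = generate_machine_key()
    print('<machineKey validationKey="%s" decryptionKey="%s" validation="%s" decryption="%s" />'
          % (new["validationKey"], new["decryptionKey"], new["validation"], new["decryption"]))
```

Run it against each site's web.config (and the machine-level web.config in the .NET framework directory); any element with findings should get a freshly generated key, deployed to every node of a web farm so that ViewState still validates across servers.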
Discovery of Malicious Modules
Cybersecurity analysts at HarfangLab identified a specific malicious module called "HijackServer" while monitoring compromised IIS servers. By tracking suspicious activity in server logs—particularly POST requests targeting ASP.NET applications with Chinese language settings—the researchers were able to piece together the initial exploit chain.
The attackers deployed a comprehensive toolkit disguised as “sys-tw-v1.6.1-clean-log.zip,” which contained both 32-bit and 64-bit versions of the malicious IIS modules, installation scripts, and a modified rootkit derived from an open-source project.
Phases of Infection and Control
After breaching a server, the attackers escalated privileges with the publicly available EfsPotato and DeadPotato tools, which let them create hidden local administrator accounts. They then installed two malicious DLL files, scripts.dll and caches.dll, registered as IIS modules named ScriptsModule and IsapiCachesModule; as native modules they can intercept HTTP traffic from the very start of request processing.
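Because a native IIS module must be registered in applicationHost.config before IIS will load it, that file is a natural place to look for ScriptsModule and IsapiCachesModule or any other unexpected entry. The script below is an added example, not code from the article or from HarfangLab. It reads the globalModules section and reports any module whose name is missing from a baseline or whose image lives outside the standard inetsrv directory. The baseline, the sample configuration and the DLL paths are constructed for the demo; only the two module names come from the article.

```python
"""Flag unexpected native IIS modules in applicationHost.config.

Added example (not from the article). Compares <globalModules> entries
against a baseline of expected module names and the expected image
directory; anything else is reported for investigation.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed baseline. A real one is taken from a clean reference server.
EXPECTED_MODULES = {"StaticFileModule", "DefaultDocumentModule", "RequestFilteringModule"}
EXPECTED_IMAGE_DIR = PureWindowsPath(r"C:\Windows\System32\inetsrv")

# Constructed sample applicationHost.config fragment with two rogue modules.
SAMPLE_APPHOST = r"""<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
      <add name="ScriptsModule" image="C:\Windows\Temp\scripts.dll" />
      <add name="IsapiCachesModule" image="%windir%\System32\inetsrv\caches.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def expand(image: str) -> PureWindowsPath:
    """Resolve %windir% with an assumed value; real code would read the host's variable."""
    return PureWindowsPath(image.replace("%windir%", r"C:\Windows"))


def suspicious_modules(apphost_xml: str) -> list[tuple[str, str]]:
    """Return (module name, reason) pairs for entries outside the baseline."""
    root = ET.fromstring(apphost_xml)
    results = []
    for gm in root.iter("globalModules"):
        for mod in gm.findall("add"):
            name = mod.get("name", "")
            image = expand(mod.get("image", ""))
            if name not in EXPECTED_MODULES:
                results.append((name, "module name not in baseline"))
            # PureWindowsPath compares case-insensitively, matching Windows semantics.
            if image.parent != EXPECTED_IMAGE_DIR:
                results.append((name, f"image outside {EXPECTED_IMAGE_DIR}: {image}"))
    return results


if __name__ == "__main__":
    for name, reason in suspicious_modules(SAMPLE_APPHOST):
        print(f"{name}: {reason}")
```

Note that a module copied into the inetsrv directory (as caches.dll is in the sample) only trips the name check, which is why the baseline of names matters as much as the path check; a file hash comparison against the clean reference would be the next step.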
Evasion and Persistence Mechanisms
One of the most striking aspects of this attack is the operational security of the threat actors. They employed a customized Windows kernel driver rootkit, dubbed Wingtb.sys, modified from the publicly available Hidden rootkit. The driver is signed with an expired certificate, and Windows still loads it because Microsoft's driver-signing policy grants exceptions for certificates issued before mid-2015.
Rootkit Features
The rootkit's capabilities include hiding files, registry keys, and processes, controlled via a companion command-line tool named WingtbCLI.exe. Additionally, the attackers ran a post-installation script (lock.bat) that systematically concealed the important artifacts and executed a command to delete all Windows Event log files, a blunt anti-forensics step.
The Module’s Additional Functions
The HijackServer module primarily focuses on search engine optimization (SEO) fraud linked to cryptocurrency investments. When Google crawlers request compromised pages, the module generates HTML content containing links to dubious cryptocurrency sites, so that those links are indexed and surface in legitimate search results.
The module is not purely a fraud tool: it also offers a backdoor for remote command execution through the /scjg URL path, granting whoever knows of it a persistent entry point into the system. This dual function moves the attack from simple SEO manipulation to a more serious security compromise, raising concerns about espionage and broader implications.
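Two indicators in this article can be checked directly in IIS logs: the POST requests to ASP.NET applications with Chinese language settings that HarfangLab used to find the exploit chain, and requests to the /scjg backdoor path. The script below is an added example, not code from the article or from HarfangLab. It parses the #Fields header IIS writes at the top of a W3C log and flags both patterns. Logging the cs(Accept-Language) field is an assumption of this example: it is a custom field that has to be enabled in IIS logging, since the default format does not include it. The log lines are constructed.

```python
"""Scan IIS W3C log lines for indicators described in the article.

Added example (not from the article). Flags requests to the /scjg
backdoor path and POST requests to .aspx pages carrying a Chinese
Accept-Language value. Assumes cs(Accept-Language) is logged.
"""

# Constructed sample log. W3C fields are space separated; IIS encodes
# spaces inside values as '+', so a plain split is sufficient.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Accept-Language) sc-status
2025-09-01 03:12:44 GET /default.aspx - 203.0.113.10 Mozilla/5.0 en-US 200
2025-09-01 03:12:51 POST /default.aspx - 198.51.100.7 Mozilla/5.0 zh-CN,zh;q=0.9 200
2025-09-01 03:13:02 POST /scjg - 198.51.100.7 curl/8.0 - 200
2025-09-01 03:13:10 GET /images/logo.png - 203.0.113.10 Mozilla/5.0 en-US 200
"""

BACKDOOR_PATH = "/scjg"  # URL path named in the article


def parse_w3c(text: str) -> list[dict]:
    """Turn an IIS W3C log into dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # a new #Fields line resets the layout
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def flag(row: dict) -> list[str]:
    """Return the reasons a single log row is worth a closer look."""
    reasons = []
    path = row.get("cs-uri-stem", "").lower()
    if path == BACKDOOR_PATH:
        reasons.append("request to HijackServer backdoor path")
    if (row.get("cs-method") == "POST" and path.endswith(".aspx")
            and row.get("cs(Accept-Language)", "").lower().startswith("zh")):
        reasons.append("POST to ASP.NET page with Chinese Accept-Language")
    return reasons


def scan(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, path, reasons) for every flagged row."""
    hits = []
    for row in parse_w3c(text):
        reasons = flag(row)
        if reasons:
            hits.append((row["c-ip"], row["cs-uri-stem"], reasons))
    return hits


if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {path}: {'; '.join(reasons)}")
```

The Accept-Language check is a triage heuristic rather than proof of compromise; the /scjg hit is the stronger signal, and both should be correlated with the same client address, as the sample does.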
Final Thoughts on Defense
The vulnerabilities exploited in this attack underline a critical need for proactive security measures. Organizations utilizing IIS and ASP.NET must rigorously audit their machine keys, remain vigilant against privilege escalation techniques, and implement advanced detection tools to identify unusual HTTP requests or suspicious file behaviors. The HijackServer incident serves as a stark reminder of the ever-evolving landscape of cyber threats and the importance of robust security protocols.
