Security researchers have uncovered a sophisticated malware strain targeting Microsoft’s Internet Information Services (IIS) web servers, leveraging C++ to deploy advanced evasion techniques and payload delivery mechanisms.
The malware disguises its core processes as the legitimate Windows command-line utility cmd.exe to bypass detection while executing malicious activities, including credential harvesting, lateral movement, and data exfiltration.
Palo Alto Networks’ Unit 42 researchers identified the malware during an incident response engagement at a European financial institution.
The attackers exploited a vulnerable IIS module to inject malicious code directly into server memory, avoiding file-based detection systems.
Unlike traditional IIS malware, this new malware operates exclusively in memory and communicates with command-and-control (C2) servers via encrypted HTTP/2 channels, mimicking standard administrative traffic.
The malware’s defining feature is its use of process hollowing to masquerade as cmd.exe. Attackers inject the malicious payload into a suspended cmd.exe instance, replacing its legitimate code with custom C++ routines.
This allows the malware to inherit the trusted process name and evade behavioral analysis tools.
A reconstructed code snippet reveals the injection mechanism:
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPID);
LPVOID remoteMem = VirtualAllocEx(hProcess, NULL, payloadSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess, remoteMem, maliciousPayload, payloadSize, NULL);
CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)remoteMem, NULL, 0, NULL);
The malware employs multiple persistence mechanisms, including registry key modification and service creation, while utilizing Windows Management Instrumentation (WMI) for lateral movement across networks.
Notably, it intercepts HTTP requests using custom IIS filters to maintain stealth, dynamically altering its behavior based on incoming traffic patterns.
Unit 42’s analysis revealed that this new C++ based IIS malware command execution framework leverages Windows’ user-mode asynchronous procedure calls (APCs) to queue malicious tasks while maintaining the facade of legitimate cmd.exe activity.
This technique enables attackers to execute reconnaissance commands like whoami, ipconfig, and netstat without triggering endpoint detection alerts.
Security teams are advised to monitor IIS servers for unusual memory allocations and unexpected cmd.exe instances with open network connections.
Palo Alto Networks has released detection rules focusing on anomalous WMI event subscriptions and IIS module load patterns.
As of publication, no patch exists for the underlying IIS vulnerability, making configuration hardening and memory monitoring critical defenses.
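The monitoring advice above can be turned into a simple correlation over endpoint telemetry. The following is an added example, not code from Unit 42 or the article: it assumes simplified Sysmon-style records (Event ID 1 ProcessCreate, 3 NetworkConnect, 8 CreateRemoteThread, with Sysmon's field names) and treats w3wp.exe as the IIS worker process; the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample of Sysmon-style events, reduced to the fields used here.
# Event 1 = ProcessCreate, 8 = CreateRemoteThread, 3 = NetworkConnect.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetImage": r"C:\Windows\System32\cmd.exe", "TargetProcessId": 4120,
     "StartAddress": "0x000001F3A2B40000", "StartModule": ""},
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign control: an admin shell from explorer.exe, no remote thread, no socket.
    {"EventID": 1, "ProcessId": 5200, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt_hollowed_cmd(events):
    """Return {pid: [reasons]} for cmd.exe processes matching the indicators
    described above: spawned by the IIS worker, targeted by a remote thread
    whose start address is not backed by a loaded module (the
    VirtualAllocEx + CreateRemoteThread pattern), or holding a network socket,
    which a genuine cmd.exe has no reason to open."""
    findings = defaultdict(list)
    for e in events:
        eid = e["EventID"]
        if eid == 1 and basename(e["Image"]) == "cmd.exe" \
                and basename(e["ParentImage"]) == "w3wp.exe":
            findings[e["ProcessId"]].append("cmd.exe spawned by IIS worker process")
        elif eid == 8 and basename(e["TargetImage"]) == "cmd.exe" \
                and not e.get("StartModule"):
            findings[e["TargetProcessId"]].append(
                f"remote thread from {basename(e['SourceImage'])} "
                f"at unbacked address {e['StartAddress']}")
        elif eid == 3 and basename(e["Image"]) == "cmd.exe":
            findings[e["ProcessId"]].append(
                f"outbound connection to {e['DestinationIp']}:{e['DestinationPort']}")
    return dict(findings)


if __name__ == "__main__":
    for pid, reasons in hunt_hollowed_cmd(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Any one indicator is worth a look, but a PID collecting all three is the profile the article describes and merits memory acquisition of that process before it is terminated.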