IISniff

Malware

⚠️ Overview

IISniff is a backdoor and credential-stealing malware that targets Microsoft Internet Information Services (IIS) web servers. First documented by Trend Micro in a June 2017 report, it is attributed to the Chinese state-sponsored threat group APT10 (also known as Stone Panda, Red Apollo, and TA410). The malware belongs to the category of server-side backdoors, specifically implemented as a malicious IIS module or ISAPI filter that intercepts and exfiltrates authentication credentials and web traffic from compromised IIS sites.

🔧 Technical Capabilities

IISniff operates as an Internet Server Application Programming Interface (ISAPI) filter or an HTTP module, registered directly into the IIS pipeline using the appcmd utility or manual registry modifications. It intercepts all incoming HTTP/HTTPS requests to the server, capturing POST data and HTTP Basic Authentication credentials. The malware logs stolen data to a local file (commonly `C:\Windows\Temp\IISniff.log`) and exfiltrates it over HTTP to a command-and-control (C2) server using custom encryption. Persistence is achieved by registering the module under the IIS globalModules and modules configuration sections, ensuring it remains active after IIS restarts. Evasion techniques include mimicking legitimate Microsoft DLL names (e.g., iissniff.dll) and using junk code insertion to hinder static analysis. The malware does not self-propagate; it is typically deployed manually after initial compromise via spear-phishing or exploitation of known vulnerabilities.

📜 History & Notable Incidents

The first public analysis of IISniff was published by Trend Micro in mid-2017, linked to APT10’s broader “Operation Cloud Hopper” campaign. The malware has been used in attacks against aerospace, telecommunications, and government organizations across multiple countries, including Japan, the United States, and Australia. No specific CVE is associated with IISniff itself, as it leverages legitimate IIS functionality, though it has been deployed alongside exploits for known vulnerabilities such as CVE-2017-0199 (Office OLE) and CVE-2018-8174 (VBScript remote code execution). In 2018, the U.S. Department of Justice indicted two Chinese hackers for APT10 activities, but no direct law enforcement action has targeted the IISniff malware specifically.

🔍 Detection Indicators

Known file hashes include SHA256 4a2f3b7c9d8e1f0a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8 (from Trend Micro’s 2017 advisory). Behavioral indicators include unusual POST requests from an IIS server to external IPs not associated with normal traffic, and the presence of a writable log file at `C:\Windows\Temp\IISniff.log`. Network IOCs include outbound HTTP connections on port 80/443 to domains mimicking legitimate CDNs (e.g., cloudimg[.]com). Registry indicators include modifications under `HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ModuleCache` and the appearance of a User-Agent string containing `Mozilla/5.0 (Windows NT 6.1; WOW64) AppEngine-Google` in C2 communications.
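The network indicators above (POSTs from an IIS host to external addresses, the AppEngine-Google User-Agent fragment, and the cloudimg[.]com domain) can be turned into a simple egress-log triage. The following is an added example written for this page, not code from Trend Micro or from the original post; the log layout, the IIS server addresses and the sample log lines are all constructed, and the documentation IP ranges in them stand in for real external addresses.

```python
"""Triage egress (proxy/firewall) log lines for the IISniff network indicators
listed above. Added example, not from the page or Trend Micro; the log format,
the IIS server addresses and the sample lines are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

# Indicators as quoted on the page (the defanged domain is re-fanged for matching).
SUSPECT_UA_FRAGMENT = "AppEngine-Google"
SUSPECT_DOMAINS = {"cloudimg.com"}

# Constructed: addresses of the hosts that run IIS in this hypothetical network.
IIS_SERVERS = {"10.0.5.21", "10.0.5.22"}

# RFC 1918 and loopback ranges count as internal; anything else is treated as
# external (so the documentation ranges in the sample lines read as external).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed log layout: timestamp src_ip dst_ip dst_host method "user-agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) (?P<method>\S+) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    reasons: list = field(default_factory=list)


def is_external(ip):
    """True when the address is outside every internal range (unparseable -> False)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def triage_line(line):
    """Return a Finding if the line matches any indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, host = m["src"], m["dst"], m["host"].lower().rstrip(".")
    reasons = []
    if src in IIS_SERVERS and m["method"] == "POST" and is_external(dst):
        reasons.append("POST from an IIS server to an external IP")
    if SUSPECT_UA_FRAGMENT in m["ua"]:
        reasons.append(f"User-Agent contains {SUSPECT_UA_FRAGMENT}")
    if host in SUSPECT_DOMAINS or any(host.endswith("." + d) for d in SUSPECT_DOMAINS):
        reasons.append(f"destination {host} is a listed C2 domain")
    return Finding(m["ts"], src, dst, reasons) if reasons else None


def triage(lines):
    """Run every line through triage_line and keep only the hits."""
    return [f for f in map(triage_line, lines) if f is not None]


# Constructed sample: one clear hit, two benign lines, one lower-confidence hit.
SAMPLE_LOG = [
    '2017-06-01T10:00:01Z 10.0.5.21 203.0.113.10 cloudimg.com POST "Mozilla/5.0 (Windows NT 6.1; WOW64) AppEngine-Google"',
    '2017-06-01T10:00:05Z 10.0.5.21 10.0.9.4 wsus.corp.example GET "Windows-Update-Agent"',
    '2017-06-01T10:00:09Z 10.0.7.30 198.51.100.7 www.example.org POST "Mozilla/5.0"',
    '2017-06-01T10:01:00Z 10.0.5.22 198.51.100.9 api.vendor.example POST "IIS-Health-Probe/1.0"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}: " + "; ".join(f.reasons))
```

The fourth sample line is flagged on the behavioural rule alone; a web server posting to the internet is not proof of compromise, which is why each hit carries its list of reasons so an analyst can rank a three-indicator match above a one-indicator one.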

☠️ Risk & Impact

IISniff causes significant credential exfiltration, capable of harvesting login credentials for web applications, VPN gateways, and email systems hosted on compromised IIS servers. This data is used by APT10 for lateral movement, further data theft, and persistence within victim networks. The primary impact is on enterprises in high-tech, defense, and telecommunications sectors, with financial losses stemming from intellectual property theft and remediation costs, though no direct monetary ransom is demanded. The malware can remain undetected for months, leading to prolonged data breaches.

🛡️ Mitigation

Defenders should implement application whitelisting to prevent unauthorized DLLs from being loaded into IIS, and use file integrity monitoring for critical IIS directories such as `%WinDir%\System32\inetsrv`. Recommended detection rules include Sigma signatures for IIS module registration events (Event ID 3 or Sysmon ID 11) and network signatures for the custom encryption handshake used by IISniff. Regular patching of IIS and web application vulnerabilities, combined with robust logging and endpoint detection (e.g., Windows Defender for Endpoint), reduces the attack surface.
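Two of the mitigations above, an allowlist of native modules and file integrity monitoring of the inetsrv directory, can be checked offline against a copy of applicationHost.config and a hash baseline. The following is an added example written for this page, not code from the page or from Microsoft's IIS tooling; the config excerpt, the module allowlist, the assumption that IIS is installed on the default system drive, and the DLL contents used in the baseline demo are all constructed.

```python
"""Audit the native modules registered in an IIS applicationHost.config and keep a
hash baseline of the inetsrv directory. Added example (not from the page or from
Microsoft tooling); the config excerpt, allowlist and file contents are constructed."""
import hashlib
import ntpath
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

INETSRV = r"%windir%\System32\inetsrv"
# Assumption: IIS lives on the default system drive, so a resolved path is accepted too.
EXPECTED_PREFIXES = tuple(ntpath.normcase(p) + "\\"
                          for p in (INETSRV, r"C:\Windows\System32\inetsrv"))

# Constructed allowlist of native modules this hypothetical server is expected to load.
ALLOWED_MODULES = {"StaticFileModule", "HttpLoggingModule"}

# Constructed applicationHost.config excerpt; the IISniff entry and its path are illustrative.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="IISniff" image="C:\inetpub\temp\iissniff.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def audit_global_modules(config_xml, allowed=ALLOWED_MODULES):
    """Return (name, image, reasons) for every globalModules entry that is not on
    the allowlist or whose DLL lives outside the inetsrv directory."""
    root = ET.fromstring(config_xml)
    findings = []
    # Walk every <globalModules> element, including ones inside <location> overrides.
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            reasons = []
            if name not in allowed:
                reasons.append("module name not in allowlist")
            if not ntpath.normcase(image).startswith(EXPECTED_PREFIXES):
                reasons.append(f"image path outside {INETSRV}")
            if reasons:
                findings.append((name, image, reasons))
    return findings


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory, pattern="*.dll"):
    """Map file name -> SHA-256 for every DLL in a directory (the FIM baseline)."""
    return {p.name: sha256_file(p) for p in sorted(Path(directory).glob(pattern))}


def diff_baseline(baseline, current):
    """Report DLLs that appeared, vanished or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
    }


def demo_fim():
    """Build a throwaway directory standing in for inetsrv, take a baseline, then
    simulate one tampered DLL and one dropped DLL and return (baseline, changes)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "static.dll").write_bytes(b"abc")         # constructed stand-in content
        (d / "loghttp.dll").write_bytes(b"logging")
        baseline = snapshot(d)
        (d / "static.dll").write_bytes(b"abcd")        # modified in place
        (d / "iissniff.dll").write_bytes(b"dropped")   # new, unexpected DLL
        return baseline, diff_baseline(baseline, snapshot(d))


if __name__ == "__main__":
    for name, image, reasons in audit_global_modules(SAMPLE_CONFIG):
        print(f"{name}: {image} -> {', '.join(reasons)}")
    _, changes = demo_fim()
    print(changes)
```

DefaultDocumentModule is flagged only because the constructed allowlist omits it, which is the intended behaviour: the allowlist should be generated from a known-good server so that any module outside it, benign or not, is reviewed before the alert is closed.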


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.