F5 researchers recently noticed a new campaign exploiting a vulnerability in Microsoft Internet Information Services (IIS) 6.0 servers (CVE–2017–7269) in order to mine Electroneum crypto-currency. Last year, ESET security researchers reported that the same IIS vulnerability was abused to mine Monero, and install malware to launch targeted attacks against organizations by the notorious “Lazarus” group. Lazarus is widely believed to be North Korean government hackers. This new campaign shows that there are still systems vulnerable to this year-old vulnerability on an operating system that was declared End-of-Life (EoL) three years ago.

• The campaign targets Windows IIS 6.0 servers through a vulnerability (CVE-2017-7269) released over a year ago.
• The “Squiblydoo” technique used to download and execute the malware.
• The malware binary is proxy aware and uses Transport Layer Security (TLS) encryption.
• The author named the malware file “lsass.eXe”, likely to camouflage it as the legitimate lsass.exe process.
• Almost all the attacks are coming from the US or China, and the malware hosting server resides in Beijing, China, inside China Unicom’s network.

Attackers Target Year-Old Vulnerability (CVE–2017–7269) Against EOL IIS 6.0

In March 2017, it was publicly disclosed that Microsoft Internet Information Services (IIS) 6.0 is vulnerable to a new buffer overflow vulnerability in its WebDAV functionality. On successful exploitation, it is possible to remotely execute code. Upon release, it was reported that the vulnerability was already being exploited in the wild. Within two days, a Proof-of-Concept (POC) exploit was published.

IIS 6.0 is mainly, but not exclusively, part of Microsoft Windows Server 2003 Operating System (OS), which was placed into an “end of support” status by Microsoft two years prior to the vulnerability being released. At the time the vulnerability was released, Microsoft announced that the bug wouldn’t be fixed as the OS was EOL. Soon after Microsoft published a patch addressing the issue as there were still many servers running that OS, and exploit campaigns were active.

Shellcode Analysis

The exploit in this campaign is identical to the original POC but embeds a different shellcode to execute attacker’s commands.