John Southworth

Knowledge IIS power

IIS modules can be an attractive approach for APTs wishing to maintain persistence on an IIS server. While it is a niche threat, it is important to understand the types of malware and threat actors targeting these servers, and to provide defenders with the means of analysing and hunting for them.

In this talk, we will introduce what Microsoft IIS is, and how threat actors are using custom modules to infect IIS servers. We will present in detail our approaches to threat hunting for new malicious IIS module samples, highlighting the suite of YARA rules we have developed for both targeted and heuristic detection. Finally, we will give an overview of the current IIS threat landscape from our visibility, including case studies into custom IIS backdoors used by state-sponsored threat actors as well as emerging, unattributed threat actors.
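A starting point for the hunting the abstract describes is to inventory which native modules an IIS server is configured to load. Native modules are registered in applicationHost.config under system.webServer/globalModules, each with an image path, so a module whose DLL lives outside the IIS installation directory is worth a closer look. The following is an added example, not material from the talk or from PwC: it parses a constructed applicationHost.config fragment and flags native modules loaded from unexpected paths. The sample config, the module names and the trusted-directory list are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <system.webServer> section of an
# applicationHost.config; the module names and paths are invented.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="HealthMonitor" image="C:\\Windows\\Temp\\healthmon.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" lockItem="true" />
      <add name="StaticFileModule" lockItem="true" />
      <add name="HealthMonitor" />
    </modules>
  </system.webServer>
</configuration>
"""

# Directories from which native IIS modules are normally loaded (assumption:
# a default IIS install with the Windows directory at C:\Windows).
TRUSTED_DIRS = ("c:\\windows\\system32\\inetsrv",)

# Environment-variable forms that commonly appear in image paths.
ENV_EXPANSIONS = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows"}


def normalise_path(image):
    """Lower-case the path, expand common env vars and unify separators."""
    norm = image.lower().replace("/", "\\")
    for var, value in ENV_EXPANSIONS.items():
        norm = norm.replace(var, value)
    return norm


def native_modules(config_xml):
    """Return (name, image) pairs for every native module in globalModules."""
    root = ET.fromstring(config_xml)
    web_server = root.find("system.webServer")
    if web_server is None:
        return []
    global_modules = web_server.find("globalModules")
    if global_modules is None:
        return []
    return [
        (entry.get("name"), entry.get("image"))
        for entry in global_modules.findall("add")
        if entry.get("name") and entry.get("image")
    ]


def is_expected_location(image):
    """True when the DLL sits directly under one of the trusted directories."""
    norm = normalise_path(image)
    return any(norm.startswith(trusted + "\\") for trusted in TRUSTED_DIRS)


def suspicious_modules(config_xml):
    """Native modules whose image path falls outside the trusted directories."""
    return [
        (name, image)
        for name, image in native_modules(config_xml)
        if not is_expected_location(image)
    ]


if __name__ == "__main__":
    for name, image in suspicious_modules(SAMPLE_CONFIG):
        print(f"review: native module {name!r} loads from {image}")
```

On a real host the same function would be run over %windir%\System32\inetsrv\config\applicationHost.config; a module registered from a writable location such as a temp directory does not by itself prove compromise, but it is exactly the kind of outlier that should be pulled for the YARA-based analysis the talk covers.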


John is a principal threat intelligence analyst in PwC’s Global Threat Intelligence team. Having started his career tracking APTs, including North Korea-based and China-based threat actors, he runs a Developing Threats research desk to focus on understanding the emerging actors and vectors in the current threat landscape.
