Attackers obtain remote code execution through abuse of SQL-server environments (exploitation, SQL injection, or credential compromise) and attempt to install web shells. When detection (e.g., endpoint AV) blocks the web-shell stage they escalate to a multi-stage DLL loader ch...
# Incident Report: IIS Backdoor via Exposed ASP.NET Machine Keys
## Executive Summary
Threat actors tracked as REF3927 gained initial access by exploiting a configuration weakness in IIS-hosted ASP.NET applications: the `machineKey` values (`validationKey`/`decryptionKey`) were reused across applications or publicly known. With those keys an attacker can craft a `__VIEWSTATE` value that passes the server's MAC check and is then deserialized, yielding code execution under the application pool identity. Following initial compromise, the attackers deployed webshells (Godzilla), escalated privileges, dumped credentials with Mimikatz, and installed persistent native DLL/IIS module backdoors (TOLLBOOTH) together with a kernel-mode rootkit, leading to deep system compromise and probable data theft.
## Incident Details
- Discovery Date: Not explicitly stated. The public analysis was published October 22, 2025 and updated October 27, 2025.
- Incident Date: Ongoing campaign; initial access detailed in related reports.
- Affected Organization: Multiple; hundreds of infections attributed to the campaign on the basis of recurring TTPs.
- Sector: General web-facing services (implied by IIS/ASP.NET targeting).
- Geography: Undisclosed.
## Timeline of Events
### Initial Access
- Date/Time: Not stated; precedes the persistence stage.
- Vector: Configuration weakness in IIS-hosted ASP.NET applications (no software vulnerability required).
- Details: Attackers targeted environments where the ASP.NET `machineKey` (`validationKey` or `decryptionKey`) was reused between applications or publicly exposed. Knowing the keys lets them produce a `__VIEWSTATE` value with a valid MAC, which the server deserializes, giving arbitrary command execution on the web server.
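The precondition for this access vector is visible in configuration, so the first thing a practitioner wants is an audit of `web.config` files. The following is an added example, not code from the report or from Elastic: it parses the `<machineKey>` and `<pages>` elements, flags keys that appear in a known-public list (the list and both sample configs are constructed for the demo; a real feed would be built from leaked or documentation keys), flags a key reused by two unrelated applications, flags `enableViewStateMac="false"`, and flags validation algorithms weaker than HMACSHA256. It also shows what a hardened element looks like, with correctly sized random keys. Run it over offline copies of the files collected from the fleet.

```python
"""Audit ASP.NET web.config files for the machineKey weaknesses behind the
initial access above. Added example, not code from the report or from Elastic.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Stand-in for a feed of publicly exposed keys (CONSTRUCTED for this demo).
# Hashes are stored so the audit script is not itself a key leak.
KNOWN_PUBLIC_KEY_SHA256 = {hashlib.sha256(("AB" * 64).encode()).hexdigest()}
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def _fingerprint(hexkey: str) -> str:
    # Normalise case and strip option suffixes such as ",IsolateApps".
    return hashlib.sha256(hexkey.split(",")[0].strip().upper().encode()).hexdigest()


def audit_web_config(xml_text: str, app_name: str, seen_keys: dict) -> list:
    """Return findings for one web.config. `seen_keys` maps key fingerprint ->
    owning app across a fleet, so a key reused by two apps is reported."""
    findings = []
    root = ET.fromstring(xml_text)
    pages = next(root.iter("pages"), None)
    mk = next(root.iter("machineKey"), None)

    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState deserialized with no MAC check")

    if mk is None:
        # No explicit element: ASP.NET auto-generates per-host keys. Fine for a
        # single server; web farms then copy keys around, which is how reuse starts.
        return findings

    validation = mk.get("validation", "HMACSHA256").upper()
    if validation not in STRONG_VALIDATION:
        findings.append(f"validation={validation}: weaker than HMACSHA256")

    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue  # per-host generated keys are not attacker-known
        fp = _fingerprint(value)
        if fp in KNOWN_PUBLIC_KEY_SHA256:
            findings.append(f"{attr} is a known-public key: a forged __VIEWSTATE passes the MAC check")
        owner = seen_keys.setdefault(fp, app_name)
        if owner != app_name:
            findings.append(f"{attr} is shared with app '{owner}': one compromise forges ViewState for both")
    return findings


def generate_machine_key_element() -> str:
    """Emit a hardened <machineKey>: 64 random bytes for HMACSHA256 validation,
    32 random bytes for AES-256 decryption."""
    return (f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
            f'decryptionKey="{secrets.token_hex(32).upper()}" '
            'validation="HMACSHA256" decryption="AES" />')


def wrap_config(machine_key_xml: str, pages_xml: str = "") -> str:
    """Minimal web.config skeleton around the elements under test."""
    return f"<configuration><system.web>{pages_xml}{machine_key_xml}</system.web></configuration>"


# Constructed samples: the weak one uses the "public" key above with SHA1 and MAC off.
WEAK_CONFIG = wrap_config(
    f'<machineKey validationKey="{"AB" * 64}" decryptionKey="{"CD" * 32}" '
    'validation="SHA1" decryption="AES" />',
    '<pages enableViewStateMac="false" />',
)
HARDENED_CONFIG = wrap_config(
    generate_machine_key_element(),
    '<pages enableViewStateMac="true" viewStateEncryptionMode="Always" />',
)

if __name__ == "__main__":
    fleet = {}
    for name, cfg in (("intranet", WEAK_CONFIG), ("portal", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for finding in audit_web_config(cfg, name, fleet) or ["no findings"]:
            print(f"{name}: {finding}")
```

Auditing the same weak config twice under different application names is deliberate: the second pass reports the key as shared, which is the web-farm copy-paste pattern that turns one exposed key into fleet-wide access.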
### Lateral Movement
- Details: After gaining a foothold, the actors attempted to create accounts and dumped credentials with Mimikatz, presumably to reach further systems and to obtain the privileges needed for kernel-level persistence. (Registration of the backdoors as global native or .NET IIS modules under `C:\Windows\System32\inetsrv\` is a persistence step and is covered under Attack Methodology.)
### Data Exfiltration/Impact
- Details: Data theft is the expected end goal (credential theft and full system control imply it, though exfiltration itself is not documented). The malware retrieved configuration from `c[.]cseo99[.]com/config/.json` and injected browser-hijacking JavaScript, hosted on Alibaba Cloud object storage (OSS), to replace page content or redirect visitors.
### Detection & Response
- Date/Time: Detection occurred after initial compromise; the analysis was published October 22, 2025.
- Details: Initial detection likely followed from webshell activity (Godzilla), suspicious file creation, or anomalous network traffic. Response required identifying and removing the deep persistence mechanisms, the kernel rootkit and the custom IIS modules, neither of which is reliably visible to tools running on the compromised host while the rootkit is active.
## Attack Methodology
- Initial Access: IIS misconfiguration leading to arbitrary command execution via `__VIEWSTATE` deserialization.
- Persistence: A kernel-mode rootkit derived from the open-source Hidden project (`Wingtb.sys`, service "Wingtb"), controlled through `WingtbCLI.exe`/`HijackDriverManager.exe`, plus TOLLBOOTH modules (`scripts.dll`, `caches.dll`) registered as global IIS modules, with 64-bit and 32-bit copies under `System32\inetsrv` and `SysWOW64\inetsrv`.
- Privilege Escalation: Implied by credential dumping (Mimikatz) after the initial foothold; loading a kernel driver requires administrative rights, so this step precedes kernel-level persistence.
- Defense Evasion: The rootkit hides processes by manipulating kernel objects (DKOM), hides the module files and configuration with a file-system minifilter, and hides its service keys with registry callbacks.
- Credential Access: Credential dumping with Mimikatz, eased by setting `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential` to `1`, which makes LSASS keep plaintext credentials in memory for subsequent logons.
- Discovery: Implied activities following initial access to establish environment context for customized payload deployment.
- Lateral Movement: Account creation attempts and credential dumping support this phase.
- Collection: Implied staging of data under temporary paths (`C:\Windows\Temp\_FAB234CD3-09434-8898D-BFFC-4E23123DF2C\` or a .NET-specific path not detailed here).
- Exfiltration: Not explicitly detailed, but associated with successful credential compromise and system control.
- Impact: System hijacking, user redirection/content replacement via JavaScript, and establishment of long-term backdoor access.
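Because the rootkit hides the module files and service keys on a live host, the persistence and credential-access artifacts above are best checked against exported copies of `applicationHost.config` and a registry export. The following is an added example, not code from the report: it lists every global native module whose image is not in a baseline (the baseline here is a constructed subset; build the real one from a clean install of the same IIS version), flags images matching the TOLLBOOTH DLL names, flags managed modules whose type is not from the framework, and reads the WDigest flag from a `.reg` export. Module names in the sample are constructed.

```python
"""Audit an exported IIS applicationHost.config for unexpected modules and a
registry export for the WDigest plaintext-credential flag. Added example, not
code from the report; run it over offline copies of the files.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

IOC_MODULE_DLLS = {"scripts.dll", "caches.dll"}   # file indicators from the report
# Constructed subset of stock native module images (lower-cased for comparison).
BASELINE_IMAGES = {
    r"%windir%\system32\inetsrv\cachuri.dll",
    r"%windir%\system32\inetsrv\static.dll",
    r"%windir%\system32\inetsrv\defdoc.dll",
    r"%windir%\system32\inetsrv\authanon.dll",
}
WDIGEST_KEY = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]"


def audit_modules(xml_text: str) -> list:
    """Return (severity, module name, detail) for suspicious module registrations."""
    findings = []
    root = ET.fromstring(xml_text)
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            name, image = add.get("name", "?"), add.get("image", "")
            dll = PureWindowsPath(image).name.lower()
            if dll in IOC_MODULE_DLLS:
                findings.append(("high", name, f"image {image} matches TOLLBOOTH IOC"))
            elif image.lower() not in BASELINE_IMAGES:
                findings.append(("medium", name, f"image {image} not in baseline"))
    for mods in root.iter("modules"):
        for add in mods.findall("add"):
            mtype = add.get("type")   # only managed (.NET) modules carry a type
            if mtype and not mtype.startswith(("System.Web.", "Microsoft.")):
                findings.append(("medium", add.get("name", "?"), f"managed module type {mtype} is not from the framework"))
    return findings


def wdigest_plaintext_enabled(reg_export: str) -> bool:
    """True if the export shows UseLogonCredential=1 under the WDigest key.
    (reg.exe exports are UTF-16LE; decode before passing the text in.)"""
    in_key = False
    for line in reg_export.splitlines():
        if line.startswith("["):
            in_key = line.strip().lower() == WDIGEST_KEY.lower()
        elif in_key and line.strip().lower().startswith('"uselogoncredential"=dword:'):
            return int(line.split(":")[1], 16) == 1
    return False


# Constructed sample: two stock modules, two TOLLBOOTH-style entries, one managed module.
SAMPLE_APPHOST = r"""<configuration><system.webServer>
<globalModules>
  <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
  <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
  <add name="ScriptsModule" image="%windir%\System32\inetsrv\scripts.dll" />
  <add name="CacheHelper" image="C:\Windows\SysWOW64\inetsrv\caches.dll" preCondition="bitness32" />
</globalModules>
<modules>
  <add name="UriCacheModule" />
  <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
  <add name="Updater" type="Updater.Handler, Updater" preCondition="managedHandler" />
</modules>
</system.webServer></configuration>"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001
"""

if __name__ == "__main__":
    for severity, name, detail in audit_modules(SAMPLE_APPHOST):
        print(f"[{severity}] {name}: {detail}")
    print("WDigest plaintext caching enabled:", wdigest_plaintext_enabled(SAMPLE_REG))
```

A module that merely fails the baseline check is not proof of compromise (third-party modules exist), but the combination of an unknown image under `inetsrv`, a 32-bit twin under `SysWOW64`, and the WDigest flag flipped is the pattern this report describes.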
## Impact Assessment
- Financial: Unknown, but likely significant, since eradicating a kernel rootkit means rebuilding affected hosts rather than cleaning them in place.
- Data Breach: Highly likely, given credential dumping and persistent access. Type of data unknown.
- Operational: High impact due to installation of deep-level persistence (rootkits) and potential disruption from log clearing/system modification.
- Reputational: Potential harm due to observed history of user redirection/page hijacking.
## Indicators of Compromise
- Network Indicators (Defanged): `c[.]cseo99[.]com/config/.json` (configuration retrieval), `mlxya[.]oss-accelerate[.]aliyuncs[.]com/...` (Alibaba Cloud OSS bucket hosting the JS redirector)
- File Indicators:
- Webshells: `1.aspx` (Godzilla family)
- Persistence Modules: `C:\Windows\System32\inetsrv\scripts.dll`, `C:\Windows\System32\inetsrv\caches.dll` (and SysWOW64 equivalents)
- Artifact Staging: `C:\Windows\Temp\_FAB234CD3-09434-8898D-BFFC-4E23123DF2C\`, `C:\Windows\Temp\AcpLogs\`
- Rootkit Driver/Service: `Wingtb.sys` (Service: "Wingtb")
- Behavioral Indicators:
- Anomalous `__VIEWSTATE` submissions (unusually large values, or repeated POSTs from a single client with no preceding GET), indicative of deserialization exploitation.
- Creation of new service "Wingtb" controlled by `WingtbCLI.exe`/`HijackDriverManager.exe`.
- Deletion of Windows Event Logs (log clearing).
- Requests to the TOLLBOOTH operator endpoints: `/health`, `/debug`, `/conf`, `/clean`.
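The behavioral indicators above can be hunted in IIS W3C logs collected from the server (or forwarded to a SIEM). The following is an added example, not code from the report, with constructed log lines: it reads column names from the `#Fields:` directive, then flags hits on the operator endpoints, requests for the Godzilla webshell filename, and unusually large POSTs to `.aspx` pages, since a forged ViewState payload is bulky. Two caveats: `/health` is a common legitimate path, so tune `OPERATOR_PATHS` to the application inventory, and `cs-bytes` is not logged by default, so the size rule only fires where that field has been enabled. The size threshold is an assumption to be baselined per application.

```python
"""Scan IIS W3C log lines for the behavioral indicators above. Added example,
not code from the report; the log lines are constructed.
"""
OPERATOR_PATHS = {"/health", "/debug", "/conf", "/clean"}   # from the report
WEBSHELL_NAMES = {"1.aspx"}                                   # from the report
LARGE_POST_BYTES = 20_000   # assumed threshold; baseline it per application


def parse_w3c(lines):
    """Yield one dict per request, using the #Fields: directive for column names."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            # IIS encodes spaces inside values as '+', so whitespace splitting is safe.
            yield dict(zip(fields, line.split()))


def scan_iis_log(lines):
    """Return (rule, client ip, uri) tuples for every matching request."""
    alerts = []
    for rec in parse_w3c(lines):
        uri = rec.get("cs-uri-stem", "").lower()
        client = rec.get("c-ip", "?")
        if uri.rstrip("/") in OPERATOR_PATHS:
            alerts.append(("operator-endpoint", client, uri))
        if uri.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
            alerts.append(("webshell-name", client, uri))
        raw = rec.get("cs-bytes", "0")
        size = int(raw) if raw.isdigit() else 0   # field is '-' when not logged
        if rec.get("cs-method") == "POST" and uri.endswith(".aspx") and size >= LARGE_POST_BYTES:
            alerts.append(("large-aspx-post", client, uri))
    return alerts


# Constructed sample: one benign GET, one oversized POST, one webshell hit, one operator call.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken cs-bytes
2025-10-20 03:14:07 10.0.0.5 GET /default.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 0 0 31 612
2025-10-20 03:14:22 10.0.0.5 POST /default.aspx - 443 - 198.51.100.7 python-requests/2.31 500 0 0 412 48211
2025-10-20 03:15:01 10.0.0.5 POST /1.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 0 0 15 1342
2025-10-20 03:16:40 10.0.0.5 GET /debug - 443 - 198.51.100.7 curl/8.4 200 0 0 3 301
"""

if __name__ == "__main__":
    for rule, client, uri in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(f"{rule:18} {client:15} {uri}")
```

The oversized POST in the sample returns HTTP 500, which is typical when a deserialization gadget executes and the page pipeline then fails; correlating large `.aspx` POSTs with 500s from the same client is a useful second-stage filter.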
## Response Actions
- Containment Measures: Immediate isolation of affected IIS servers. Rotation of all ASP.NET machine keys across the organization so that previously exposed keys can no longer be used to forge `__VIEWSTATE`. Key rotation only closes the initial access path; it does not evict an attacker who has already installed modules or the rootkit.
- Eradication Steps: Forensics to trace the rootkit installation (`Wingtb.sys`) and remove all injected native/.NET modules, performed against offline copies or from a trusted boot environment, because the rootkit conceals these artifacts on the live system. Affected IIS application directories and configuration files should be rebuilt from known-good sources.
- Recovery Actions: Reconfiguring IIS applications with unique, strong `machineKey` values (generated per application, never copied from documentation or from other applications). Removal of attacker-created accounts and password resets for every account whose credentials may have been dumped, which in practice means every account that logged on to an affected host.
## Lessons Learned
- The root cause was insecure application configuration (reused or public `machineKey` values), not a software vulnerability. Because a forged ViewState carries a valid MAC, the request looks legitimate to the server and to signature-based protections, which is why typical RCE defenses did not trigger.
- Attackers are employing sophisticated, multi-stage payloads, culminating in kernel-level persistence (rootkits) when web shell deployment is blocked.
- Deep-level persistence mechanisms (kernel drivers) require specialized detection methods beyond standard AV/EDR focused on user-mode processes.
## Recommendations
- Mandate managed generation and regular rotation of ASP.NET `machineKey` values, unique per application (shared only among the nodes of that application's web farm, never between applications or copied from public sources), with ViewState MAC and encryption enabled (`enableViewStateMac="true"`, `viewStateEncryptionMode="Always"`).
- Use WAF rules to alert on and rate-limit anomalous `__VIEWSTATE` submissions, bearing in mind that a WAF cannot inspect the contents of an encrypted, correctly MAC'd ViewState; size and frequency anomalies are the usable signals, and key hygiene remains the actual fix.
- Harden servers by restricting the privileges required to install kernel drivers and services, enabling driver signature enforcement and the Microsoft vulnerable driver blocklist (with HVCI where supported), and regularly auditing for unexpected DLL loads, minifilter registrations and registry callback registrations.
- Augment EDR solutions with advanced behavioral monitoring capable of detecting Direct Kernel Object Manipulation (DKOM) techniques used by rootkits.