“The initial component of IIServerCore is an ASPX web shell named OutlookEN.aspx,” the researchers wrote. “This web shell contains an embedded Base64-compressed binary, the IIServerCore backdoor. When the web shell executes, it loads the backdoor into the memory of the w3wp.exe process and invokes the Run method, which is the main function of IIServerCore.”
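One defensive check that follows from this description, as an added example that is not from the article or the researchers' report: scan ASPX files for long Base64 runs that decode, directly or after gzip/zlib/raw-deflate decompression, to an MZ-headed binary. The sample page and the fake "PE" payload below are constructed for the example.

```python
import base64
import binascii
import gzip
import re
import zlib

# Constructed sample: a fake "PE" (MZ header plus filler) gzip-compressed and
# Base64-encoded inside an ASPX page, mirroring the embedding the article describes.
FAKE_PE = b"MZ" + bytes(range(256)) + b"\x00" * 64
SAMPLE_ASPX = (
    '<%@ Page Language="C#" %>\n'
    '<script runat="server">\n'
    '    string payload = "' + base64.b64encode(gzip.compress(FAKE_PE)).decode() + '";\n'
    '</script>\n'
)
BENIGN_ASPX = '<%@ Page Language="C#" %>\n<p>Hello</p>\n'

# Long runs of Base64 alphabet characters; short tokens such as identifiers are ignored.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def inflate_candidates(blob):
    """Yield the raw blob, then every decompression that succeeds (gzip, zlib, raw deflate)."""
    yield blob
    for wbits in (zlib.MAX_WBITS | 16, zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            yield zlib.decompress(blob, wbits)
        except zlib.error:
            pass


def find_embedded_pe(source):
    """Return every decoded payload (bytes) in `source` that starts with an MZ header."""
    hits = []
    for match in B64_RUN.finditer(source):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue  # not valid Base64 (e.g. bad length), skip this run
        for data in inflate_candidates(raw):
            if data[:2] == b"MZ":
                hits.append(data)
                break
    return hits


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as f:
            for pe in find_embedded_pe(f.read()):
                print(f"{path}: embedded MZ payload, {len(pe)} bytes after decoding")
```

Run it over a web root (`python scan.py C:\inetpub\wwwroot\*.aspx`) to flag pages carrying an embedded executable; a hit is a triage lead, not proof of compromise, since legitimate pages rarely but occasionally embed binaries.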
Another component, called AssemblyExecuter V1, is designed to execute .NET assembly bytecode in memory, whereas the enhanced version, AssemblyExecuter V2, is capable of bypassing the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW).
“The component’s seemingly benign code structure results in minimal flagging by antivirus engines on VirusTotal, at the time of writing this article,” the researchers said. “This demonstrates a technique that threat actors can use to create tools that avoid overt code, which detection systems might interpret as malicious.”
