
ASP.NET Machine Key Exploit Lets Hackers Compromise IIS, Load Malicious Modules

Published 2025-10-22 14:59:46 | cyberpress.org

๐ŸŽ™๏ธ Paranoid Newscast

๐ŸŽญ
Credibility
70%
๐Ÿ“Š
Risk Score
56%
๐ŸŽฒ
Likelihood
8/10
๐Ÿ’ฅ
Impact
7/10
๐Ÿ›ก๏ธ
Priority
4/5
A large-scale intrusion campaign, tracked as REF3927, is exploiting misconfigured Microsoft IIS servers that reuse publicly exposed ASP.NET machine keys. Attackers are deploying malicious modules and webshells to gain control over affected systems.

A large-scale intrusion campaign tracked as REF3927 is exploiting misconfigured Microsoft IIS servers that reuse publicly exposed ASP.NET machine keys, security researchers from Elastic Security Labs and Texas A&M University System (TAMUS) Cybersecurity have revealed. The attackers, believed to be Chinese-speaking, leveraged the weakness to deploy a malicious IIS module named TOLLBOOTH, alongside webshells, remote management tools, and a custom rootkit.

The attack begins when adversaries identify IIS servers configured with default or published ASP.NET machine keys, which are used to encrypt ViewState data and authentication cookies. By abusing these keys, the hackers perform deserialization attacks through forged ViewState payloads, gaining command execution privileges on the host.

Captured packet traces revealed the injection delivered via a crafted __VIEWSTATE field using payloads generated by the open-source tool ysoserial.net. Successful exploitation returned an HTTP 500 error while granting shell access to the attacker. Once inside, the group deployed Godzilla EKP, a forked webshell framework that supports AMSI bypasses, credential theft, and encrypted command execution. Investigators also found the GotoHTTP Remote Monitoring and Management (RMM) tool installed for persistent access through legitimate cloud channels.

When expansion attempts failed, the attackers switched tactics, deploying the TOLLBOOTH IIS module and a kernel-level stealth driver derived from the open-source Hidden rootkit. The TOLLBOOTH module, built in both native and .NET versions, serves dual purposes: SEO cloaking and interactive command execution. It retrieves configuration files from the attacker infrastructure (c.cseo99[.]com) and exposes webshell access at /mywebdll with a hardcoded password. Additional endpoints such as /health, /debug, and /clean enable management and configuration updates.
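The write-up gives two log-visible indicators: exploitation attempts show up as POST requests to .aspx pages that the server answers with HTTP 500, and the TOLLBOOTH module listens on /mywebdll, /health, /debug and /clean. The following detection script is an added example, not tooling from Elastic's report; it parses IIS W3C extended log lines (the sample log below is constructed) and surfaces both indicators.

```python
"""Triage heuristics for the REF3927 indicators described above, run over
constructed IIS W3C extended log lines. Added example; the log data is
sample data, not real telemetry."""
from collections import Counter

# Endpoints the report attributes to the TOLLBOOTH IIS module.
TOLLBOOTH_PATHS = {"/mywebdll", "/health", "/debug", "/clean"}

# Constructed sample log in W3C extended format, including its #Fields directive.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2025-10-20 09:12:01 203.0.113.7 POST /default.aspx - 500 Mozilla/5.0
2025-10-20 09:12:03 203.0.113.7 POST /default.aspx - 500 Mozilla/5.0
2025-10-20 09:12:05 203.0.113.7 POST /default.aspx - 500 Mozilla/5.0
2025-10-20 09:12:09 203.0.113.7 GET /mywebdll - 200 Mozilla/5.0
2025-10-20 09:13:10 198.51.100.4 GET /index.aspx - 200 Mozilla/5.0
2025-10-20 09:14:00 198.51.100.4 POST /login.aspx - 302 Mozilla/5.0
2025-10-20 09:15:00 192.0.2.9 GET /health - 200 curl/8.0
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed or pre-header lines rather than guess
        yield dict(zip(fields, parts))


def find_viewstate_errors(records, threshold=3):
    """Client IPs with at least `threshold` POSTs to .aspx pages answered 500.

    A single 500 is ordinary application noise; a burst from one source
    against the same page is the pattern the report associates with forged
    ViewState being rejected or executed."""
    counts = Counter()
    for r in records:
        if (r["cs-method"] == "POST"
                and r["cs-uri-stem"].lower().endswith(".aspx")
                and r["sc-status"] == "500"):
            counts[r["c-ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def find_tollbooth_paths(records):
    """(client IP, path) pairs for requests to the TOLLBOOTH management endpoints."""
    return [(r["c-ip"], r["cs-uri-stem"])
            for r in records if r["cs-uri-stem"].lower() in TOLLBOOTH_PATHS]


def analyze(text):
    """Run both heuristics over a W3C log and return the findings."""
    records = list(parse_w3c(text))
    return {
        "viewstate_500_sources": find_viewstate_errors(records),
        "tollbooth_hits": find_tollbooth_paths(records),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Treat the path matches as leads rather than verdicts: /health in particular collides with legitimate load-balancer probes, so confirm by checking which module actually handles the request (for instance by listing the site's installed native and managed modules) before acting on a hit.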

Researchers observed that its primary function is to manipulate search engine crawlers. By comparing User-Agent and Referer headers, the malware tells bots apart from human visitors. Crawlers are served benign, keyword-stuffed content that improves search rankings, while real users are covertly redirected to fraudulent or malicious websites. Cross-linking between infected domains amplifies visibility across engines like Google, Bing, and Yahoo.
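Because the cloaking keys on the User-Agent and Referer headers, an administrator can check a suspect server from the outside by requesting the same page once as a crawler and once as a browser arriving from a search engine, then comparing the two answers. The script below is an added example and not part of the report; the sample response pairs are constructed, and the crawler and browser User-Agent strings are ordinary public values rather than anything taken from the malware.

```python
"""Self-check for the SEO-cloaking behaviour described above: fetch one URL
as a search-engine crawler and as a browser with a search-engine Referer,
then compare status, redirect target and body. Added example; the sample
responses are constructed."""
import difflib
import urllib.error
import urllib.request

CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
SEARCH_REFERER = "https://www.google.com/"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, user_agent, referer=None, timeout=10):
    """Return (status, Location header or None, body text) for one request."""
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        return err.code, err.headers.get("Location"), err.read().decode("utf-8", "replace")


def compare(crawler, browser, similarity_floor=0.8):
    """Compare two (status, location, body) tuples and list cloaking signs."""
    findings = []
    if crawler[0] != browser[0]:
        findings.append(f"status differs: crawler {crawler[0]} vs browser {browser[0]}")
    if (crawler[1] is None) != (browser[1] is None):
        target = browser[1] or crawler[1]
        findings.append(f"redirect served to only one client: Location={target}")
    ratio = difflib.SequenceMatcher(None, crawler[2], browser[2]).ratio()
    if ratio < similarity_floor:
        findings.append(f"body similarity {ratio:.2f} below floor {similarity_floor}")
    return findings


# Constructed sample: the crawler sees keyword-stuffed HTML, the browser is bounced.
SAMPLE_CRAWLER_RESPONSE = (200, None, "<html>" + "cheap watches buy now " * 40 + "</html>")
SAMPLE_BROWSER_RESPONSE = (302, "http://redirect.example.net/", "<html>Redirecting</html>")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live check against a URL you are responsible for
        url = sys.argv[1]
        result = compare(fetch(url, CRAWLER_UA), fetch(url, BROWSER_UA, SEARCH_REFERER))
    else:
        result = compare(SAMPLE_CRAWLER_RESPONSE, SAMPLE_BROWSER_RESPONSE)
    print("\n".join(result) or "no cloaking indicators")
```

The check only sees a redirect expressed as an HTTP Location header; a module that bounces visitors with a meta refresh or a script inside the body shows up instead as a low body-similarity score, which is why both signals are reported. Run it against your own servers from a network address the module has not seen before, since a cloaking module may also vary its answer per client.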

The analysis identified more than 570 infected IIS servers worldwide, excluding systems within China, suggesting intentional geofencing. TAMUS Cybersecurity and Validin's scanning revealed recurring reinfections on servers that failed to regenerate unique machine keys after cleanup. Researchers warn that organizations using IIS must regenerate non-public machine keys, review ViewState configurations, and enforce endpoint protections like Elastic Defend to block rootkits and hidden modules before attackers monetize compromised web servers.
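The reinfection pattern above is the reason cleanup has to include key rotation. The script below is an added example, not something from the report or from Microsoft: it audits the `<machineKey>` and `<pages>` elements of a web.config for a static or weak configuration and emits a freshly generated key pair. `KNOWN_PUBLIC_KEYS` is a placeholder for an operator's own list of published keys (the article does not reproduce any), and the sample config is constructed.

```python
"""Audit a web.config <machineKey> for the weaknesses behind the campaign above
and generate a replacement. Added example; KNOWN_PUBLIC_KEYS is a placeholder
to be filled from your own intelligence, and SAMPLE_CONFIG is constructed."""
import secrets
import xml.etree.ElementTree as ET

# Placeholder: populate with validationKey/decryptionKey values known to be public.
KNOWN_PUBLIC_KEYS = {"PLACEHOLDER_KNOWN_PUBLIC_VALIDATION_KEY"}

# Validation algorithms that are not HMACSHA256 or stronger.
WEAK_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}
WEAK_DECRYPTION = {"DES", "3DES"}

SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_KNOWN_PUBLIC_VALIDATION_KEY"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""


def audit_machine_key(config_xml, known_public=KNOWN_PUBLIC_KEYS):
    """Return a list of findings; an empty list means nothing flagged."""
    root = ET.fromstring(config_xml)
    findings = []
    # iter() matches by tag and avoids ElementPath parsing of "system.web".
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        findings.append("no <machineKey>: keys auto-generate per machine; "
                        "a web farm needs an explicit private key on every node")
    else:
        vkey = mk.get("validationKey", "AutoGenerate")
        dkey = mk.get("decryptionKey", "AutoGenerate")
        if vkey in known_public or dkey in known_public:
            findings.append("machineKey matches a known public key: rotate immediately")
        validation = mk.get("validation", "HMACSHA256").upper()
        if validation in WEAK_VALIDATION:
            findings.append(f"validation={validation}: use HMACSHA256 or stronger")
        decryption = mk.get("decryption", "Auto").upper()
        if decryption in WEAK_DECRYPTION:
            findings.append(f"decryption={decryption}: use AES")
    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState integrity check disabled")
    return findings


def generate_machine_key():
    """Fresh keys from the OS CSPRNG: 64-byte HMAC key, 32-byte AES key (hex)."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
    }


def render_config(keys):
    """Minimal web.config fragment carrying the new keys and MAC enforcement."""
    return (
        '<?xml version="1.0"?>\n<configuration>\n  <system.web>\n'
        f'    <machineKey validationKey="{keys["validationKey"]}"\n'
        f'                decryptionKey="{keys["decryptionKey"]}"\n'
        '                validation="HMACSHA256" decryption="AES" />\n'
        '    <pages enableViewStateMac="true" />\n'
        '  </system.web>\n</configuration>\n'
    )


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(render_config(generate_machine_key()))
```

Rotating the key invalidates every outstanding ViewState and forms-authentication cookie, so schedule it with a restart window, and on a web farm install the same new pair on every node. Rotation without removing the TOLLBOOTH module and the rootkit driver only buys time, since the attacker already holds code execution on the host; the report's reinfection data shows the reverse failure, removal without rotation, just as clearly.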