Unknown installation/uninstallation vector for IIS native module backdoor

Determine the specific vulnerabilities or channels the attacker used to install and uninstall a malicious Microsoft IIS native module backdoor on the affected web server, even though all currently known system security vulnerabilities had been patched, in order to identify the attack vector that evaded security hardening and auditing.

Background

The paper investigates a targeted backdoor implemented as a Microsoft IIS native module that remained undetected by deployed defenses for months. While discussing limitations of traditional security hardening and auditing, the authors note that, in their incident response case, the attacker could install and uninstall the malicious module despite patched vulnerabilities and whitelisting strategies.

This explicit uncertainty centers on the unknown attack vector or mechanism (an undisclosed vulnerability, a misconfiguration, or some other channel) that allowed IIS modules to be manipulated persistently outside routine administrative controls. Resolving this question is important for strengthening defensive baselines and for validating detection methodologies such as the proposed TABMAX framework.
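The kind of baseline check that the hardening and auditing described above rely on, as an added example that is not from the paper or the TABMAX framework: IIS registers native modules in the globalModules section of applicationHost.config, so two snapshots of that section can be compared for added, removed, or re-pointed modules, and any module whose DLL lives outside the inetsrv directory can be flagged. The two config fragments are constructed, and the out-of-place HttpCacheModule entry is a constructed example, not an indicator from the incident.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragments (not taken from any real server).
# IIS lists native modules under system.webServer/globalModules; "image" is the DLL path.
BASELINE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

CURRENT_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="HttpCacheModule" image="C:\\inetpub\\temp\\cache.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Directory where the stock IIS native module DLLs live (compared case-insensitively).
TRUSTED_DIR = "%windir%\\system32\\inetsrv\\"

def global_modules(config_xml: str) -> dict:
    """Return {module name: image path} from the first globalModules section."""
    root = ET.fromstring(config_xml)
    for section in root.iter("globalModules"):
        return {add.get("name"): add.get("image", "") for add in section.findall("add")}
    return {}

def diff_modules(baseline: dict, current: dict) -> dict:
    """Compare two snapshots. A module that is installed and uninstalled between two
    snapshots leaves no difference, so snapshots must be frequent and kept as history."""
    added = {n: current[n] for n in current.keys() - baseline.keys()}
    removed = {n: baseline[n] for n in baseline.keys() - current.keys()}
    changed = {n: (baseline[n], current[n])
               for n in baseline.keys() & current.keys() if baseline[n] != current[n]}
    return {"added": added, "removed": removed, "changed": changed}

def untrusted_images(modules: dict) -> list:
    """Names of modules whose DLL path is outside the IIS install directory."""
    return sorted(n for n, img in modules.items()
                  if not img.lower().startswith(TRUSTED_DIR))

if __name__ == "__main__":
    print(diff_modules(global_modules(BASELINE_CONFIG), global_modules(CURRENT_CONFIG)))
    print(untrusted_images(global_modules(CURRENT_CONFIG)))
```

Because a module that is installed and later uninstalled cancels out between two snapshots, this check only reinforces the paper's point: point-in-time auditing of the module list cannot by itself reveal the channel used to make the change.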

References

However, in our situation, the attacker can install and uninstall the malicious module backdoor through vulnerabilities or channel(s) unknown to us, even though the latest system security vulnerabilities are already patched.

Target Attack Backdoor Malware Analysis and Attribution (2502.02335 - Lai et al., 4 Feb 2025), Section 2, Limitation of Security Hardening, Audit, and Assessment