ASP.NET Machine Key Exploit Lets Hackers Compromise IIS, Load Malicious Modules
The attackers, believed to be Chinese-speaking, leveraged the weakness to deploy a malicious IIS module named TOLLBOOTH, alongside webshells, remote management tools, and a custom rootkit.
The attack begins when adversaries identify IIS servers whose ASP.NET machine keys are default, sample or otherwise publicly known. These keys sign (and, depending on configuration, encrypt) ViewState data and forms-authentication cookies, so anyone who holds them can produce ViewState that the server accepts as genuine.
With a valid key, the attackers forge a __VIEWSTATE value carrying a serialized object graph. When the server deserializes it, the embedded gadget chain runs attacker-chosen commands on the host.
Captured packet traces showed the payload delivered in a crafted __VIEWSTATE form field, generated with the open-source tool ysoserial.net. A successful request returned an HTTP 500 error to the client even though the gadget chain had already executed, handing the attacker shell access.
Once inside, the group deployed Godzilla EKP, a forked webshell framework that supports AMSI bypasses, credential theft, and encrypted command execution.
Investigators also found the GotoHTTP Remote Monitoring and Management (RMM) tool installed for persistent access through legitimate cloud channels.
When expansion attempts failed, the attackers switched tactics, deploying the TOLLBOOTH IIS module and a kernel-level stealth driver derived from the open-source Hidden rootkit.
The TOLLBOOTH module, built in both native and .NET versions, serves dual purposes: SEO cloaking and interactive command execution. It retrieves configuration files from the attacker infrastructure (c.cseo99[.]com) and exposes webshell access at /mywebdll with a hardcoded password.
Additional endpoints such as /health, /debug, and /clean enable management and configuration updates.
Researchers observed that its primary function is to manipulate search engine crawlers. By inspecting the User-Agent and Referer headers of each request, the module distinguishes bots from human visitors.
Crawlers receive benign, keyword-stuffed content that lifts the site's search rankings, while real users arriving from search results are covertly redirected to fraudulent or malicious websites. Cross-linking between other infected domains amplifies visibility across engines such as Google, Bing, and Yahoo.
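The cloaking behaviour and the management endpoints described above leave traces in ordinary IIS W3C logs. The script below is an added example (not code from the article or the researchers) that parses a constructed log excerpt, flags hits on the paths attributed to TOLLBOOTH (/mywebdll, /health, /debug, /clean) and reports any path where a crawler got a 200 while a search-referred browser was redirected. The log lines, IPs and user agents are constructed; the crawler and referer patterns are assumptions you should tune to your own traffic.

```python
"""Hunt for TOLLBOOTH-style activity in IIS W3C logs.

Added example, not code from the article. SAMPLE_LOG is constructed; the
IPs are documentation ranges. IIS encodes spaces in cs(User-Agent) as '+'.
"""
import re
from collections import defaultdict

# Management endpoints the article attributes to TOLLBOOTH. /health is also a
# common legitimate route, so it is rated as a lead rather than proof.
TOLLBOOTH_PATHS = {"/mywebdll": "high", "/debug": "medium",
                   "/clean": "medium", "/health": "low"}
# Assumed crawler and search-engine patterns; extend for your environment.
CRAWLER_UA = re.compile(r"googlebot|bingbot|slurp|baiduspider|yandexbot|duckduckbot", re.I)
SEARCH_REFERER = re.compile(r"^https?://([\w-]+\.)*(google|bing|yahoo|duckduckgo)\.", re.I)

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status sc-bytes
2025-10-01 08:00:01 GET /products.aspx - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;+http://www.google.com/bot.html) - 200 48211
2025-10-01 08:00:05 GET /products.aspx - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/129.0 https://www.google.com/ 302 0
2025-10-01 08:00:09 GET /products.aspx - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/129.0 - 200 9210
2025-10-01 08:01:10 POST /mywebdll - 198.51.100.9 Mozilla/5.0 - 200 512
2025-10-01 08:01:12 GET /health - 198.51.100.9 Mozilla/5.0 - 200 64
2025-10-01 08:02:00 GET /contact.aspx - 203.0.113.8 Mozilla/5.0+(Windows+NT+10.0)+Firefox/130.0 https://www.bing.com/ 200 9000
"""


def parse_iis_log(text):
    """Parse W3C-format lines into dicts keyed by the #Fields header names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # header missing or malformed line: skip rather than guess
        rec = dict(zip(fields, values))
        rec["cs(User-Agent)"] = rec.get("cs(User-Agent)", "").replace("+", " ")
        rec["sc-status"] = int(rec["sc-status"])
        rec["sc-bytes"] = int(rec.get("sc-bytes", 0))
        records.append(rec)
    return records


def find_tollbooth_paths(records):
    """Every request to a known TOLLBOOTH management path, with a confidence label."""
    hits = []
    for r in records:
        confidence = TOLLBOOTH_PATHS.get(r["cs-uri-stem"].lower())
        if confidence:
            hits.append((r["cs-uri-stem"], r["cs-method"], r["c-ip"],
                         r["sc-status"], confidence))
    return hits


def find_cloaking(records):
    """Paths where a crawler received 200 but a search-referred browser was
    redirected (3xx): the User-Agent/Referer cloaking pattern."""
    crawler_ok, human_redirect = defaultdict(set), defaultdict(set)
    for r in records:
        path = r["cs-uri-stem"]
        if CRAWLER_UA.search(r["cs(User-Agent)"]) and r["sc-status"] == 200:
            crawler_ok[path].add(r["c-ip"])
        elif SEARCH_REFERER.match(r["cs(Referer)"]) and 300 <= r["sc-status"] < 400:
            human_redirect[path].add(r["c-ip"])
    return sorted((p, sorted(human_redirect[p])) for p in crawler_ok if p in human_redirect)


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    for hit in find_tollbooth_paths(recs):
        print("management path:", hit)
    for path, ips in find_cloaking(recs):
        print("cloaking suspected on", path, "redirected visitors:", ips)
```

Direct visitors (no search referer) are deliberately not counted as evidence either way, because the module keys its decision on the Referer as well as the User-Agent; a redirect seen only for search-referred humans is the signal. The module's configuration fetch from c.cseo99[.]com is outbound traffic and will not appear in IIS logs; look for it in proxy or DNS telemetry instead.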
The analysis identified more than 570 infected IIS servers worldwide, excluding systems within China, suggesting intentional geofencing. TAMUS Cybersecurity and Validin’s scanning revealed recurring reinfections on servers that failed to regenerate unique machine keys after cleanup.
Researchers warn that organizations running IIS must replace any default, sample or published machine keys with unique, locally generated ones (and rotate them again after any cleanup, since a cleaned server with the same key is simply reinfected), review ViewState configuration, and enforce endpoint protections such as Elastic Defend to block rootkits and hidden modules before attackers monetize compromised web servers.
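The remediation above, and the weakness described at the start of the article, come down to what is in the `<machineKey>` element of web.config. The following is an added example (not code from the article, the researchers or Microsoft) that audits a web.config for static or published keys, legacy validation algorithms and a disabled ViewState MAC, and emits a fresh element with randomly generated keys. Both web.config fragments are constructed for illustration; the set of published keys is supplied by the operator (the example passes none by default).

```python
"""Audit an ASP.NET web.config <machineKey> and generate a replacement.

Added example; not code from the article. The two configurations below are
constructed: WEAK_WEB_CONFIG shows the pattern the article warns about,
HARDENED_WEB_CONFIG the per-application auto-generated alternative.
"""
import secrets
import xml.etree.ElementTree as ET

WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}
WEAK_DECRYPTION = {"DES", "3DES"}


def audit_machine_key(web_config_xml, published_keys=frozenset()):
    """Return a list of findings; an empty list means nothing was flagged.

    published_keys: hex strings known to be public (e.g. copied from forums or
    sample projects). A static key that is not in that set is still flagged,
    because it may have been copied between hosts or leaked elsewhere.
    """
    root = ET.fromstring(web_config_xml)
    published = {k.upper() for k in published_keys}
    findings = []
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        findings.append("no <machineKey>: keys inherit from machine.config; verify it is AutoGenerate")
    else:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if value.upper() in published:
                findings.append(f"{attr} matches a published key: rotate immediately")
            elif not value.startswith("AutoGenerate"):
                findings.append(f"{attr} is static: acceptable only if generated locally and never published")
            elif "IsolateApps" not in value:
                findings.append(f"{attr} is auto-generated but shared by every application on the host")
        # Absent attributes default by framework version; 4.5+ defaults to HMACSHA256/AES.
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
            findings.append(f"validation={mk.get('validation')}: use HMACSHA256 or stronger")
        if mk.get("decryption", "AES").upper() in WEAK_DECRYPTION:
            findings.append(f"decryption={mk.get('decryption')}: use AES")
    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is accepted without any MAC check")
    return findings


def generate_machine_key_element():
    """Fresh random keys: 64-byte validation key (HMACSHA256), 32-byte AES key.

    Returns (validation_key, decryption_key, xml_element). Use static keys like
    these only when a web farm must share them; single hosts can keep AutoGenerate.
    """
    validation_key = secrets.token_hex(64).upper()
    decryption_key = secrets.token_hex(32).upper()
    element = (f'<machineKey validationKey="{validation_key}" '
               f'decryptionKey="{decryption_key}" '
               f'validation="HMACSHA256" decryption="AES" />')
    return validation_key, decryption_key, element


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_machine_key(cfg) or ["ok"])
    print(generate_machine_key_element()[2])
```

Run the audit against every web.config and machine.config on the server, not just the application root, since a `<machineKey>` set higher in the hierarchy is inherited. Rotating the keys invalidates existing ViewState and forms-authentication cookies, so schedule the change and expect users to re-authenticate.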
The post ASP.NET Machine Key Exploit Lets Hackers Compromise IIS, Load Malicious Modules appeared first on Cyber Security News.