Cybersecurity Threat Report: BadIIS Malware and SEO Manipulation Campaigns

Threat Actors Target IIS Servers in Asia with BadIIS Malware

Threat actors have been observed targeting Internet Information Services (IIS) servers in Asia as part of a search engine optimization (SEO) manipulation campaign designed to install BadIIS malware.

Financial Motivation Behind the Campaign

"It is likely that the campaign is financially motivated since redirecting users to illegal gambling websites shows that attackers deploy BadIIS for profit," Trend Micro researchers Ted Lee and Lenart Bermejo said in an analysis published last week.

Targets of the Campaign

Targets of the campaign include IIS servers located in India, Thailand, Vietnam, Philippines, Singapore, Taiwan, South Korea, Japan, and Brazil. These servers are associated with government, universities, technology companies, and telecommunications sectors.

How the Campaign Works

Requests to the compromised servers can then be served altered content from attackers, ranging from redirections to gambling sites to connecting to rogue servers that host malware or credential harvesting pages.

DragonRank and Group 9 Linked to the Campaign

It’s suspected that the activity is the work of a Chinese-speaking threat group known as DragonRank, which was documented by Cisco Talos last year as delivering the BadIIS malware via SEO manipulation schemes.

Group 9 Leveraging Compromised IIS Servers for Proxy Services and SEO Fraud

The DragonRank campaign, in turn, is said to be associated with an entity referred to as Group 9 by ESET in 2021 that leverages compromised IIS servers for proxy services and SEO fraud.

Malware Altering HTTP Response Header Information

The installed BadIIS can alter the HTTP response header information requested from the web server. It checks the ‘User-Agent’ and ‘Referer’ fields in the received HTTP header.

Redirecting Users to Online Illegal Gambling Sites

If these fields contain specific search portal sites or keywords, BadIIS redirects the user to a page associated with an online illegal gambling site instead of a legitimate web page.

Infrastructure Laundering and Funnull CDN

The development comes as Silent Push linked the China-based Funnull content delivery network (CDN) to a practice it calls infrastructure laundering, in which threat actors rent IP addresses from mainstream hosting providers such as Amazon Web Services (AWS) and Microsoft Azure and use them to host criminal websites.

Triad Nexus Malicious Infrastructure

Funnull is said to have rented over 1,200 IPs from Amazon and nearly 200 IPs from Microsoft, all of which have since been taken down. The malicious infrastructure, dubbed Triad Nexus, has been found to fuel retail phishing schemes, romance baiting scams, and money laundering operations via fake gambling sites.

Continuous IP Acquisition

"But new IPs are continually being acquired every few weeks," the company said. "FUNNULL is likely using fraudulent or stolen accounts to acquire these IPs to map to their CNAMEs."