A new SEO poisoning campaign, dubbed Operation Rewrite by Palo Alto Networks’ Unit 42, is employing a malicious IIS module called BadIIS to manipulate search engine results. This attack, likely orchestrated by a Chinese-speaking actor, is primarily targeting East and Southeast Asia, with a specific focus on Vietnam. The attackers’ goal is to redirect unsuspecting victims from legitimate, compromised websites to unwanted sites for financial gain. The threat actor, tracked as CL-UNK-1037, shares infrastructure and architectural ties with the Group 9 and DragonRank threat clusters.
This attack works by leveraging a key feature of BadIIS: its ability to intercept and modify incoming HTTP web traffic on compromised servers. The malware injects keywords and phrases from its command-and-control server into legitimate websites that already have a good domain reputation. This trick makes search engines, which index the manipulated content, believe the victim site is highly relevant to those keywords. The attackers use this technique to ensure that when a victim searches for those keywords, the poisoned, legitimate site appears as a top result, setting the stage for the next phase of the attack.
Once a user clicks on the compromised site, the malware then redirects them to a scam site, which is often for gambling or pornography. The BadIIS module is designed to identify search engine crawlers by checking the User-Agent header in HTTP requests. This allows it to serve the poisoned content specifically to the crawlers, ensuring the manipulation is indexed without alerting the site’s administrators or regular users. The entire process acts like a two-step trap: first, the attackers “build the lure” by manipulating the search engine results, and then they “spring the trap” by redirecting the victim to a malicious destination.
In addition to BadIIS, the attackers have been observed using other tools, including a lightweight ASP.NET handler, a managed .NET IIS module, and an all-in-one PHP script. These tools serve the same purpose: proxying malicious content from remote servers to poison search results and control the flow of traffic. In some cases, the attackers have even used their access to a compromised server to move laterally, create new user accounts, and install web shells for persistent access, data exfiltration, and further malware deployment. This sophisticated approach highlights the group’s determination to exploit compromised servers for their fraudulent activities.
Unit 42 assesses with high confidence that the threat actor is Chinese-speaking, based on direct linguistic evidence and the infrastructure and architectural links between this group and the Group 9 cluster. The disclosure of Operation Rewrite comes shortly after ESET detailed a similar but separate threat cluster, GhostRedirector, which also uses a malicious IIS module to facilitate SEO fraud on compromised Windows servers in Brazil, Thailand, and and Vietnam. These similar campaigns underscore a growing trend of threat actors using SEO poisoning as a powerful tool to generate illicit revenue.
Reference:
