Threat actors have recently targeted Internet Information Services (IIS) servers across Asia in a campaign that manipulates search engine optimization (SEO) to deploy the BadIIS malware. The campaign, which affects countries such as India, Thailand, Vietnam, Japan, and others, primarily targets IIS servers in sectors like government, technology companies, and telecommunications. The attackers aim to exploit the compromised servers for financial gain, redirecting users to illegal gambling sites through malicious content injected into legitimate websites. Researchers believe the attack is motivated by profit, as it involves redirecting visitors to these fraudulent gambling platforms.
The BadIIS malware alters HTTP response headers on compromised servers by checking specific fields in the HTTP request, such as the “User-Agent” and “Referer” fields. If certain keywords or search portals are detected, BadIIS redirects users to fraudulent gambling sites instead of legitimate web pages. This manipulation allows attackers to exploit users’ trust in legitimate websites, capturing sensitive information or enticing them to engage with malicious sites. Trend Micro researchers have identified this behavior as part of a broader SEO fraud tactic, which has been linked to the Chinese-speaking DragonRank group.
DragonRank, identified in previous reports, is believed to be responsible for this SEO manipulation campaign. This group has been associated with an entity known as Group 9, which utilizes compromised IIS servers for proxy services and SEO fraud. The malware artifacts detected in this recent campaign share similarities with those previously used by another Chinese-speaking group, Group 11. These connections suggest a coordinated effort between different threat groups to exploit SEO vulnerabilities and inject malicious content into legitimate web traffic, contributing to larger-scale fraud operations.
Furthermore, the campaign is part of a wider issue of infrastructure laundering, where malicious actors use legitimate infrastructure to host their criminal activities. The China-based Funnull content delivery network (CDN) has been identified as a key player in this practice, renting IP addresses from trusted providers such as Amazon Web Services (AWS) and Microsoft Azure to host criminal websites. These rented IP addresses have been used for a variety of scams, including phishing, romance scams, and money laundering. Despite efforts to shut down these malicious IPs, the attackers continue to acquire new ones, posing an ongoing threat to online security.
