Threat actors target IIS servers in Asia to spread BadIIS malware

Trend Micro researchers have uncovered a new malicious campaign targeting Internet Information Services (IIS) servers across multiple Asian countries. The attackers, believed to be financially motivated, appear to be manipulating search engine optimization (SEO) tactics to deploy the BadIIS malware.

The malicious campaign, which targets IIS servers in countries including India, Thailand, Vietnam, the Philippines, Singapore, Taiwan, South Korea, Japan, and Brazil, has been linked to a range of illicit activities. These activities include redirecting users to illegal gambling websites and potentially connecting them to rogue servers that either spread malware or harvest user credentials.

The targets of the attack include a wide array of sectors, including government agencies, universities, technology companies, and telecommunications firms. Compromised IIS servers are used to alter the content served to legitimate visitors, often redirecting them to malicious sites or triggering unauthorized connections to external servers.

The researchers believe that a Chinese-speaking threat group known as DragonRank is responsible for the observed campaign, based on several findings.

Last year, Cisco Talos documented the group for its use of SEO manipulation tactics to spread the BadIIS malware. This malware variant, which alters the HTTP response headers of web servers, targets users by manipulating the "User-Agent" and "Referer" fields in the received HTTP headers. When these fields contain specific search terms or portal sites, the malware redirects the affected user to a rogue online gambling site.

DragonRank is also believed to have ties to an entity known as Group 9, a cybercrime group detailed by ESET in 2021. Group 9 uses compromised IIS servers for proxy services and engages in SEO fraud schemes.

However, Trend Micro researchers found that the malware artifacts observed in this latest campaign show similarities with a variant previously attributed to Group 11, another threat group known for injecting malicious JavaScript code and conducting SEO fraud.

The BadIIS malware not only manipulates search engine results but also injects suspicious code into legitimate web responses, potentially making it harder for organizations to detect the malicious activity.
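As an added example (not code from Trend Micro or from the malware itself), the following check lets a site owner test their own server for the header-keyed cloaking the article describes: the same URL is fetched under a plain-browser profile and under "arrived from a search engine" profiles, and any off-site redirect or altered response body that appears only for the search profiles is flagged. The `fetch` callable, the search-engine header strings and the constructed compromised-server stand-in are assumptions so that it runs offline.

```python
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

UA = "Mozilla/5.0 (Windows NT 10.0; rv:120.0) Gecko/20100101 Firefox/120.0"
# Request profiles: a plain visit versus visitors that look like they came from a
# search engine (assumed header values; extend with the engines your users use).
PROFILES: Dict[str, Dict[str, str]] = {
    "direct": {"User-Agent": UA},
    "from_search": {"User-Agent": UA, "Referer": "https://www.google.com/search?q=site"},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"},
}

Response = Tuple[int, Dict[str, str], bytes]          # (status, headers, body)
Fetcher = Callable[[str, Dict[str, str]], Response]   # in practice a urllib wrapper


def external_redirect(url: str, resp: Response) -> Optional[str]:
    """Return the Location target if `resp` redirects to a different host, else None."""
    status, headers, _ = resp
    loc = headers.get("Location", "")
    if status in (301, 302, 303, 307, 308) and loc:
        if urlsplit(loc).hostname and urlsplit(loc).hostname != urlsplit(url).hostname:
            return loc
    return None


def probe_cloaking(url: str, fetch: Fetcher) -> Dict[str, str]:
    """Fetch `url` under every profile; report profiles whose response diverges from 'direct'."""
    baseline = fetch(url, PROFILES["direct"])
    base_target = external_redirect(url, baseline)
    findings: Dict[str, str] = {}
    for name, headers in PROFILES.items():
        if name == "direct":
            continue
        resp = fetch(url, headers)
        target = external_redirect(url, resp)
        if target and target != base_target:
            findings[name] = f"off-site redirect to {target}"
        elif resp[0] == baseline[0] and resp[2] != baseline[2]:
            findings[name] = "response body differs from direct visit"  # injected content
    return findings


def fake_compromised_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in for a server showing the described behaviour (not BadIIS code)."""
    from_search = "google.com/search" in headers.get("Referer", "")
    is_crawler = "Googlebot" in headers.get("User-Agent", "")
    if from_search or is_crawler:
        return 302, {"Location": "https://gambling.example/landing"}, b""
    return 200, {"Content-Type": "text/html"}, b"<html>legitimate page</html>"
```

Run `probe_cloaking` against your own URLs with a real fetcher; an empty result means every profile saw the same response as a direct visit.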

“IIS is one of the services widely adopted by many organizations, and its misuse can lead to serious consequences. Attackers can exploit IIS vulnerabilities to serve malicious content to legitimate visitors of compromised websites. During recent campaigns, new variants were primarily used to deliver content related to online gambling. This approach can be easily adapted for mass malware distribution and watering hole attacks that target specific groups,” the researchers noted.

10 February 2025