Hackers are attempting to exploit Internet Information Services (IIS) servers across Asia as part of an SEO poisoning campaign that deploys the BadIIS malware.
Reports suggest the campaign is financially motivated: the operators redirect visitors to illegal gambling websites, showing that BadIIS is being used for profit.
Some confirmed targeted Asian countries of this operation include the Philippines, Taiwan, Japan, South Korea, Singapore, Vietnam, Thailand, and India. Currently, Brazil is the only non-Asian country reportedly targeted by the campaign.
Attackers allegedly serve altered content in response to requests made to the compromised servers. That content may include redirects to gambling sites, or connections to rogue servers hosting malware or credential-harvesting pages.
Researchers suspect that DragonRank, a Chinese-speaking threat group, is the operator behind this BadIIS campaign.
DragonRank has been linked to Group 9, which uses compromised IIS servers for proxy services and SEO fraud. However, separate research found malware artefacts comparable to those employed by Group 11.
Group 11 relies on two mechanisms: executing SEO fraud, and injecting suspicious JavaScript code into the responses returned to legitimate visitor requests.
The researchers further noted that, once installed, BadIIS can modify the HTTP responses the web server returns. It inspects the User-Agent and Referer headers of each incoming request.
If either field matches specific search portals or phrases, BadIIS redirects the visitor to a page affiliated with an illegal online gambling site instead of serving the legitimate page.
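Because the module keys on the User-Agent and Referer of the request, a compromised server answers a search-engine crawler (or a visitor arriving from a search portal) differently from an ordinary browser. The script below is an added example, not code from the article or from the researchers it cites: it requests the same page under several header profiles and flags status changes, redirects, and script tags that appear only in the crawler-facing response. The crawler names, the `.invalid` domains and the sample responses are constructed for illustration; `fetch()` performs a live probe and is not exercised by the offline sample.

```python
"""Cloaking check for a suspected BadIIS-style IIS compromise (added example)."""
import re
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Header profiles to compare against a plain-browser baseline.
# Assumed list: extend it with the search engines relevant to your region.
PROBES = {
    "browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "baiduspider": {"User-Agent": "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"},
    "from_google": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
                    "Referer": "https://www.google.com/search?q=example"},
}

_SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)', re.I)


@dataclass
class Probe:
    name: str
    status: int
    headers: dict
    body: str


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the redirect itself is observable."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError for the 3xx, handled below


def fetch(name: str, url: str, headers: dict) -> Probe:
    """Live probe: fetch url with the given headers, without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as r:
            return Probe(name, r.status, dict(r.headers), r.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Probe(name, e.code, dict(e.headers), e.read(65536).decode("utf-8", "replace"))


def _hdr(headers: dict, name: str):
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def compare(baseline: Probe, probe: Probe) -> list:
    """Return human-readable differences that indicate UA/Referer-based cloaking."""
    findings = []
    if probe.status != baseline.status:
        findings.append(f"status {baseline.status} -> {probe.status}")
    loc = _hdr(probe.headers, "Location")
    if loc and not _hdr(baseline.headers, "Location"):
        findings.append(f"redirect to {urllib.parse.urlsplit(loc).netloc}")
    # Script sources present only in the crawler-facing page are the classic
    # SEO-fraud injection pattern.
    new_scripts = set(_SCRIPT_SRC.findall(probe.body)) - set(_SCRIPT_SRC.findall(baseline.body))
    for src in sorted(new_scripts):
        findings.append(f"injected script {src}")
    return findings


def assess(probes: list) -> dict:
    """Map each non-browser probe name to its findings versus the browser baseline."""
    by_name = {p.name: p for p in probes}
    baseline = by_name["browser"]
    return {p.name: compare(baseline, p) for p in probes if p.name != "browser"}


def is_cloaked(probes: list) -> bool:
    return any(assess(probes).values())


def probe_site(url: str) -> dict:
    """Run all PROBES against a live URL and assess the results."""
    return assess([fetch(name, url, hdrs) for name, hdrs in PROBES.items()])


# Constructed sample: what a compromised server might return to each profile.
CLEAN_PAGE = "<html><head><title>Corp</title></head><body>Welcome</body></html>"
SAMPLE = [
    Probe("browser", 200, {"Content-Type": "text/html"}, CLEAN_PAGE),
    Probe("googlebot", 302, {"Location": "http://example-casino.invalid/landing"}, ""),
    Probe("from_google", 200, {"Content-Type": "text/html"},
          CLEAN_PAGE.replace("</head>", '<script src="http://example-casino.invalid/j.js"></script></head>')),
]

if __name__ == "__main__":
    for name, findings in assess(SAMPLE).items():
        print(name, "->", findings or "no difference")
```

Run `probe_site("https://your-iis-host/")` from a network position that does not pass through a CDN or WAF that normalises headers, since that would mask the difference. A clean server should produce an empty finding list for every profile; any redirect to an unfamiliar host or a script source that only crawlers see is worth pulling the IIS module list and the site's `web.config` for review.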
The new campaign came to light after China's Funnull content delivery network (CDN) was connected to infrastructure laundering, a practice in which threat actors rent IP addresses from mainstream hosting providers such as AWS and Microsoft Azure and use them to host criminal websites.
Funnull is reported to have rented at least 1,200 IP addresses from Amazon and nearly 200 from Microsoft, all of which have since been taken down.
Users in the Asian countries listed above should avoid clicking links on unfamiliar websites, especially those offering online gambling, as threat actors have recently used such baits to deploy malware.
