A sophisticated cyber campaign has been identified, leveraging vulnerabilities in Microsoft Internet Information Services (IIS) servers to deploy the BadIIS malware, a tool used for search engine optimization (SEO) fraud and malicious content injection.
The campaign, attributed to a Chinese-speaking threat actor group, has primarily targeted regions in Asia, including India, Thailand, and Vietnam, but its impact has extended globally.
A Multi-Faceted Threat to IIS Servers
The BadIIS malware operates by exploiting unpatched IIS servers and taking control of how the server handles requests and responses.
Once installed, the malware enables attackers to alter HTTP responses and redirect visitors to malicious websites or illegal gambling platforms.
It also serves as a proxy infrastructure for cybercriminals, anonymizing their operations and facilitating further attacks.
BadIIS employs two primary modes of operation:
- SEO Fraud Mode: The malware intercepts HTTP headers, analyzing fields like “User-Agent” and “Referer” for specific keywords associated with search engines. If these conditions are met, users are redirected to fraudulent websites instead of legitimate ones. This tactic is designed to manipulate search engine algorithms and boost the visibility of malicious sites.
- Injector Mode: In this mode, BadIIS injects obfuscated JavaScript into legitimate HTTP responses. This code redirects unsuspecting users to attacker-controlled domains hosting phishing schemes or additional malware.
Victimology
According to Trend Micro, the campaign has compromised over 35 IIS servers across industries such as healthcare, IT services, manufacturing, and media.
Notable targets include government institutions and corporate networks in countries like South Korea, Japan, Brazil, and Belgium.
The attackers have utilized web shells like ASPXspy to gain initial access and deployed tools such as Mimikatz for credential harvesting and PlugX for lateral movement within networks.
Evidence suggests that the attackers are a Simplified Chinese-speaking group operating under the codename “DragonRank.”
They have demonstrated a high level of technical sophistication by exploiting vulnerabilities in popular web applications like WordPress and phpMyAdmin.
To counteract threats posed by BadIIS and similar malware, organizations using IIS servers should adopt robust security measures:
- Regular Patching: Ensure all software is updated with the latest security patches to address known vulnerabilities.
- Access Control: Restrict administrative access to IIS servers using strong passwords and multi-factor authentication (MFA).
- Traffic Monitoring: Employ firewalls and intrusion detection systems to monitor network traffic for anomalies.
- Log Analysis: Continuously review IIS server logs for unusual activity or unauthorized module installations.
- Secure Configurations: Disable unnecessary services on IIS servers to minimize the attack surface.
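The SEO fraud mode described above is detectable from the server's own access logs: a URI that answers search-engine crawlers (or visitors arriving from a search results page) with a redirect while serving ordinary browsers a normal page is a cloaking indicator. The script below is an added example, not code from the article or from Trend Micro; it parses IIS W3C log lines (the log sample is constructed, and the search-engine keyword list is an assumption) and reports URIs showing that pattern.

```python
"""Flag search-engine cloaking in IIS W3C access logs (a BadIIS SEO-fraud indicator)."""
import re
from collections import defaultdict

# Constructed sample log in IIS W3C format; not taken from a real server.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-01-10 08:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 - 200
2025-01-10 08:00:07 10.0.0.5 GET /index.html - 443 - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1) - 302
2025-01-10 08:01:12 10.0.0.5 GET /index.html - 443 - 203.0.113.11 Mozilla/5.0+(Windows+NT+10.0)+Firefox/121 https://www.google.com/search?q=site 302
2025-01-10 08:02:30 10.0.0.5 GET /about.html - 443 - 203.0.113.12 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 - 200
2025-01-10 08:02:45 10.0.0.5 GET /about.html - 443 - 66.249.66.2 Mozilla/5.0+(compatible;+Googlebot/2.1) - 200
"""

# Assumed keyword list for crawler User-Agents and search-engine Referers; extend as needed.
SEARCH_ENGINE = re.compile(
    r"googlebot|bingbot|baiduspider|yandex|duckduckbot|google\.|bing\.|baidu\.", re.I)

def parse_w3c(text):
    """Yield one dict per request line, using the #Fields: directive for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def is_search_traffic(row):
    """True when the User-Agent or Referer looks like a search engine crawler or referral."""
    return bool(SEARCH_ENGINE.search(row.get("cs(User-Agent)", ""))
                or SEARCH_ENGINE.search(row.get("cs(Referer)", "")))

def find_cloaking(text):
    """Return URIs where search traffic only ever gets 3xx while other visitors get 2xx."""
    classes = defaultdict(lambda: {"search": set(), "other": set()})
    for row in parse_w3c(text):
        bucket = "search" if is_search_traffic(row) else "other"
        classes[row["cs-uri-stem"]][bucket].add(row["sc-status"][0])  # keep status class only
    return sorted(uri for uri, s in classes.items()
                  if "3" in s["search"] and "2" in s["other"] and "3" not in s["other"])

if __name__ == "__main__":
    for uri in find_cloaking(SAMPLE_LOG):
        print("possible cloaking on", uri)  # prints /index.html for the sample
```

Run it against a real log directory by feeding each file's contents to find_cloaking(); a hit warrants inspecting the server's installed native modules and the HTTP response body served to crawler User-Agents.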
The exploitation of IIS servers underscores the critical need for proactive cybersecurity measures.
Organizations must remain vigilant against evolving threats like BadIIS to safeguard their infrastructure from potential compromise.