2025-02-10
Cyber threat actors have been actively targeting Internet Information Services (IIS) servers across Asia in a new SEO manipulation campaign designed to install BadIIS malware. The campaign, identified by Trend Micro researchers, shows how malicious actors are exploiting SEO tactics for financial gain, redirecting legitimate users to illicit websites, including illegal gambling platforms. This emerging threat is affecting IIS servers in various sectors, including government, universities, and telecommunications, across several countries. Let’s take a deeper dive into how this attack operates and its broader implications.
Summary:
The BadIIS malware campaign is being deployed across IIS servers in countries like India, Thailand, Vietnam, Philippines, Singapore, Taiwan, South Korea, Japan, and Brazil. It seems to be financially motivated, as it redirects web traffic to illegal gambling sites. The attackers are manipulating search engine optimization (SEO) techniques to alter the content served to users, introducing redirections to malicious websites or connecting them to servers that host malware or steal credentials.
As the campaign unfolds, researchers have also identified an infrastructure laundering operation by the China-based Funnull content delivery network (CDN). Funnull rents IP addresses from trusted cloud providers, such as Amazon Web Services (AWS) and Microsoft Azure, to host criminal websites. This practice enables the group to maintain a steady stream of malicious activity, despite efforts by hosting providers to take down these IPs.
What Undercode Says:
The BadIIS malware campaign is a clear indication of the evolving sophistication of cyberattacks leveraging SEO manipulation for malicious purposes. What’s particularly noteworthy is the increasing shift toward financially motivated cybercrime, where attackers exploit popular platforms for monetary gain. By redirecting users to illegal gambling websites, threat actors are capitalizing on high traffic, even at the expense of exploiting legitimate infrastructure like IIS servers.
A notable aspect of this attack is the seamless integration of malware into seemingly legitimate web services. By manipulating SEO, attackers not only gain access to these web servers but also control how content is delivered to end-users. This technique opens the door for more targeted attacks, such as credential harvesting or malware delivery, through the altered web traffic.
The use of the BadIIS malware is a prime example of a growing trend in cybercrime—redirecting users to exploitative websites for financial benefits. The technique of modifying HTTP headers to target specific users based on the ‘User-Agent’ and ‘Referer’ fields represents a sophisticated method of identifying and targeting potential victims. The malware’s ability to serve different content to different users depending on these header fields is a concerning development.
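One defender-side check that follows from the behaviour described above, written for this post rather than taken from Trend Micro or the original article: parse IIS W3C logs and flag URL paths whose response status for crawler user agents or search-engine-referred visitors never overlaps with the status served to ordinary visitors, which is the signature of header-dependent cloaking. The log lines, IP addresses and the column set in the `#Fields` directive are constructed for the example.

```python
"""Detect header-dependent cloaking in IIS W3C extended logs (constructed sample data)."""
import re
from collections import defaultdict

# Request classes the page describes: search crawlers (User-Agent) and search-referred users (Referer).
CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider|yandex", re.I)
SEARCH_REF = re.compile(r"https?://(www\.)?(google|bing|baidu|yahoo)\.", re.I)

# Constructed sample log; IIS writes spaces inside field values as '+', so whitespace splitting is safe.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) cs(Referer) sc-status
2025-02-10 08:00:01 GET /news.aspx 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-02-10 08:00:07 GET /news.aspx 198.51.100.9 Mozilla/5.0+(compatible;+Googlebot/2.1) - 302
2025-02-10 08:01:12 GET /news.aspx 203.0.113.8 Mozilla/5.0+(Macintosh) https://www.google.com/ 302
2025-02-10 08:02:03 GET /about.aspx 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-02-10 08:02:44 GET /about.aspx 198.51.100.9 Mozilla/5.0+(compatible;+bingbot/2.0) - 200
"""

def parse_iis_log(text):
    """Yield one dict per request, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def is_search_class(row):
    """True for crawler user agents or visitors arriving from a search engine result page."""
    return bool(CRAWLER_UA.search(row.get("cs(User-Agent)", "")) or
                SEARCH_REF.search(row.get("cs(Referer)", "")))

def find_cloaked_paths(text):
    """Return paths where search-class requests get a status set disjoint from other visitors'."""
    by_path = defaultdict(lambda: {"search": set(), "other": set()})
    for row in parse_iis_log(text):
        key = "search" if is_search_class(row) else "other"
        by_path[row["cs-uri-stem"]][key].add(row["sc-status"])
    return sorted(path for path, seen in by_path.items()
                  if seen["search"] and seen["other"]
                  and seen["search"].isdisjoint(seen["other"]))

if __name__ == "__main__":
    print(find_cloaked_paths(SAMPLE_LOG))  # → ['/news.aspx']
```

On a real server, feed the function the files under the IIS log directory and treat any flagged path as a candidate for comparing the module list and on-disk content against a known-good baseline.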
Moreover, this campaign underscores the shifting nature of cybercriminal operations. While traditional attacks focused on large-scale breaches or direct exploitation of systems, we now see a more refined approach where threat actors use compromised infrastructure for SEO manipulation. This allows them to remain under the radar longer, especially since they are utilizing trusted hosting services, such as AWS and Azure, to carry out their attacks. This stealthy method, known as infrastructure laundering, is particularly challenging for law enforcement and security researchers to track and combat.
The connection to Funnull and its use of rented IPs for malicious purposes further demonstrates the evolving nature of cybercrime. By relying on the infrastructure of trusted cloud providers, Funnull and similar groups can continue to evade detection, making it difficult to trace the origins of the attacks. The sheer scale of IP rentals—over 1,400 IPs from AWS and Microsoft—illustrates the vastness of the operation and its capacity to launch large-scale attacks.
As these types of attacks become more common, organizations must reevaluate their security strategies. It is no longer enough to rely on traditional defenses, as attackers are continuously refining their techniques to exploit even the most trusted services. The use of SEO manipulation to spread malware not only highlights the need for better detection of malicious content but also reinforces the importance of monitoring infrastructure integrity and user traffic in real time.
Given the interconnected nature of modern web services, addressing this issue requires a multi-layered approach, combining efforts from cloud providers, website administrators, and security researchers to identify and neutralize such threats early on. The global scale of this attack, targeting IIS servers across multiple countries, reinforces the need for international cooperation and collaboration in tackling cyber threats.
References:
Reported By: https://thehackernews.com/2025/02/dragonrank-exploits-iis-servers-with.html