Cybersecurity researchers are calling attention to a search engine optimization (SEO) poisoning campaign likely undertaken by a Chinese-speaking threat actor using a malware called BadIIS in attacks targeting East and Southeast Asia, particularly with a focus on Vietnam.
The activity, dubbed Operation Rewrite, is being tracked by Palo Alto Networks Unit 42 under the moniker CL-UNK-1037, where “CL” stands for cluster and “UNK” refers to unknown motivation. The threat actor has been found to share infrastructure and architectural overlaps with an entity referred to as Group 9 by ESET and DragonRank.
“To perform SEO poisoning, attackers manipulate search engine results to trick people into visiting unexpected or unwanted websites (e.g., gambling and porn websites) for financial gain,” security researcher Yoav Zemah said. “This attack used a malicious native Internet Information Services (IIS) module called BadIIS.”
BadIIS is designed to intercept and modify incoming HTTP web traffic with the end goal of serving malicious content to site visitors using legitimate compromised servers. In other words, the idea is to manipulate search engine results to direct traffic to a destination of their choosing by injecting keywords and phrases into legitimate websites carrying a good domain reputation.
The IIS module is equipped to flag visitors originating from search engine crawlers by inspecting the User-Agent header in the HTTP request, allowing it to contact an external server to fetch the poisoned content to alter the SEO and cause the search engine to index the victim site as a relevant result for the terms found in the command-and-control (C2) server response.
Once the sites have been poisoned in this manner, all it takes to complete the scheme is ensnaring victims who search for those terms in a search engine and end up clicking on the legitimate-but-compromised site, ultimately redirecting them to a scam site instead.
In at least one incident investigated by Unit 42, the attackers are said to have leveraged their access to a search engine crawler to pivot to other systems, create new local user accounts, and drop web shells for establishing persistent remote access, exfiltrating source code, and uploading BadIIS implants.
“The mechanism first builds a lure and then springs the trap,” Unit 42 said. “The lure is built by attackers feeding manipulated content to search engine crawlers. This makes the compromised website rank for additional terms to which it would otherwise have no connection. The compromised web server then acts as a reverse proxy — an intermediary server getting content from other servers and presenting it as its own.”
Some of the other tools deployed by the threat actors in their attacks include three different variants of BadIIS modules –
- A lightweight ASP.NET page handler that achieves the same goal of SEO poisoning by proxying malicious content from a remote C2 server
- A managed .NET IIS module that can inspect and modify every request that passes through the application to inject spam links and keywords from a different C2 server, and
- An all-in-one PHP script that combines user redirection and dynamic SEO poisoning
“The threat actor tailored all the implants to the goal of manipulating search engine results and controlling the flow of traffic,” Unit 42 said. “We assess with high confidence that a Chinese-speaking actor is operating this activity, based on direct linguistic evidence, as well as infrastructure and architecture links between this actor and the Group 9 cluster.”
The disclosure comes weeks after ESET detailed a previously undocumented threat cluster dubbed GhostRedirector that has managed to compromise at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam with a malicious IIS module codenamed Gamshen to facilitate SEO fraud.
