DragonRank Exploits IIS Servers with BadIIS Malware for SEO Fraud and Gambling Redirects

By The Hacker News
February 10, 2025


Feb 10, 2025Ravie LakshmananMalware / Web Security

Threat actors have been observed targeting Internet Information Services (IIS) servers in Asia as part of a search engine optimization (SEO) manipulation campaign designed to install BadIIS malware.

“It is likely that the campaign is financially motivated since redirecting users to illegal gambling websites shows that attackers deploy BadIIS for profit,” Trend Micro researchers Ted Lee and Lenart Bermejo said in an analysis published last week.

Targets of the campaign include IIS servers located in India, Thailand, Vietnam, the Philippines, Singapore, Taiwan, South Korea, Japan, and Brazil. These servers belong to organizations in the government, university, technology, and telecommunications sectors.


Requests to the compromised servers can then be answered with attacker-controlled content, ranging from redirects to gambling sites to connections to rogue servers that host malware or credential-harvesting pages.

It’s suspected that the activity is the work of a Chinese-speaking threat group known as DragonRank, which was documented by Cisco Talos last year as delivering the BadIIS malware via SEO manipulation schemes.

The DragonRank campaign, in turn, is said to be associated with an entity referred to as Group 9 by ESET in 2021 that leverages compromised IIS servers for proxy services and SEO fraud.

SEO Fraud and Gambling Redirects

Trend Micro, however, noted that the detected malware artifacts share similarities with a variant used by Group 11, featuring two different modes for conducting SEO fraud and injecting suspicious JavaScript code into responses for requests from legitimate visitors.

“The installed BadIIS can alter the HTTP response header information requested from the web server,” the researchers said. “It checks the ‘User-Agent’ and ‘Referer’ fields in the received HTTP header.”

“If these fields contain specific search portal sites or keywords, BadIIS redirects the user to a page associated with an online illegal gambling site instead of a legitimate web page.”
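A defender-side check for the cloaking behaviour just described, added here as an example and not part of the Trend Micro analysis or this article: it requests the same URL once with a plain browser profile and once with search-engine-looking User-Agent and Referer values, then flags any redirect or injected script host that appears only for the search-engine profiles. The server stand-ins, hostnames and header strings are constructed placeholders.

```python
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# A response is (status, headers, body); fetch is caller-supplied, so the same check also works against a live server.
Response = Tuple[int, Dict[str, str], str]

# Request profiles: a plain browser visit versus visits that look like they came via a search
# engine. The behaviour described above keys on exactly these two header fields.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/128.0"
BASELINE = {"User-Agent": BROWSER_UA, "Referer": ""}
SEARCH_PROFILES = {
    "crawler-ua": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)", "Referer": ""},
    "search-referer": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/search?q=site"},
}
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)', re.I)

def summarize(resp: Response) -> dict:
    """Reduce a response to the features that matter: status, redirect host, external script hosts."""
    status, headers, body = resp
    hosts = {urlsplit(s).netloc for s in SCRIPT_SRC.findall(body)}
    return {"status": status,
            "redirect_host": urlsplit(headers.get("Location", "")).netloc,
            "script_hosts": hosts - {""}}  # drop relative (same-origin) script paths

def detect_cloaking(url: str, fetch: Callable[[str, Dict[str, str]], Response]) -> List[str]:
    """Compare search-engine-looking requests against a baseline request; report divergences."""
    base = summarize(fetch(url, dict(BASELINE)))
    findings = []
    for name, hdrs in SEARCH_PROFILES.items():
        probe = summarize(fetch(url, dict(hdrs)))
        if 300 <= probe["status"] < 400 and probe["redirect_host"] != base["redirect_host"]:
            findings.append(f"{name}: redirected to {probe['redirect_host'] or '(relative)'}, "
                            f"baseline got HTTP {base['status']}")
        extra = probe["script_hosts"] - base["script_hosts"]
        if extra:
            findings.append(f"{name}: extra script hosts {sorted(extra)}")
    return findings

# Constructed stand-in for a compromised server (no network): serves the real page to a plain
# browser, a redirect to crawlers, and an injected script to visitors arriving from a search engine.
def simulated_compromised_server(url: str, headers: Dict[str, str]) -> Response:
    if "Googlebot" in headers.get("User-Agent", ""):
        return 302, {"Location": "https://gambling.example/landing"}, ""
    if "google.com" in headers.get("Referer", ""):
        return 200, {}, '<html><script src="https://cdn.bad.example/j.js"></script>Welcome</html>'
    return 200, {}, '<html><script src="/static/app.js"></script>Welcome</html>'

def simulated_clean_server(url: str, headers: Dict[str, str]) -> Response:
    return 200, {}, '<html><script src="/static/app.js"></script>Welcome</html>'
```

Against a real host, pass a fetch function built on urllib that disables automatic redirect following, otherwise the 3xx hop is hidden from the comparison.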


The development comes as Silent Push linked the China-based Funnull content delivery network (CDN) to a practice it calls infrastructure laundering, in which threat actors rent IP addresses from mainstream hosting providers such as Amazon Web Services (AWS) and Microsoft Azure and use them to host criminal websites.

Funnull is said to have rented over 1,200 IPs from Amazon and nearly 200 IPs from Microsoft, all of which have since been taken down. The malicious infrastructure, dubbed Triad Nexus, has been found to fuel retail phishing schemes, romance baiting scams, and money laundering operations via fake gambling sites.

“But new IPs are continually being acquired every few weeks,” the company said. “FUNNULL is likely using fraudulent or stolen accounts to acquire these IPs to map to their CNAMEs.”
