
Threat actors have been compromising Internet Information Services (IIS) servers, mostly in Asia, to manipulate search engine optimization (SEO) rankings and distribute the BadIIS malware. The campaign appears to be financially motivated: its main purpose is to redirect visitors to illegal gambling sites.
According to researchers from Trend Micro, the campaign predominantly hits IIS servers in India, Thailand, Vietnam, the Philippines, Singapore, Taiwan, South Korea, Japan, and Brazil. The compromised servers belong to government, academic, technology, and telecommunications organizations. The attackers serve altered content from these servers, including redirects to gambling websites and connections to attacker-controlled servers that host malware or phishing pages.
This ongoing campaign is attributed to a Chinese-speaking threat group known as DragonRank. Previous studies by Cisco Talos highlighted their involvement in distributing BadIIS malware through similar SEO manipulation tactics. Additionally, DragonRank has ties to a collective referred to as Group 9, noted by ESET for exploiting compromised IIS servers for proxy services and SEO fraud activities.
Trend Micro's analysis found that the malware shares features with samples attributed to another cluster, referred to as Group 11, which uses two methods of SEO fraud. The first injects suspicious JavaScript into the responses served to legitimate visitors. The second alters the HTTP response: BadIIS inspects the 'User-Agent' and 'Referer' headers of the incoming request and, when they match the operators' criteria (for example, a visitor arriving from a search engine), rewrites the response so that the visitor is redirected to a gambling site instead of receiving the legitimate page. Because the decision is made per request, a server can look clean to an administrator browsing it directly while serving the redirect to everyone who arrives through a search engine.
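The request-header cloaking described above is most easily confirmed from the outside: fetch the same URL several times with different User-Agent and Referer headers and compare the responses. The following is an added example (not Trend Micro's code or the malware's) of that comparison logic. It flags two divergences from a baseline browser fetch: a 3xx redirect that only appears for some header combinations, and external script hosts that only appear for some header combinations. The site name, the probe responses and the injected hostnames are constructed for illustration; in a real assessment the Probe objects would be filled from live fetches.

```python
"""Offline check for User-Agent / Referer based cloaking on a web server.

Added example: compares responses for one URL fetched with different request
headers. All hostnames, headers and bodies below are constructed test data.
"""
import re
from dataclasses import dataclass


@dataclass
class Probe:
    """One fetch of the target URL: the request headers sent and the reply."""
    label: str
    request_headers: dict
    status: int
    response_headers: dict
    body: str


# <script ... src="..."> in either quote style, case-insensitive
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
# host part of an absolute or protocol-relative URL; relative paths do not match
HOST = re.compile(r'^(?:https?:)?//([^/:?#]+)', re.I)


def external_script_hosts(body: str, site_host: str) -> set:
    """Hosts of <script src> tags that do not point back at the site itself."""
    hosts = set()
    for src in SCRIPT_SRC.findall(body):
        m = HOST.match(src.strip())
        if m and m.group(1).lower() != site_host.lower():
            hosts.add(m.group(1).lower())
    return hosts


def redirect_target(probe: Probe):
    """Location header of a 3xx reply, or None when the reply is not a redirect."""
    if 300 <= probe.status < 400:
        for name, value in probe.response_headers.items():
            if name.lower() == 'location':
                return value
    return None


def find_cloaking(baseline: Probe, probes, site_host: str):
    """Return (label, kind, detail) findings where a probe diverges from baseline
    in a way consistent with conditional redirection or script injection."""
    findings = []
    base_redirect = redirect_target(baseline)
    base_scripts = external_script_hosts(baseline.body, site_host)
    for p in probes:
        target = redirect_target(p)
        if target is not None and target != base_redirect:
            findings.append((p.label, 'conditional_redirect', target))
        injected = external_script_hosts(p.body, site_host) - base_scripts
        if injected:
            findings.append((p.label, 'injected_script', tuple(sorted(injected))))
    return findings


# ---- constructed sample data (not captured from any real server) ----
SITE_HOST = 'www.example-agency.test'
LEGIT_BODY = ('<html><head><script src="/static/app.js"></script></head>'
              '<body>Welcome</body></html>')
BROWSER_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0'

BASELINE = Probe('browser-direct', {'User-Agent': BROWSER_UA}, 200,
                 {'Content-Type': 'text/html'}, LEGIT_BODY)

PROBES = [
    # crawler UA: page is served, but with an extra third-party script
    Probe('crawler-ua', {'User-Agent': 'Mozilla/5.0 (compatible; Googlebot/2.1)'},
          200, {'Content-Type': 'text/html'},
          LEGIT_BODY.replace('</head>',
                             '<script src="http://seo-inject.example.test/r.js">'
                             '</script></head>')),
    # browser arriving from a search engine: redirected off-site
    Probe('search-referer', {'User-Agent': BROWSER_UA,
                             'Referer': 'https://www.google.com/search?q=agency'},
          302, {'Location': 'https://bet-landing.example.test/'}, ''),
    # browser following an internal link: identical to baseline, no finding
    Probe('internal-referer', {'User-Agent': BROWSER_UA,
                               'Referer': 'https://www.example-agency.test/about'},
          200, {'Content-Type': 'text/html'}, LEGIT_BODY),
]


def run_demo():
    return find_cloaking(BASELINE, PROBES, SITE_HOST)


if __name__ == '__main__':
    for label, kind, detail in run_demo():
        print(f'{label}: {kind} -> {detail}')
```

Probe from outside the server's own network and include both a crawler User-Agent and a search-engine Referer, since the implant can key on either header alone; a single direct browser fetch by the administrator is exactly the case the cloaking is designed to pass.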
Separately, the China-based Funnull content delivery network (CDN) has been linked to a scheme described as infrastructure laundering: threat actors rent IP addresses from reputable hosting providers such as Amazon Web Services (AWS) and Microsoft Azure and use them to front illicit websites. Funnull reportedly rented a substantial number of IPs from AWS and Microsoft; those have since been taken down, but new ones are continually acquired, often through fraudulent or stolen accounts, so blocking individual addresses has little lasting effect.
Both cases show criminals hiding behind legitimate infrastructure, whether a trusted organization's IIS server or a major cloud provider's address space, which is why defenders cannot rely on reputation alone and need to verify what their own assets are actually serving.