CyberSecurity news
Source: The Hacker News (info@thehackernews.com)
A recent surge in cyberattacks has revealed that Microsoft Internet Information Services (IIS) servers are being targeted to deploy the BadIIS malware. This malware is designed for search engine optimization (SEO) fraud and malicious content injection. The campaign has been attributed to a Chinese-speaking group known as DragonRank, and it has been observed primarily in Asia, including India, Thailand, and Vietnam, with potential impact in other regions. Over 35 IIS servers across various industries, including government, universities, technology, telecommunications, and e-commerce sectors, have been compromised.
The BadIIS malware exploits vulnerabilities in unpatched IIS servers, allowing attackers to manipulate HTTP responses. It operates in two primary modes. In SEO fraud mode, it inspects HTTP headers to identify traffic coming from search engines and redirects those visitors to fraudulent gambling sites. In injector mode, it embeds obfuscated JavaScript into HTTP responses, redirecting users to attacker-controlled domains hosting malware or phishing schemes. Trend Micro's analysis has linked the malware to Chinese-speaking threat actors through domain names and code patterns written in simplified Chinese; the actors also employ batch scripts to automate the installation of malicious IIS modules.
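One defensive check that follows from the module-installation detail above: a small audit of IIS's applicationHost.config that flags native modules registered from outside the default IIS and .NET directories. This is an added example, not code from Trend Micro or from the articles cited below; the sample configuration and its IIS_Helper entry are constructed, and the trusted-directory list assumes a default install.

```python
import xml.etree.ElementTree as ET

# Directories where IIS native modules normally live (assumption: default install;
# extend this list if third-party modules are deployed deliberately).
TRUSTED_PREFIXES = (
    "%windir%\\system32\\inetsrv\\",
    "%windir%\\microsoft.net\\",
)

def audit_global_modules(config_xml: str) -> list[dict]:
    """Return globalModules entries whose DLL path lies outside the trusted directories.

    A native module loaded from inetpub, temp or user-writable paths is the kind of
    registration a malicious IIS module leaves behind, so it merits manual review.
    """
    root = ET.fromstring(config_xml)
    findings = []
    # Iterate by tag name to avoid XPath handling of the dotted <system.webServer> tag.
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            # Normalise case and the two common spellings of the Windows directory.
            normalised = image.lower().replace("%systemroot%", "%windir%")
            if not normalised.startswith(TRUSTED_PREFIXES):
                findings.append({"name": name, "image": image})
    return findings

# Constructed sample: two stock IIS modules and one suspicious registration.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="ManagedEngineV4.0_64bit"
           image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll"
           preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="IIS_Helper" image="C:\inetpub\temp\iishelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    for finding in audit_global_modules(SAMPLE_CONFIG):
        print(f"review module {finding['name']!r} loaded from {finding['image']}")
```

On a live server the same function can be pointed at %windir%\System32\inetsrv\config\applicationHost.config, and each flagged DLL should be checked for a valid signature and a known origin.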
References:
- gbhackers.com: GBHackers article on cybercriminals targeting IIS servers with BadIIS malware.
- The Hacker News: The Hacker News article details DragonRank's exploitation of IIS servers using BadIIS malware.
- Cyber Security News: Hackers Exploiting IIS Servers to Deploy BadIIS Malware on Servers
- gbhackers.com: Cybercriminals Target IIS Servers to Spread BadIIS Malware
- Know Your Adversary: 041. BadIIS: Hunting and Detection
- ciso2ciso.com: Report describing BadIIS malware and its functionalities.
- ciso2ciso.com: Threat actors have been observed targeting Internet Information Services (IIS) servers in Asia as part of a search engine optimization (SEO) manipulation campaign designed to install BadIIS malware.
- www.trendmicro.com: TrendMicro published a report on a Chinese-speaking threat actor using BadIIS malware.
- : InfoSec reports on DragonRank exploiting IIS servers for SEO fraud and gambling redirects.
- Virus Bulletin: Trend Micro's Ted Lee & Lenart Bermejo analyse an SEO manipulation campaign targeting countries in Asia including India, Thailand & Vietnam. Threat actors exploit vulnerable IIS servers to install the BadIIS malware on the compromised servers.
Classification:
- HashTags: #IISservers #BadIIS #DragonRank
- Company: Microsoft
- Target: IIS Servers
- Attacker: DragonRank
- Product: IIS
- Feature: SEO rankings
- Malware: BadIIS
- Type: Malware
- Severity: Major