Cybercriminals Exploit IIS Servers for SEO Fraud and Malware Distribution



Introduction

Cybersecurity researchers have identified a sophisticated cybercrime campaign targeting Internet Information Services (IIS) servers across Asia. The primary objective of this campaign is search engine optimization (SEO) manipulation, utilizing a malware variant known as BadIIS. This operation is believed to be financially motivated, as it redirects users to illegal gambling websites while also facilitating other malicious activities.

Targeted Regions and Sectors

The attack campaign has primarily impacted IIS servers located in India, Thailand, Vietnam, the Philippines, Singapore, Taiwan, South Korea, Japan, and Brazil. The affected servers belong to various sectors, including government institutions, universities, technology companies, and telecommunications firms. By compromising these high-value targets, the attackers gain control over the web traffic and can manipulate server responses for illicit gains.

Mechanism of Attack and Malware Functionality

Once an IIS server is compromised, BadIIS malware is installed to alter the content served to users. This allows attackers to redirect web traffic to unauthorized destinations, including gambling websites, phishing pages, and other rogue domains hosting malware. The malware inspects the 'User-Agent' and 'Referer' fields of each incoming request and modifies the HTTP response accordingly: when the request is identified as coming from certain search engine portals or as carrying certain keywords, the user is redirected to fraudulent pages instead of the legitimate content.
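Because the redirect depends on who is asking, the server's own W3C logs record the discrepancy: the same URI returns 3xx to search-referred or crawler requests and 200 to everyone else. The script below is an added example of that detection logic and is not code from the article or from Trend Micro; it assumes IIS's default W3C field layout, a hand-picked list of search-engine referer markers and crawler User-Agent names (both assumptions, extend them for your traffic), and runs over constructed sample log lines.

```python
"""Flag IIS URIs that redirect search traffic but serve normal visitors.

Added example for detecting search-engine cloaking in IIS W3C logs.
The field layout is IIS's default W3C set; referer markers, crawler
names and the sample log lines are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed markers: adjust to the search engines that actually send you traffic.
SEARCH_REFERERS = ("google.", "bing.com", "baidu.com", "yahoo.", "naver.com", "yandex.")
CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider|yandexbot|naverbot", re.I)


@dataclass
class UriStats:
    search_total: int = 0      # requests that look like search traffic
    search_redirects: int = 0  # of those, how many got a 3xx
    other_total: int = 0       # everything else
    other_redirects: int = 0


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields: line."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()  # IIS writes '+' for spaces inside UA/referer
        if len(values) != len(fields):
            continue           # truncated or foreign line; skip rather than misalign
        yield dict(zip(fields, values))


def is_search_traffic(entry):
    """True if the referer is a search engine or the UA is a known crawler."""
    ref = entry.get("cs(Referer)", "-").lower()
    ua = entry.get("cs(User-Agent)", "-")
    return any(m in ref for m in SEARCH_REFERERS) or bool(CRAWLER_UA.search(ua))


def find_cloaked_uris(lines, min_requests=3, min_gap=0.5):
    """Return {uri: (search_redirect_rate, other_redirect_rate)} for URIs whose
    search traffic is redirected far more often than ordinary traffic."""
    stats = defaultdict(UriStats)
    for entry in parse_w3c(lines):
        try:
            status = int(entry["sc-status"])
        except (KeyError, ValueError):
            continue
        s = stats[entry["cs-uri-stem"]]
        redirected = 300 <= status < 400
        if is_search_traffic(entry):
            s.search_total += 1
            s.search_redirects += int(redirected)
        else:
            s.other_total += 1
            s.other_redirects += int(redirected)

    flagged = {}
    for uri, s in stats.items():
        # Need both populations; a URI only crawlers visit proves nothing.
        if s.search_total < min_requests or s.other_total < min_requests:
            continue
        search_rate = s.search_redirects / s.search_total
        other_rate = s.other_redirects / s.other_total
        if search_rate - other_rate >= min_gap:
            flagged[uri] = (round(search_rate, 2), round(other_rate, 2))
    return flagged


# Constructed sample: /index.aspx cloaks, /about.aspx is clean,
# /old.aspx is a legitimate redirect for everyone.
UA_BOT = "Mozilla/5.0+(compatible;+Googlebot/2.1)"
UA_USER = "Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0"
REF_SEARCH = "https://www.google.com/search?q=example"
SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft Internet Information Services 10.0",
     "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
     "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken"]
    + [f"2025-02-10 08:00:0{i} 10.0.0.5 GET /index.aspx - 80 - 203.0.113.{i} {UA_BOT} - 302 0 0 15" for i in range(3)]
    + [f"2025-02-10 08:01:0{i} 10.0.0.5 GET /index.aspx - 80 - 198.51.100.{i} {UA_USER} - 200 0 0 40" for i in range(3)]
    + [f"2025-02-10 08:02:0{i} 10.0.0.5 GET /about.aspx - 80 - 203.0.113.{i} {UA_USER} {REF_SEARCH} 200 0 0 30" for i in range(3)]
    + [f"2025-02-10 08:03:0{i} 10.0.0.5 GET /about.aspx - 80 - 198.51.100.{i} {UA_USER} - 200 0 0 30" for i in range(3)]
    + [f"2025-02-10 08:04:0{i} 10.0.0.5 GET /old.aspx - 80 - 203.0.113.{i} {UA_BOT} - 301 0 0 5" for i in range(3)]
    + [f"2025-02-10 08:05:0{i} 10.0.0.5 GET /old.aspx - 80 - 198.51.100.{i} {UA_USER} - 301 0 0 5" for i in range(3)]
)

if __name__ == "__main__":
    for uri, (s_rate, o_rate) in find_cloaked_uris(SAMPLE_LOG.splitlines()).items():
        print(f"{uri}: search traffic redirected {s_rate:.0%}, other traffic {o_rate:.0%}")
```

Run it against a real `u_ex*.log` by passing the file's lines to `find_cloaked_uris`; a URI that redirects crawlers and search-referred visitors while serving 200 to direct visitors is the pattern the article describes and is worth a look at the server's installed IIS native modules. The `min_requests` floor keeps single stray requests from raising alerts, and `min_gap` separates selective cloaking from a site-wide 301.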

Trend Micro researchers Ted Lee and Lenart Bermejo noted that this technique enables cybercriminals to exploit SEO algorithms, artificially increasing the visibility of malicious sites while simultaneously defrauding legitimate businesses and unsuspecting users.

Attribution to DragonRank and Related Threat Groups

Evidence suggests that a Chinese-speaking cybercriminal group known as DragonRank is responsible for this operation. Cisco Talos previously linked DragonRank to SEO manipulation campaigns deploying BadIIS malware. Additionally, cybersecurity firm ESET identified connections between DragonRank and another entity known as Group 9, which has a history of using compromised IIS servers for proxy services and fraudulent SEO activities.

Interestingly, Trend Micro also discovered that the malware artifacts used in the campaign share similarities with a variant associated with Group 11. This malware version operates in two distinct modes: one designed for SEO fraud and another for injecting suspicious JavaScript code into web responses, further expanding the scope of manipulation.

Infrastructure Laundering and Broader Implications

Further investigation into the cybercriminal ecosystem has revealed links to a broader illicit infrastructure. Silent Push, a cybersecurity intelligence firm, has connected the China-based Funnull content delivery network (CDN) to a scheme referred to as infrastructure laundering. This tactic involves renting IP addresses from major hosting providers like Amazon Web Services (AWS) and Microsoft Azure to host criminal websites.

Funnull is believed to have leased over 1,200 IP addresses from AWS and nearly 200 from Microsoft. Although these malicious IPs have been taken down, new ones are continuously being acquired using fraudulent or stolen accounts. The infrastructure, labeled as Triad Nexus, is reportedly fueling a range of cybercrimes, including retail phishing schemes, romance baiting scams, and money laundering through counterfeit gambling platforms.

Conclusion

The ongoing exploitation of IIS servers through SEO fraud and malware injection underscores the evolving tactics employed by cybercriminals. The DragonRank group and its affiliates demonstrate a high level of sophistication, leveraging compromised servers to achieve financial gains and propagate malicious content. Organizations, particularly those in critical sectors, must implement stringent cybersecurity measures, including regular server audits, patch management, and enhanced monitoring, to mitigate the risks associated with such attacks. Additionally, the ongoing challenge of infrastructure laundering highlights the need for hosting providers to implement stricter controls against fraudulent account usage to curb cybercriminal operations.
