
Source: Trend Micro
Trend Micro researchers have uncovered a widespread SEO manipulation campaign orchestrated by a Chinese-speaking group utilizing a malware known as BadIIS. This campaign, primarily targeting organizations in Asia, exploits vulnerabilities in Internet Information Services (IIS) to redirect users to illegal websites and malicious servers.
“In 2024, we observed a substantial distribution of malware known as ‘BadIIS’ in Asia,” the researchers report. “BadIIS targets Internet Information Services (IIS) and can be used for SEO fraud or to inject malicious content into the browsers of legitimate users.”
The attackers exploit vulnerable IIS servers to install the BadIIS malware. Once installed, BadIIS alters the HTTP response header information, redirecting users to malicious websites based on specific keywords in the “User-Agent” and “Referer” fields. This technique allows the attackers to manipulate search engine rankings and drive traffic to their desired destinations.
The campaign has affected various sectors, including government, universities, technology companies, and telecommunications, with victims primarily located in India, Thailand, and Vietnam. The impact is not limited to those countries, however, since users from other regions who visit a compromised server can also be redirected.
The BadIIS malware employed in this campaign shares similarities with variants previously used by other threat groups but features a new handler called “OnSendResponse.”
Trend Micro researchers emphasize the importance of IIS security and recommend that organizations proactively update and patch their systems to prevent exploitation. They also advise monitoring for abnormal IIS module installations, restricting administrative access, enforcing strong passwords with multi-factor authentication, and using firewalls to control network traffic.
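Two of the defensive points above (watch for abnormal IIS module installations; the malware redirects selectively on User-Agent and Referer) can be turned into concrete checks. The following Python script is an added example written for this summary, not code from Trend Micro or from the report. It assumes an IIS host whose native modules are registered under `<globalModules>` in `%windir%\System32\inetsrv\config\applicationHost.config` and whose access logs use the W3C format with a `#Fields:` header. The module allowlist, the module name `IISModuleHelper`, and every log line are constructed for the demonstration; the crawler and search-engine patterns are a general cloaking heuristic, not the specific keywords BadIIS matches on.

```python
"""Added example: baseline IIS native modules and spot search-only redirects.
Not Trend Micro's code; all sample data below is constructed."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed allowlist of Microsoft-shipped global modules. In practice,
# build this from a known-good applicationHost.config of the same IIS version.
KNOWN_GLOBAL_MODULES = {
    "HttpLoggingModule", "StaticFileModule", "DefaultDocumentModule",
    "DirectoryListingModule", "AnonymousAuthenticationModule",
    "RequestFilteringModule", "ProtocolSupportModule", "HttpCacheModule",
    "IsapiModule", "IsapiFilterModule", "CgiModule",
}

# Constructed fragment of applicationHost.config with one extra native module
# ("IISModuleHelper" is an invented name, not a BadIIS indicator).
SAMPLE_APPHOST_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="RequestFilteringModule" image="%windir%\\System32\\inetsrv\\modrqflt.dll" />
      <add name="IISModuleHelper" image="C:\\inetpub\\temp\\helper.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Constructed W3C log excerpt. IIS replaces spaces in User-Agent/Referer with '+'.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-06-01 10:00:01 10.0.0.5 GET /news/index.html - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 0 0 15
2024-06-01 10:00:02 10.0.0.5 GET /news/index.html - 443 - 198.51.100.7 Mozilla/5.0+(compatible;+Googlebot/2.1) - 302 0 0 3
2024-06-01 10:00:03 10.0.0.5 GET /news/index.html - 443 - 203.0.113.11 Mozilla/5.0+(Macintosh)+Safari/605.1 https://www.google.com/search?q=news 302 0 0 4
2024-06-01 10:00:04 10.0.0.5 GET /about.html - 443 - 203.0.113.12 Mozilla/5.0+(Windows+NT+10.0)+Firefox/121.0 - 200 0 0 9
2024-06-01 10:00:05 10.0.0.5 GET /about.html - 443 - 198.51.100.7 Mozilla/5.0+(compatible;+bingbot/2.0) - 200 0 0 8
"""

CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider|yandexbot", re.I)
SEARCH_REFERER = re.compile(r"https?://[^/]*(google|bing|baidu|yandex)\.", re.I)


def unexpected_global_modules(config_xml, allowlist=KNOWN_GLOBAL_MODULES):
    """Return (name, image) for each <globalModules><add> entry that is not on
    the allowlist or whose DLL is loaded from outside the inetsrv directory."""
    root = ET.fromstring(config_xml)
    global_modules = root.find("system.webServer/globalModules")
    if global_modules is None:
        return []
    findings = []
    for add in global_modules.findall("add"):
        name = add.get("name", "")
        image = add.get("image", "")
        in_inetsrv = "\\system32\\inetsrv\\" in image.lower()
        if name not in allowlist or not in_inetsrv:
            findings.append((name, image))
    return findings


def parse_w3c_log(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields: names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split(" ")
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def selective_redirects(log_text):
    """Return URIs where crawler or search-referred requests got a 3xx while
    ordinary browser requests to the same URI got only 2xx (cloaking pattern)."""
    by_uri = defaultdict(lambda: {"search": set(), "other": set()})
    for row in parse_w3c_log(log_text):
        ua, ref = row.get("cs(User-Agent)", ""), row.get("cs(Referer)", "")
        bucket = "search" if CRAWLER_UA.search(ua) or SEARCH_REFERER.search(ref) else "other"
        by_uri[row["cs-uri-stem"]][bucket].add(row["sc-status"][:1])  # status class
    return [uri for uri, b in sorted(by_uri.items())
            if "3" in b["search"] and b["other"] and b["other"] <= {"2"}]


if __name__ == "__main__":
    for name, image in unexpected_global_modules(SAMPLE_APPHOST_CONFIG):
        print(f"unexpected native module: {name} -> {image}")
    for uri in selective_redirects(SAMPLE_IIS_LOG):
        print(f"search-only redirect on {uri}")
```

Both checks are heuristics: a legitimate third-party module or a deliberate crawler-specific redirect will also be flagged, so treat a hit as a prompt to compare the DLL on disk and the response headers against a known-good baseline rather than as a verdict on its own.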