DragonRank Exploits IIS Servers for Gambling Detours and SEO Fraud using BadIIS Malware.

Feb 10, 2025Ravie LakshmananMalware / Web Security

As part of a search engine optimization (SEO) manipulation campaign designed to install BadIIS malware, threat actors have been observed exploiting Internet Information Services (IIS) servers in Asia.

According to Trend Micro researchers Ted Lee and Lenart Bermejo in an analysis released last week, "It's probable that the strategy is economically motivated because redirecting users to illegitimate gambling websites shows that attackers use BadIIS for income."

Targets of the campaign include IIS servers located in India, Thailand, Vietnam, the Philippines, Singapore, Taiwan, South Korea, Japan, and Brazil. These machines belong to organizations in the government, education, technology, and telecommunications sectors.

Requests to the compromised servers can then be answered with content altered by the attackers, including links to gambling-related websites and connections to rogue servers that host malware or credential-harvesting pages.

The activity is believed to be the work of DragonRank, a Chinese-speaking threat actor that Cisco Talos identified last year as distributing the BadIIS malware through SEO manipulation schemes.

The DragonRank campaign, in turn, is said to be linked to a cluster tracked by ESET in 2021 as , which uses compromised IIS servers to run proxy services and SEO fraud.

Trend Micro noted, however, that the identified malware-related artifacts share similarities with a feature used by Group 11, which employs two different methods: committing SEO fraud and injecting suspicious JavaScript code into responses to requests from legitimate visitors.

"The installed BadIIS can alter the HTTP response header information requested from the web server," the researchers said. "It checks the 'User-Agent' and 'Referer' fields in the received HTTP header."

If these fields contain specific search portal websites or keywords, "BadIIS redirects the user to a page associated with an online illegal gambling site rather than a genuine web page."
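Because BadIIS only rewrites the response when the request carries search-engine-like `User-Agent` or `Referer` values, the behaviour described above can be checked from the outside by fetching the same URL twice, once as an ordinary browser and once presenting those headers, and comparing the two responses. The following Python script is an added example written for this article, not code from Trend Micro or the BadIIS analysis; the response samples and hostnames in it are constructed placeholders, and the comparison rules are a simple illustration rather than a complete detection.

```python
"""Cloaking check for conditional SEO redirects (added example, constructed data)."""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Headers that imitate a visitor arriving from a search portal; used only to
# reproduce the conditional behaviour on a server you administer.
SEARCH_TRAFFIC_HEADERS = {
    "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Referer": "https://www.google.com/search?q=example",
}


@dataclass
class Response:
    status: int
    headers: dict
    body: str

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive.
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower(), "")


class _ScriptSrcCollector(HTMLParser):
    """Collects the hosts referenced by <script src=...> tags."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.hosts.add(urlsplit(value).netloc.lower())


def external_script_hosts(body: str, own_host: str) -> set:
    parser = _ScriptSrcCollector()
    parser.feed(body)
    return {h for h in parser.hosts if h and h != own_host}


def compare_responses(plain: Response, search: Response, own_host: str) -> list:
    """Return findings where the search-traffic response diverges from the plain one."""
    findings = []
    own_host = own_host.lower()

    # Rule 1: only the search-traffic variant is redirected to another host.
    if 300 <= search.status < 400 and not 300 <= plain.status < 400:
        target = urlsplit(search.header("Location")).netloc.lower()
        if target and target != own_host:
            findings.append(f"conditional off-site redirect to {target}")

    # Rule 2: external scripts served only to search traffic.
    extra = external_script_hosts(search.body, own_host) - external_script_hosts(plain.body, own_host)
    for host in sorted(extra):
        findings.append(f"external script served only to search traffic: {host}")

    return findings


# Constructed sample responses (placeholders, not observed data).
OWN_HOST = "www.victim.example"
PLAIN = Response(200, {"Content-Type": "text/html"},
                 "<html><body><h1>Welcome</h1></body></html>")
REDIRECTED = Response(302, {"Location": "https://gambling.example/landing"}, "")
INJECTED = Response(200, {"Content-Type": "text/html"},
                    '<html><body><h1>Welcome</h1>'
                    '<script src="https://cdn.attacker.example/seo.js"></script></body></html>')

if __name__ == "__main__":
    for label, variant in (("redirect", REDIRECTED), ("injection", INJECTED), ("clean", PLAIN)):
        print(label, compare_responses(PLAIN, variant, OWN_HOST))
```

To use it against a live server you administer, issue the two requests yourself (for example with `urllib.request`, once with default headers and once with `SEARCH_TRAFFIC_HEADERS`, without following redirects) and wrap the results in `Response` objects; an empty findings list means both clients saw the same page.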

The development comes as Silent Push links the China-based Funnull content delivery network (CDN) to a practice known as infrastructure laundering, in which threat actors rent IP addresses from well-known hosting providers such as Amazon Web Services (AWS) and Microsoft Azure to host illegal websites.

Funnull is said to have rented over 1,200 IPs from Amazon and nearly 200 IPs from Microsoft, all of which have since been taken down. The malicious infrastructure, dubbed , has been found to power financial fraud schemes, romance-baiting scams, and money laundering operations through fake gambling sites.

However, the company stated that “new IPs are constantly being acquired every dozen days.” “FUNNULL is likely to attain these IPs by using phony or stolen accounts to image to their CNAMEs.”
