Trend Micro uncovers BadIIS malware exploiting IIS servers for SEO fraud and malicious redirects
Analysis Summary
# Tool/Technique: BadIIS Malware
## Overview
BadIIS is malware designed to exploit vulnerabilities in Microsoft Internet Information Services (IIS) servers to conduct financially motivated cyberattacks, primarily focusing on Search Engine Optimization (SEO) fraud and user redirection.
## Technical Details
- Type: Malware family
- Platform: Microsoft IIS Servers
- Capabilities: Manipulation of HTTP responses, redirection of web traffic based on search history, injection of malicious JavaScript.
- First Seen: Not explicitly stated, but reported in February 2025.
## MITRE ATT&CK Mapping
The activities described map to the following ATT&CK tactics and techniques, covering initial access, collection, command and control, and impact on web services:
- **TA0001 - Initial Access** (Implied through exploitation of IIS vulnerabilities)
- **TA0009 - Collection** (Checking user search history)
- **TA0011 - Command and Control** (Rerouting users to attacker-controlled sites)
- **TA0014 - Impact** (Manipulating search results/web content)
- **T1564.008 - Hide Artifacts: Steal or Tamper with Search Engine Optimization** (Directly relates to SEO fraud mode)
- **T1059.003 - Command and Scripting Interpreter: Windows Command Shell** (Likely used for initial compromise or maintaining persistence, though not explicitly detailed)
- **T1027.004 - Obfuscated Files or Information: URL Obfuscation** (If used to hide redirection targets)
## Functionality
### Core Capabilities
- **SEO Fraud Mode:** Inspects visitor traffic, specifically checking search history (from Google, Bing, Baidu) and redirecting legitimate users to illegal gambling websites. Utilizes keywords from search portals to differentiate genuine users from search engine bots.
- **Injector Mode:** Injects malicious JavaScript into legitimate web pages served by the compromised IIS server, rerouting users to attacker-controlled servers hosting malware or phishing content.
### Advanced Features
- **HTTP Response Manipulation:** Alters the server's response to achieve its redirection goals while attempting to mislead SEO trackers.
- **Bot/User Differentiation:** Sophisticated ability to distinguish between search engine bots (which should see legitimate content for indexing) and actual users (who should be redirected).
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context]
- Registry Keys: [Not provided in the context]
- Network Indicators: [No specific domains or IP addresses provided in the context; the attacker-controlled servers host illegal gambling sites or other malicious payload delivery mechanisms]
- Behavioral Indicators: Unauthorized modification of HTTP responses on IIS servers; installation of unauthorized IIS modules; unexpected redirection of user traffic originating from benign or legitimate websites served by IIS.
## Associated Threat Actors
- Suspected Chinese-speaking threat actors (based on extracted domain data and Chinese-language code strings).
## Detection Methods
- Signature-based detection: [Not provided in the context, but signatures based on specific file hashes or payload strings would be applicable if known.]
- Behavioral detection: Monitoring IIS server processes for modifications to HTTP response headers or content delivery logic; monitoring for unexpected JavaScript injections in served web pages.
- YARA rules: [Not provided in the context]
## Mitigation Strategies
- Regularly update and patch IIS servers.
- Monitor for unauthorized IIS module installations.
- Restrict administrative access with strong passwords and Multi-Factor Authentication (MFA).
- Implement firewalls to filter suspicious network traffic.
- Continuously review IIS logs for signs of compromise.
- Disable unnecessary services on IIS servers to minimize the attack surface.
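The detection and mitigation items above both come down to knowing which native modules IIS loads. The following PowerShell script is an added example, not part of the Trend Micro report: it reads the `globalModules` section of applicationHost.config, expands each module's image path, and flags any module that is missing from an approved baseline, unsigned, not signed by Microsoft, or loaded from outside the inetsrv directory. It assumes it is run elevated on the IIS host and that `$BaselinePath` (a hypothetical path) points to a one-name-per-line list captured from a known-good build.

```powershell
# Added example (not from the Trend Micro report): audit native IIS global modules.
# Assumptions: run elevated on the IIS host; $BaselinePath is a hypothetical file
# holding one approved module name per line, captured from a known-good build.
param(
    [string]$ConfigPath   = "$env:windir\System32\inetsrv\config\applicationHost.config",
    [string]$BaselinePath = "C:\Baselines\iis-global-modules.txt"   # hypothetical path
)

[xml]$config = Get-Content -Path $ConfigPath -Raw
$baseline = if (Test-Path $BaselinePath) { Get-Content $BaselinePath } else { @() }

$findings = foreach ($add in $config.configuration.'system.webServer'.globalModules.add) {
    # Image paths are stored with environment variables, e.g. %windir%\System32\inetsrv\x.dll
    $image   = [Environment]::ExpandEnvironmentVariables($add.image)
    $reasons = @()

    if ($baseline.Count -gt 0 -and $add.name -notin $baseline) {
        $reasons += 'not in baseline'
    }
    if (-not (Test-Path $image)) {
        $reasons += 'image missing on disk'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $image
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $reasons += "signed by $($sig.SignerCertificate.Subject)"
        }
        # Native modules normally live under inetsrv; any other location deserves review
        if ($image -notlike "$env:windir\System32\inetsrv\*") {
            $reasons += 'outside inetsrv directory'
        }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Name = $add.name; Image = $image; Reasons = ($reasons -join '; ') }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1    # non-zero exit lets a scheduled task or monitoring agent raise an alert
} else {
    Write-Output 'All IIS global modules are baseline-listed and Microsoft-signed.'
}
```

Run it on a schedule and diff the output against the previous run; a newly registered module, or one whose signer changed, is the behavioral indicator the report describes.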
## Related Tools/Techniques
- Frebniis Malware (Mentioned in the article as related to IIS exploitation).