Full Report
Threat actors have been observed targeting Internet Information Services (IIS) servers in Asia as part of a search engine optimization (SEO) manipulation campaign designed to install BadIIS malware. "It is likely that the campaign is financially motivated since redirecting users to illegal gambling websites shows that attackers deploy BadIIS for profit," Trend Micro researchers Ted Lee and
Analysis Summary
# Tool/Technique: BadIIS Malware (DragonRank Campaign)
## Overview
BadIIS is a malware variant used primarily for Search Engine Optimization (SEO) manipulation and redirecting legitimate web traffic from compromised Internet Information Services (IIS) servers to illegal gambling websites for financial gain. This technique is often deployed by threat actors like DragonRank.
## Technical Details
- Type: Malware family
- Platform: Windows/IIS Servers
- Capabilities: Modifies HTTP responses, redirects visitors based on HTTP header analysis (User-Agent, Referer), injects malicious JavaScript.
- First Seen: Associated with DragonRank activity documented in 2023/2024; related activity noted as early as 2021 (Group 9).
## MITRE ATT&CK Mapping
This activity primarily affects the integrity (and potentially the availability) of the compromised web service, which is repurposed for malicious redirection.
- **TA0011 - Command and Control** (Implied C2 communication for potential updates/exfiltration, though not detailed)
- **TA0003 - Persistence** (Maintaining access via web server compromise)
- **TA0005 - Defense Evasion** (By inspecting requests before acting)
- **TA0004 - Privilege Escalation** (Implied initial access mechanism resulting in server control)
- **TA0007 - Discovery** (Implied discovery of target user agents/referrers)
Specific techniques likely include:
- **T1190 - Exploit Public-Facing Application** (Initial compromise vector against IIS)
- **T1564.003 - Modify or Replace Files or Information** (Modifying server responses/configurations)
- **T1057.001 - Process Discovery: Process Scanning** (Potentially scanning for certain processes, TBD)
## Functionality
### Core Capabilities
- **SEO Fraud:** Manipulating search engine results pages (SERPs) by injecting unauthorized content into legitimate website responses.
- **HTTP Response Modification:** The malware alters the HTTP response headers that the web server returns for selected requests.
- **Conditional Redirection:** Checks the `User-Agent` and `Referer` fields in the HTTP request headers. If these fields match specific search portal sites or keywords, the user is redirected to an online illegal gambling site.
- **JavaScript Injection:** Injects suspicious JavaScript code into responses for requests coming from legitimate visitors.
### Advanced Features
- **Targeted Compromise:** Focuses on highly critical IIS servers belonging to government, university, technology, and telecommunications sectors across Asia (India, Thailand, Vietnam, Philippines, Singapore, Taiwan, South Korea, Japan) and Brazil.
- **Association with Known Groups:** Directly linked to the DragonRank threat group, which was previously documented by Cisco Talos, and potentially linked to "Group 9" activity.
## Indicators of Compromise
*Note: Specific IOCs were not provided in the text excerpt.*
- File Hashes: [Not Provided]
- File Names: BadIIS
- Registry Keys: [Not Provided]
- Network Indicators: Redirection to illegal gambling sites.
- Behavioral Indicators: Altering HTTP responses based on User-Agent/Referer inspection; serving altered content (gambling redirects, malware hosting).
## Associated Threat Actors
- DragonRank (Chinese-speaking threat group)
- Group 9 (ESET designation, associated with prior IIS compromise for SEO fraud)
- Group 11 (Similar malware artifacts noted by Trend Micro)
## Detection Methods
- Signature-based detection: Targeting known file hashes or malicious file names associated with BadIIS.
- Behavioral detection: Monitoring IIS process behavior for unauthorized modification of HTTP response headers or suspicious redirection logic based on HTTP headers.
- YARA rules: [Not Provided]
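Because BadIIS keys its behaviour on the `User-Agent` and `Referer` request headers, a defender can test a server by sending the same request with and without search-engine-like headers and diffing the results. The following differential check is an added example written for this summary, not code from Trend Micro or the report; the crawler User-Agent string and search-engine Referer URL are assumed sample values, not indicators from the campaign.

```python
import re
import urllib.request
from urllib.error import HTTPError

# Header variants to send. Each probe changes only the headers BadIIS is reported to
# inspect. The Googlebot UA string and search URL below are assumed sample values.
PROBES = {
    "baseline": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:120.0) iis-diff-check"},
    "crawler_ua": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "search_referer": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:120.0) iis-diff-check",
                       "Referer": "https://www.google.com/search?q=site+name"},
}
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']?([^\"'\s>]+)", re.I)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the 3xx response instead of following it; the Location header is the evidence."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url, headers):
    """Return (status, headers, body) for one probe without following redirects."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except HTTPError as err:  # 3xx (and 4xx/5xx) land here when redirects are not followed
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")

def analyze(responses):
    """Compare every probe to the baseline; return {probe_name: [finding, ...]}."""
    base_status, _, base_body = responses["baseline"]
    base_scripts = set(SCRIPT_SRC.findall(base_body))
    findings = {}
    for name, (status, headers, body) in responses.items():
        if name == "baseline":
            continue
        hits = []
        loc = {k.lower(): v for k, v in headers.items()}.get("location")
        if 300 <= status < 400 and not 300 <= base_status < 400:
            hits.append(f"redirect only for this probe: {status} -> {loc}")
        elif status != base_status:
            hits.append(f"status differs: baseline {base_status}, probe {status}")
        # Script tags that appear only for the search-engine-looking request
        for src in sorted(set(SCRIPT_SRC.findall(body)) - base_scripts):
            hits.append(f"script present only for this probe: {src}")
        findings[name] = hits
    return findings

def check_server(url):
    """Run all probes against one URL and report header-conditional differences."""
    return analyze({name: fetch(url, hdrs) for name, hdrs in PROBES.items()})

if __name__ == "__main__":
    import sys
    for probe, hits in check_server(sys.argv[1]).items():
        print(probe, "->", hits or "no difference")
```

Run it against your own IIS hosts and repeat for several paths, since the redirect logic may only trigger on pages that already rank for the targeted keywords.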
## Mitigation Strategies
- **Patch Management:** Ensure all IIS servers are fully patched to prevent initial exploitation (T1190).
- **Web Application Firewall (WAF):** Implement WAF rules to detect and block abnormal HTTP response modifications or unexpected redirects.
- **Principle of Least Privilege:** Restrict the permissions of the web application process to limit write/modification capabilities across critical system files.
- **Traffic Monitoring:** Monitor outbound traffic for suspicious redirects to known gambling domains or unexpected content being served to legitimate users.
## Related Tools/Techniques
- SEO Manipulation Schemes (General category)
- Compromised IIS Servers used as Proxy Services (Associated capability/goal)