BadIIS Campaign: Chinese Group Targets SEO for Malicious Redirection

Summary

Cyble Research Intelligence Lab (CRIL) came across a recent campaign observed by TrendMicro involving the BadIIS malware, which targeted vulnerable Internet Information Services (IIS) servers across Asia. This campaign impacted countries such as India, Thailand, Vietnam, and Japan, with some cases observed in Brazil and Bangladesh. Likely deployed by Chinese-speaking threat actors, BadIIS was used for SEO fraud, malicious content injection, redirecting users to illegal gambling sites, and conducting watering hole attacks.

Technical Details

This campaign targets IIS servers to deliver malicious content and perform SEO manipulation. The attackers deploy BadIIS modules on compromised servers to redirect visitors to illegal gambling sites and attacker-controlled servers.

BadIIS Installation

The attackers used batch scripts to install the BadIIS module on targeted IIS servers after successfully exploiting them. One example of the script used for installation is shown below:

The BadIIS module modifies server behavior to enable its malicious functions.

SEO Manipulation and Fraud

The attackers leverage SEO fraud techniques to enhance the reach of malicious content. The BadIIS module alters the HTTP response headers when it detects traffic from search engine crawlers or specific keywords. It checks the “User-Agent” and “Referer” fields in the HTTP headers. If these fields match certain criteria, users are redirected to illegal gambling sites or other fraudulent pages instead of the intended legitimate content.

Keyword checking in the User-Agent field: 360, baidu, bing, coccoc, daum, google, naver, sogou, yisou

Keyword checking in the Referer field: baidu.com, bing.com, Coccoc, daum.net, google, naver.com, so.com, sogou.com, sm.cn

Legitimate visitors receive injected JavaScript that redirects them to malicious websites. This allows attackers to manipulate search engine traffic for financial gain and improve the visibility of illegal sites.

OnSendResponse Handler

The new variant of BadIIS uses a handler called “OnSendResponse”, replacing the previously observed “OnBeginRequest” handler in older variants. This updated approach enhances its ability to alter response content and redirect traffic effectively.

Command-and-Control (C&C) Communication

The C&C server URL is encrypted using a simple XOR key (0x03) and decrypted at runtime. This obfuscation helps hide the control server's location from detection during static analysis. Once decrypted, the BadIIS module can communicate with the C&C server to receive further commands or updates.
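A single-byte XOR key such as 0x03 hides a string from a plain `strings` pass but not from an analyst who tries every key. The following script is an added example (not code from the report, Cyble, or TrendMicro) that brute-forces all 256 single-byte keys over a byte blob and reports any key under which a URL appears. The blob, the key, and the `.invalid` placeholder hostname are constructed here for illustration; the only fact taken from the page is that the sample used XOR 0x03.

```python
"""Recover a single-byte-XOR-obfuscated URL from a byte blob (added example, not from the report)."""
import re

# A URL is the scheme followed by a run of printable, non-space ASCII.
URL_MARKER = re.compile(rb"https?://[\x21-\x7e]+")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def find_xor_urls(blob: bytes, keys=range(256)):
    """Try every single-byte key and return [(key, url)] for each decoding that yields a URL.

    Key 0 is included on purpose: a hit under key 0 means the URL was never obfuscated.
    """
    hits = []
    for key in keys:
        decoded = xor_bytes(blob, key)
        for match in URL_MARKER.finditer(decoded):
            hits.append((key, match.group().decode("ascii")))
    return hits


# Constructed sample: a few filler bytes, then a placeholder C&C URL XOR-encoded with 0x03
# (the key the report describes), then more filler. Nothing here is a real indicator.
PLACEHOLDER_URL = b"http://c2-placeholder.invalid/gate"
SAMPLE_BLOB = b"\x4d\x5a\x90\x00" + xor_bytes(PLACEHOLDER_URL, 0x03) + b"\x00\x00\xff\xfe"


if __name__ == "__main__":
    print("obfuscated bytes:", SAMPLE_BLOB.hex())
    for key, url in find_xor_urls(SAMPLE_BLOB):
        print(f"key 0x{key:02x}: {url}")
```

Run over a dumped module or memory region, the scan lists every key that produces a URL; a real configuration string will show up under exactly one key, while filler bytes rarely form `http://` by accident. Keep the regex strict (no spaces, printable ASCII only) so the decoded run ends where the string does instead of swallowing neighbouring bytes.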

Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

● Ensure that all IIS servers are regularly updated with the latest security patches to close vulnerabilities that attackers could exploit. This reduces the risk of server exploitation and minimizes potential entry points for malicious actors.

● Use Web Application Firewalls (WAFs) to filter and monitor HTTP traffic, blocking malicious requests and preventing unauthorized access. WAFs can also help detect and prevent suspicious behavior, such as unexpected redirects and injected scripts.

● Continuously monitor server logs and network traffic for unusual activity, such as unexpected redirections or modified HTTP headers. Early detection of anomalies can help identify compromised servers and mitigate the impact before it spreads.
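The cloaking behaviour described under SEO Manipulation and Fraud (search crawlers and search-referred visitors get a redirect, everyone else gets the real page) leaves a visible trace in IIS W3C logs, which is what the log-monitoring recommendation above asks for. The script below is an added example (not from the report or from any vendor tool) that parses the `#Fields:` header of an IIS log, classifies each request using the User-Agent and Referer keyword lists given earlier on this page, and flags paths where search traffic received a 3xx while ordinary visitors received a 2xx. The log lines are constructed for the example; the only values taken from the page are the two keyword lists.

```python
"""Flag search-engine cloaking in IIS W3C logs (added example, not from the report)."""
from collections import defaultdict

# Keyword lists as given in the report's table (substring match, case-insensitive).
UA_KEYWORDS = ["360", "baidu", "bing", "coccoc", "daum", "google", "naver", "sogou", "yisou"]
REFERER_KEYWORDS = ["baidu.com", "bing.com", "coccoc", "daum.net", "google",
                    "naver.com", "so.com", "sogou.com", "sm.cn"]

# Constructed sample in IIS W3C extended format (IIS writes '+' for spaces in the
# User-Agent field and '-' for an empty Referer). Not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-02-10 08:00:01 GET /news/index.html - 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200
2025-02-10 08:00:07 GET /news/index.html - 198.51.100.9 Mozilla/5.0+(compatible;+Googlebot/2.1) - 302
2025-02-10 08:00:12 GET /news/index.html - 203.0.113.77 Mozilla/5.0+(Windows+NT+10.0)+Firefox/121.0 https://www.google.com/ 302
2025-02-10 08:01:03 GET /about.html - 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200
2025-02-10 08:01:09 GET /about.html - 198.51.100.9 Mozilla/5.0+(compatible;+bingbot/2.0) - 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the column names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                        # other directives and blank lines
        values = line.split(" ")
        if len(values) != len(fields):
            continue                        # malformed line: skip rather than guess
        yield dict(zip(fields, values))


def is_search_traffic(entry):
    """True when the User-Agent or Referer contains one of the report's keywords."""
    ua = entry.get("cs(User-Agent)", "").lower()
    ref = entry.get("cs(Referer)", "").lower()
    return any(k in ua for k in UA_KEYWORDS) or any(k in ref for k in REFERER_KEYWORDS)


def find_cloaked_paths(text):
    """Return {uri_stem: (search_statuses, other_statuses)} for every path where
    search traffic got a 3xx while at least one ordinary visitor got a 2xx."""
    by_path = defaultdict(lambda: ([], []))
    for entry in parse_w3c(text):
        try:
            status = int(entry["sc-status"])
        except (KeyError, ValueError):
            continue
        bucket = 0 if is_search_traffic(entry) else 1
        by_path[entry["cs-uri-stem"]][bucket].append(status)

    suspicious = {}
    for path, (search, other) in by_path.items():
        if any(300 <= s < 400 for s in search) and any(200 <= s < 300 for s in other):
            suspicious[path] = (search, other)
    return suspicious


if __name__ == "__main__":
    for path, (search, other) in find_cloaked_paths(SAMPLE_LOG).items():
        print(f"possible cloaking on {path}: search traffic {search}, other traffic {other}")
```

On the sample, `/news/index.html` is flagged (crawler and Google-referred visitors got 302, a direct Chrome visit got 200) while `/about.html` is not, because both classes of visitor received 200. Two caveats for production use: the report's `360` keyword is a short substring and will match version numbers in unrelated User-Agents, so review hits rather than alerting on them blindly; and a server that legitimately redirects everyone (for example to HTTPS) will not be flagged, which is the intended behaviour, since the signal is the difference between the two visitor classes, not the redirect itself.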

Conclusion

The BadIIS campaign is a sophisticated attack targeting IIS servers across multiple regions and industries. By leveraging SEO manipulation and HTTP response modification, attackers redirect users to illegal gambling sites and malicious content, exposing victims to significant risks. The use of obfuscation techniques and updated handlers like OnSendResponse highlights the evolving nature of this threat.


Written by

FPT Metrodata Indonesia