Chinese-Speaking Group Manipulates SEO with BadIIS

This article summarizes an SEO manipulation campaign targeting Asia that compromises Internet Information Services (IIS) servers with a malicious native IIS module known as BadIIS. The campaign is financially motivated: compromised servers redirect visitors to illegal gambling sites, potentially exposing organizations in multiple sectors. Recommendations for enterprises on securing IIS environments against such attacks are also provided.

Affected: India, Thailand, Vietnam, Philippines, Singapore, Taiwan, South Korea, Japan, Brazil, Bangladesh

Key points:

  • Trend Micro researchers have identified an SEO manipulation campaign utilizing the BadIIS malware.
  • The campaign exploits vulnerabilities in Internet Information Services (IIS) to install malware and redirect users.
  • Users may be directed to illegal gambling sites or malicious servers hosting harmful content.
  • Regions affected include various Asian countries and Brazil, indicating a potential widespread impact.
  • The malware can alter HTTP responses based on specific User-Agent and Referer fields.
  • Best practices for IIS security involve regular software updates, monitoring, and restricting administrative access.
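The key point about responses that vary by User-Agent and Referer gives defenders something concrete to look for in IIS W3C logs: the same URL answering differently to a search-engine crawler, a visitor arriving from a search results page, and a direct visitor. The script below is an added example, not code from Trend Micro or from the BadIIS report; it parses a constructed log excerpt using the standard IIS `#Fields:` header and flags URIs that show either pattern. The crawler and search-engine marker lists, the size-ratio threshold, and the sample log lines are assumptions for illustration.

```python
"""
Heuristic detector for SEO-cloaking behaviour in IIS W3C logs.

Added example (not Trend Micro's code). It looks for the behaviour the
summary describes: a compromised IIS server answering the same URL
differently depending on the User-Agent (search-engine crawler vs.
browser) or the Referer (arriving from a search engine vs. direct).
Field names follow the IIS W3C "#Fields:" header; the log lines are
constructed for illustration and are not real data.
"""
from collections import defaultdict
from statistics import median
from urllib.parse import urlparse

# Assumed marker lists; extend them for the crawlers relevant to your sites.
CRAWLER_UA_MARKERS = ("googlebot", "bingbot", "baiduspider", "yandexbot")
SEARCH_HOST_MARKERS = ("google.", "bing.", "baidu.", "yahoo.")

# Constructed IIS W3C log excerpt. IIS writes '+' for spaces inside values.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes time-taken
2025-02-10 08:00:01 10.0.0.5 GET /news/index.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 0 0 18234 31
2025-02-10 08:00:07 10.0.0.5 GET /news/index.aspx - 443 - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1) - 200 0 0 61877 44
2025-02-10 08:00:12 10.0.0.5 GET /news/index.aspx - 443 - 203.0.113.22 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 https://www.google.com/search?q=news 302 0 0 412 5
2025-02-10 08:00:20 10.0.0.5 GET /about.aspx - 443 - 203.0.113.30 Mozilla/5.0+(Macintosh)+Safari/605.1 - 200 0 0 9120 28
2025-02-10 08:00:25 10.0.0.5 GET /about.aspx - 443 - 66.249.66.2 Mozilla/5.0+(compatible;+Googlebot/2.1) - 200 0 0 9131 30
2025-02-10 08:00:31 10.0.0.5 GET /about.aspx - 443 - 203.0.113.31 Mozilla/5.0+(Macintosh)+Safari/605.1 https://www.bing.com/search?q=about 200 0 0 9118 27
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        rec = dict(zip(fields, values))
        rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")
        yield rec


def classify(rec):
    """Bucket a request by visitor class: crawler, search_referred, or direct."""
    ua = rec["cs(User-Agent)"].lower()
    if any(m in ua for m in CRAWLER_UA_MARKERS):
        return "crawler"
    ref = rec.get("cs(Referer)", "-")
    if ref != "-":
        host = urlparse(ref).hostname or ""
        if any(m in host for m in SEARCH_HOST_MARKERS):
            return "search_referred"
    return "direct"


def find_cloaking(text, size_ratio=2.0):
    """Return {uri: [finding, ...]} for URIs whose answer depends on visitor class.

    Two defensive heuristics: 'referer_redirect' when search-referred visitors
    get a 3xx while direct visitors get 2xx for the same URI; 'ua_cloaking'
    when crawlers receive a 200 body more than `size_ratio` times larger or
    smaller than direct visitors receive, i.e. different content for one URL.
    """
    per_uri = defaultdict(lambda: defaultdict(list))
    for rec in parse_w3c(text):
        per_uri[rec["cs-uri-stem"]][classify(rec)].append(
            (int(rec["sc-status"]), int(rec["sc-bytes"]))
        )
    findings = {}
    for uri, buckets in per_uri.items():
        hits = []
        direct_ok = [b for s, b in buckets.get("direct", []) if 200 <= s < 300]
        referred = buckets.get("search_referred", [])
        if direct_ok and any(300 <= s < 400 for s, _ in referred):
            hits.append("referer_redirect")
        crawler_ok = [b for s, b in buckets.get("crawler", []) if 200 <= s < 300]
        if direct_ok and crawler_ok:
            ratio = median(crawler_ok) / max(median(direct_ok), 1)
            if ratio >= size_ratio or ratio <= 1 / size_ratio:
                hits.append("ua_cloaking")
        if hits:
            findings[uri] = hits
    return findings


if __name__ == "__main__":
    for uri, hits in find_cloaking(SAMPLE_LOG).items():
        print(f"{uri}: {', '.join(hits)}")
```

On the constructed excerpt, `/news/index.aspx` is flagged for both patterns (the crawler receives a body over three times the size the browser receives, and the search-referred visitor is redirected), while `/about.aspx` behaves consistently and is not reported. Logging `sc-bytes` is optional in IIS and must be enabled for the size comparison to work; without it, the referer-redirect check still applies. Treat hits as leads for inspecting the server's installed native modules and `applicationHost.config`, not as proof of compromise on their own.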

MITRE Techniques:

  • TA0040: **Impact** – The campaign leads to financial gain for threat actors through redirections to illegal websites.
  • T1071.001: **Application Layer Protocol: Web Protocols** – BadIIS uses HTTP/HTTPS to communicate with compromised servers and deliver malicious content.
  • T1070.003: **Indicator Removal on Host: File and Directory Permissions Modification** – Attackers might modify permissions to prevent detection.
  • T1086: **PowerShell** – Batch files are used to execute commands for the installation of BadIIS modules.
  • T1203: **Exploitation for Client Execution** – Exploitation of vulnerabilities in IIS enables the installation of BadIIS on targeted servers.

Indicators of Compromise:

  • No IoCs Found

Full Story: https://www.trendmicro.com/en_us/research/25/b/chinese-speaking-group-manipulates-seo-with-badiis.html