A recent investigation by Trend Micro researchers revealed a search engine optimization (SEO) manipulation campaign named BadIIS targeting users of Internet Information Services (IIS). This financially motivated campaign redirects victims to illegal gambling websites and has notably affected Asian countries such as India, Thailand, and Vietnam, with potential global repercussions. The study identified numerous indicators of compromise (IoCs), including various domains and IP addresses linked to the campaign.
Affected: Internet Information Services (IIS), illegal gambling websites, Asian countries (India, Thailand, Vietnam)
Keypoints :
- Trend Micro discovered an SEO manipulation campaign (BadIIS) affecting IIS users.
- The campaign is financially motivated, redirecting users to illegal gambling sites.
- Initial impact observed in Asian countries, specifically India, Thailand, and Vietnam.
- 51 indicators of compromise (IoCs) identified, including 46 domains and 5 IP addresses.
- Additional research revealed further related artifacts such as email-connected domains and additional IP addresses.
- Out of 46 identified domains, only 38 had current WHOIS records.
- Domains were registered between 1996 and 2024 across various registrars.
- 5 IP addresses associated with the campaign are geolocated primarily in China and the U.S.
- Some domains were linked to malicious activity through historical WHOIS records.
MITRE Techniques :
- Technique T1071.001 – Application Layer Protocol: The BadIIS campaign uses HTTP protocol to communicate with command and control servers.
- Technique T1496 – Application Layer Protocol: Malicious activities leverage application layer protocols for data exfiltration.
- Technique T1583 – Acquire Infrastructure: The attack involves acquiring infrastructure such as domains and IPs for ongoing operation.
- Technique T1069 – Permission Group Discovery: Behavior indicative of scanning and identifying permission levels of domains connected to the campaign.
Indicators of Compromise :
- [Domain] badiis[.]com
- [Domain] gfqfoqz[.]cn
- [IP Address] 156[.]229[.]134[.]13
- [Domain] xxxx[.]com
- [Domain] 668823[.]com
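The IoC list above, as an added defender-side example that is not code from Trend Micro, CircleID or the original report: a small Python script that parses the defanged entries in the format used on this page, refangs them, and scans log lines for the listed IP addresses and domains (matching subdomains of an IoC domain as well, e.g. www.badiis.com against badiis.com). The IoC values are the ones listed on this page; the log lines and their formats (an IIS W3C access line, a resolver query line, a connection line) are constructed for the example.

```python
import re
from ipaddress import ip_address

# IoC lines copied from the list on this page, defanged as published.
IOC_LINES = """
[Domain] badiis[.]com
[Domain] gfqfoqz[.]cn
[IP Address] 156[.]229[.]134[.]13
[Domain] xxxx[.]com
[Domain] 668823[.]com
""".strip().splitlines()

# "[Domain] value" / "[IP Address] value" as used on this page.
IOC_RE = re.compile(r"^\[(?P<kind>Domain|IP Address)\]\s+(?P<value>\S+)$")
# Hostname-looking tokens (last label alphabetic) and dotted-quad IPv4s.
HOST_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(value: str) -> str:
    """Undo common defanging: [.] and (.) become '.', hxxp becomes http."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxp", "http").lower())


def load_iocs(lines):
    """Return (domains, ips) as sets of refanged, normalised strings."""
    domains, ips = set(), set()
    for line in lines:
        m = IOC_RE.match(line.strip())
        if not m:
            continue  # skip anything not in the expected format
        value = refang(m.group("value"))
        if m.group("kind") == "Domain":
            domains.add(value.rstrip("."))
        else:
            ips.add(str(ip_address(value)))  # ip_address() validates the literal
    return domains, ips


def domain_matches(host, domains):
    """Return the IoC domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_line(line, domains, ips):
    """List (kind, ioc) hits found in one log line, without duplicates."""
    hits, seen = [], set()
    for ip in IPV4_RE.findall(line):
        if ip in ips and ("ip", ip) not in seen:
            seen.add(("ip", ip))
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        matched = domain_matches(host, domains)
        if matched and ("domain", matched) not in seen:
            seen.add(("domain", matched))
            hits.append(("domain", matched))
    return hits


def scan_logs(lines, domains, ips):
    """Return [(line_number, hits), ...] for lines that contain an IoC."""
    report = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line, domains, ips)
        if hits:
            report.append((n, hits))
    return report


# Constructed sample log lines (not from the report).
SAMPLE_LOGS = [
    # IIS W3C line: a 302 answer whose Referer carries an IoC domain.
    "2024-05-01 10:00:00 10.0.0.5 GET /index.html - 80 - 203.0.113.7 "
    "Mozilla/5.0+(compatible;+Googlebot/2.1) http://www.badiis.com/seed 302 0 0 12",
    # Resolver line: a client resolves an IoC domain.
    "2024-05-01 10:00:03 client 10.0.0.21 query: gfqfoqz.cn IN A",
    # Connection line: a client connects to an IoC IP address.
    "2024-05-01 10:00:05 10.0.0.21 -> 156.229.134.13:443 TCP",
    # Benign line, expected to produce no hit.
    "2024-05-01 10:00:09 client 10.0.0.22 query: example.org IN A",
]

if __name__ == "__main__":
    doms, addrs = load_iocs(IOC_LINES)
    for n, hits in scan_logs(SAMPLE_LOGS, doms, addrs):
        print(f"line {n}: {hits}")
```

Matching on the registrable domain rather than the exact string is deliberate: a redirect or lookup will usually name a host under the IoC domain, not the bare apex. The `xxxx[.]com` entry is kept exactly as the page lists it; it only ever matches that literal name.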
Full Story: https://circleid.com/posts/a-dns-investigation-of-seo-manipulation-via-bad-seed-badiis