Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign

Operation Rewrite is an SEO poisoning campaign using BadIIS native IIS modules and variants (ASP.NET handler, managed .NET module, PHP script) to serve SEO-optimized content to crawlers and proxy victims to scam sites, with targeting focused on East and Southeast Asia—notably Vietnam. Infrastructure and linguistic artifacts link the cluster CL-UNK-1037 to Chinese-speaking actors and show overlaps with Group 9 and similarities to DragonRank. #BadIIS #CL-UNK-1037 #Group9 #DragonRank

Key points

  • Operation Rewrite (CL-UNK-1037) is an SEO poisoning campaign using malicious IIS modules named BadIIS and related lightweight variants to manipulate search engine indexing and redirect users to scam content.
  • The implants intercept HTTP requests (User-Agent and Referer) to serve SEO-optimized HTML to crawlers and proxy or redirect human visitors to attacker-controlled sites.
  • Configuration and payloads show a geographic focus on East and Southeast Asia, with specific targeting of Vietnamese search engines and queries.
  • Investigation found multiple variants: native IIS modules, an ASP.NET page handler, a managed .NET IIS module, and an all-in-one PHP front-controller, broadening the actor’s toolkit.
  • Artifacts such as the chongxiede class name (Pinyin for “rewrite”) and Chinese comments point to a Chinese-speaking threat actor; infrastructure overlaps tie the cluster to Group 9 and show similarities with DragonRank.
  • Attackers used web shells, scheduled tasks, and created local accounts to pivot across networks, exfiltrated web application source code via web-accessible ZIPs, and registered malicious DLLs as IIS modules.
  • The report lists numerous C2 URLs, domain clusters (008php, yyphw, 300bt families), and many BadIIS-related SHA256 hashes for detection and response.
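The second key point above is the implant's core trick: the same URL answers differently depending on the User-Agent and Referer of the request. That behaviour leaves a signature in ordinary IIS logs, and the following detection script is an added example (not code from the Unit 42 report or from the BadIIS samples) that parses IIS W3C logs and flags URL paths where search-engine crawlers receive a 2xx page while visitors arriving from a search results page are answered with a 3xx redirect. The crawler tokens, search-referer hosts and the log lines are constructed assumptions for illustration; the field layout is the default IIS W3C set.

```python
"""Flag paths in IIS W3C logs that behave like SEO cloaking: crawlers get
2xx content while search-referred human visitors get a 3xx redirect."""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed crawler User-Agent tokens and search-engine referer hosts; extend
# for the engines relevant to the site (the report notes Vietnamese engines).
CRAWLER_TOKENS = ("googlebot", "bingbot", "coccocbot", "yandexbot", "baiduspider")
SEARCH_REFERER_HOSTS = ("google.", "bing.", "coccoc.com", "yandex.", "baidu.com")

# Constructed sample in the default IIS W3C field layout; not real traffic.
# IIS encodes spaces inside a field as '+', so whitespace separates fields.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2024-01-10 08:00:01 10.0.0.5 GET /news/2024.html - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1) - 200
2024-01-10 08:00:09 10.0.0.5 GET /news/2024.html - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 https://www.google.com/search?q=news 302
2024-01-10 08:01:15 10.0.0.5 GET /news/2024.html - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 - 200
2024-01-10 08:02:00 10.0.0.5 GET /about.html - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1) - 200
2024-01-10 08:02:30 10.0.0.5 GET /about.html - 203.0.113.8 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 https://www.google.com/search?q=about 200
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line encountered before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines instead of aborting the whole scan
        yield dict(zip(fields, values))


def is_crawler(user_agent):
    ua = user_agent.lower()
    return any(token in ua for token in CRAWLER_TOKENS)


def from_search_engine(referer):
    """True when the Referer host looks like a search engine results page."""
    if referer == "-":
        return False
    host = urlparse(referer).netloc.lower()
    return any(marker in host for marker in SEARCH_REFERER_HOSTS)


def find_cloaked_paths(log_text):
    """Return {path: counts} for paths that served 2xx to crawlers and 3xx to
    search-referred non-crawler visitors; both conditions must hold."""
    crawler_2xx = defaultdict(int)
    human_3xx = defaultdict(int)
    for rec in parse_w3c(log_text):
        path = rec["cs-uri-stem"]
        status = rec["sc-status"]
        crawler = is_crawler(rec["cs(User-Agent)"])
        if crawler and status.startswith("2"):
            crawler_2xx[path] += 1
        elif not crawler and status.startswith("3") and from_search_engine(rec["cs(Referer)"]):
            human_3xx[path] += 1
    return {
        path: {"crawler_2xx": crawler_2xx[path], "search_referred_3xx": human_3xx[path]}
        for path in sorted(human_3xx)
        if path in crawler_2xx
    }


if __name__ == "__main__":
    for path, counts in find_cloaked_paths(SAMPLE_LOG).items():
        print(f"possible cloaking on {path}: {counts}")
```

In the sample, only `/news/2024.html` is flagged: the crawler got content and the search-referred visitor was redirected, while `/about.html` served 200 to both. Direct visitors with no Referer are deliberately ignored, because the report describes the redirect being keyed on arrival from a search engine; a site whose legitimate mobile or geo redirects fire on search referers will need those paths allow-listed.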

MITRE Techniques

  • [T1505] Server Software Component – Malicious native IIS modules (BadIIS) and managed/IIS variants were registered as server components via RegisterModule to intercept and modify web traffic. Quote: ‘exports the RegisterModule function… Registers handlers for OnBeginRequest and OnSendResponse’
  • [T1190] Exploit Public-Facing Application – Attackers gained access to web servers and deployed web shells and implants to compromise legitimate sites used for SEO poisoning. Quote: ‘attackers gained access to a web server… Deployed additional web shells on each compromised web server’
  • [T1105] Ingress Tool Transfer – Attackers uploaded DLLs and other payloads (BadIIS implants, ASPX/PHP handlers) to compromised web servers and registered them for execution. Quote: ‘uploaded several new DLLs to the compromised web servers, silently registering them as IIS modules’
  • [T1560] Archive Collected Data – The attackers compressed web application source code into ZIP archives and moved them to web-accessible paths to exfiltrate over HTTP. Quote: ‘compress the entire web application source code directory into ZIP archives… moved the archives into web-accessible paths’
  • [T1036] Masquerading – Compromised legitimate, high-reputation websites were used to serve malicious content and poisoning pages to search engine crawlers, disguising attacker content as site-native. Quote: ‘compromise established, legitimate websites that already have a good domain reputation’
  • [T1176] Browser Bookmark Discovery / SEO Poisoning (behavioral) – The implant serves crawler-only SEO content and redirects human visitors to scam sites, manipulating search engine indexes. Quote: ‘serves this malicious HTML to the search engine crawler… victim… is immediately sent to the attacker-controlled scam content’
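The T1505 entry above hinges on a DLL being registered as an IIS module, which on a server shows up as an entry in applicationHost.config. The following audit script is an added example (not code from the Unit 42 report) that parses that file and reports native `globalModules` entries whose DLL lives outside the inetsrv directory, plus managed `modules` entries whose type is not from a Microsoft assembly. The trusted-path and trusted-prefix heuristics and the trimmed sample configuration are assumptions for illustration; the non-stock entries in it are constructed (one echoes the `chongxiede` class-name artifact the report describes) and are not the real BadIIS registrations.

```python
"""Audit an IIS applicationHost.config for module registrations that do not
look like the stock IIS set. Heuristics and sample config are assumptions."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Directories where stock native IIS modules live (assumed). %windir% is kept
# unexpanded because applicationHost.config stores image paths that way.
TRUSTED_NATIVE_DIRS = (r"%windir%\system32\inetsrv", r"c:\windows\system32\inetsrv")
# Managed modules shipped with IIS/ASP.NET use types under these prefixes (assumed).
TRUSTED_MANAGED_PREFIXES = ("System.Web.", "Microsoft.")

# Constructed, trimmed-down applicationHost.config for the example.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="IISHelper" image="C:\inetpub\wwwroot\bin\iishelper.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="UriCacheModule" lockItem="true" />
        <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
        <add name="IISHelper" />
        <add name="SeoModule" type="chongxiede.RewriteModule, chongxiede" preCondition="managedHandler" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""


def _native_findings(root):
    # Native modules are declared once in <globalModules> with an image path.
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            image = add.get("image", "")
            folder = str(PureWindowsPath(image).parent).lower()
            if not folder.startswith(TRUSTED_NATIVE_DIRS):
                yield {"name": add.get("name", ""), "kind": "native",
                       "detail": image, "reason": "native module DLL outside inetsrv"}


def _managed_findings(root):
    # Managed modules carry a 'type' attribute; entries without one only
    # enable a native module already declared in <globalModules>.
    for section in root.iter("modules"):
        for add in section.findall("add"):
            type_name = add.get("type")
            if type_name is None:
                continue
            if not type_name.startswith(TRUSTED_MANAGED_PREFIXES):
                yield {"name": add.get("name", ""), "kind": "managed",
                       "detail": type_name, "reason": "managed type from non-Microsoft assembly"}


def audit_iis_modules(config_xml):
    """Return a list of finding dicts (name, kind, detail, reason) for a config string."""
    root = ET.fromstring(config_xml)
    return list(_native_findings(root)) + list(_managed_findings(root))


if __name__ == "__main__":
    for finding in audit_iis_modules(SAMPLE_CONFIG):
        print(f"[{finding['kind']}] {finding['name']}: {finding['reason']} ({finding['detail']})")
```

On a live server, feed it `%windir%\System32\inetsrv\config\applicationHost.config` and then hash every flagged image or assembly and compare the SHA256 values against the report's indicator list; a legitimate third-party module will show up here too, so the output is a triage list, not a verdict.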

Indicators of Compromise

  • [File Hashes] BadIIS implants – examples: 01a616e25f1ac661a7a9c244fd31736188ceb5fce8c1a5738e807fdbef70fd60, bc3bba91572379e81919b9e4d2cbe3b0aa658a97af116e2385b99b610c22c08c (and many more hashes)
  • [File Hashes] Variant handlers – ASPX handler: b056197f093cd036fa509609d80ece307864806f52ab962901939b45718c18a8; Managed IIS module: 2af61e5acc4ca390d3bd43bc649ab30951ed7b4e36d58a05f5003d92fde5e9a7
  • [File Hashes] PHP handler – example: 36bf18c3edd773072d412f4681fb25b1512d0d8a00aac36514cd6c48d80be71b
  • [Domains/URLs] C2 domains and URLs – examples: hxxp://404.008php[.]com/zz/u.php, hxxp://103.6.235[.]26/xvn.html, hxxps://sl.008php[.]com/kt.html (and multiple other C2 URLs listed)
  • [IP Addresses] C2 IPs – examples: 103.6.235[.]26, 103.6.235[.]78 (also 160.30.173[.]87, 103.248.20[.]197)
  • [File/Component Names] Internal class/object names – example: chongxiede (Pinyin for 重写, “rewrite”) used in module code, indicating linguistic artifact and pivot for discovery

Read more: https://unit42.paloaltonetworks.com/operation-rewrite-seo-poisoning-campaign/