Elastic Security Labs observed a large-scale, coordinated SEO poisoning campaign (REF4033) that has compromised over 1,800 Windows IIS servers worldwide by deploying a malicious IIS module called BADIIS to inject SEO backlinks and redirect users to illicit gambling and cryptocurrency phishing sites. The intrusion chain included a webshell, rapid escalation to create an administrative account and a persistent WalletServiceInfo Windows service that loads a ServiceDLL to install BADIIS modules and modify IIS configuration. #BADIIS #REF4033
Keypoints
- REF4033 (attributed to a Chinese-speaking actor cluster) has compromised more than 1,800 Windows IIS servers globally by deploying the BADIIS malicious IIS module to monetize high-reputation websites.
- The campaign uses a two-phase SEO poisoning workflow: serve keyword-stuffed HTML to search engine crawlers, then redirect human visitors to gambling, pornography, and cryptocurrency phishing sites (e.g., a fraudulent Upbit clone).
- Elastic observed a rapid post-compromise timeline where attackers used a webshell for discovery, created a local administrative account, and installed a WalletServiceInfo Windows service that loads an unsigned ServiceDLL (CbsMsgApi.dll) to deploy BADIIS.
- BADIIS installs as native IIS modules (WsmRes32.dll / WsmRes64.dll) disguised as drivers in System32 and alters DefaultAppPool configuration to load into the request pipeline, enabling targeted content injection and redirection based on User-Agent, Referer, and region.
- The modules download encrypted configuration and SEO resources from country-specific configuration servers (e.g., kr.gotz003[.]com, vn.gotz003[.]com), decrypt them (SM4/AES-128 ECB), and inject backlinks or full-page replacements to manipulate search rankings and funnel traffic.
- The infrastructure shows long-running, evolving clusters (gotz003/jbtz003/gotz001/jbtz001 and legacy tz123/tz789 domains), heavy APAC focus (China and Vietnam ~82% of victims), and diverse victim types including governments, education, and cloud-hosted servers.
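One defender-side check that follows from the module-staging behaviour above: BADIIS registers its DLLs as native IIS modules from a directory where no legitimate module lives. The script below is an added example, not code from Elastic or the report, and it assumes a stock install where native modules belong under %windir%\System32\inetsrv; the applicationHost.config fragment is constructed for the demonstration.

```python
r"""Flag native IIS modules registered outside the stock inetsrv directory.

Added defensive example (not from the Elastic report). Native modules in a
stock IIS install load from %windir%\System32\inetsrv\, so a <globalModules>
entry whose image points elsewhere, or to a .sys under System32\drivers,
matches the BADIIS staging pattern and deserves a look.
"""
import ntpath
import xml.etree.ElementTree as ET

INETSRV = r"c:\windows\system32\inetsrv"  # assumed default location

# Constructed sample: trimmed applicationHost.config with one legitimate
# module and two entries shaped like the staging described in the summary.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="WsmRes64" image="C:\Windows\System32\drivers\WppRecorderrt.sys" />
      <add name="WsmRes32" image="%windir%\System32\drivers\WsmRes32.dll" preCondition="bitness32" />
    </globalModules>
  </system.webServer>
</configuration>"""


def normalize(image: str, windir: str = r"C:\Windows") -> str:
    """Expand %windir% and lower-case the path so comparisons are stable."""
    return ntpath.normpath(image.replace("%windir%", windir)).lower()


def find_suspicious_modules(config_xml: str) -> list[dict]:
    """Return globalModules entries whose image is outside inetsrv or looks like a driver."""
    root = ET.fromstring(config_xml)
    hits = []
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            image = add.get("image")
            if image is None:
                continue  # not a module registration
            path = normalize(image)
            reasons = []
            if not path.startswith(INETSRV + "\\"):
                reasons.append("image outside inetsrv")
            if ntpath.dirname(path).endswith(r"\system32\drivers"):
                reasons.append("staged under System32\\drivers")
            if path.endswith(".sys"):
                reasons.append("driver extension for a user-mode module")
            if reasons:
                hits.append({"name": add.get("name"), "image": image, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_modules(SAMPLE_CONFIG):
        print(hit["name"], hit["image"], "; ".join(hit["reasons"]))
```

On a live host the same function can be fed the contents of %windir%\System32\inetsrv\config\applicationHost.config; a hit is a lead to verify against file signature and creation time, not a verdict on its own.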
MITRE Techniques
- [T1505] Server Software Component – The adversary installed a malicious IIS module (BADIIS) into the web server request pipeline to hijack and monetize traffic; ‘…the malicious IIS module that integrates directly into a web server’s request processing pipeline…’
- [T1505.003] Web Shell – Initial discovery and enumeration were performed via a webshell running under the IIS worker process (w3wp.exe); ‘…initial enumeration was performed via a webshell running under the IIS worker process (w3wp.exe).’
- [T1105] Ingress Tool Transfer – The modules and SEO resources were retrieved from remote configuration URLs and static .txt files hosted on actor-controlled domains; ‘…the module downloads content from URLs defined in its configuration.’
- [T1136.001] Create Account: Local Account – The actor created a new user account and added it to the Administrators group as part of post-compromise access escalation; ‘…created a new user account.’
- [T1543.003] Create or Modify System Process: Windows Service – The intruder created the WalletServiceInfo Windows service that configures and loads a ServiceDLL (CbsMsgApi.dll) under svchost.exe for persistence; ‘…creates a Windows service, WalletServiceinfo, which configures a ServiceDLL (CbsMsgApi.dll) that runs under svchost.exe…’
- [T1036] Masquerading – Malicious components were staged using filenames and locations resembling legitimate system drivers (e.g., under System32\drivers) to evade detection; ‘…staging three files masquerading within the System32\drivers folder…’
- [T1027] Obfuscated Files or Information – Most BADIIS samples employ VMProtect to hinder static and dynamic analysis, forcing use of non-protected older samples for analysis; ‘…most of these samples employ VMProtect, a commercial code-obfuscation framework…’
- [T1574] Hijack Execution Flow – The malware altered IIS configuration (DefaultAppPool config) to load the BADIIS modules into request processing, effectively hijacking normal web request handling for injection and redirection; ‘…alters the IIS configuration to load them into the request pipeline of the DefaultAppPool.’
Indicators of Compromise
- [SHA-256] Malicious samples and components – 055bdcaa0b69a1e205c931547ef863531e9fdfdaac93aaea29fb701c7b468294 (CbsMsgApi.exe), 2340f152e8cb4cc7d5d15f384517d756a098283aef239f8cbfe3d91f8722800a (CbsMsgApi.dll)
- [Domain] Configuration and content servers used by BADIIS – gotz003[.]com (primary config server), jbtz003[.]com (legacy config server)
- [Domain/URLs] SEO content/backlinks and config endpoints – kr.gotz003[.]com/krfml/krfmlip.txt (region-specific config file), http://kr.gotz001[.]com/lunlian/index.php (backlinks/SEO content server)
- [File names/paths] Loader, ServiceDLL, and masqueraded modules – CbsMsgApi.exe (loader), CbsMsgApi.dll (ServiceDLL), C:\Windows\System32\drivers\WppRecorderrt.sys and WppRecorderpo.sys (masqueraded BADIIS modules)