Cybersecurity researchers are focusing on Vietnam in particular, and are turning their attention to search engine optimization (SEO) addiction campaigns that are likely undertaken by Chinese-speaking threat actors, using malware called BADIIS in attacks targeting East and Southeast Asia.
An activity called Operation Rewrite is tracked by Palo Alto Networks Unit 42 under Monica CL-Unk-1037. Here, “Cl” represents a cluster and “UNK” refers to an unknown motivation. Threat actors are known to share infrastructure and architecture overlap with entities called group 9 by ESET and Dragon Rank.
“To carry out SEO addiction, attackers manipulate search engine results to trick people into visiting unexpected or unnecessary websites (such as gambling and porn websites) for financial gain,” said security researcher Yoav Zemah. “In this attack, the malicious Native Internet Information Services (IIS) module was called BADIIS.”
BADIIS is designed to intercept and modify incoming HTTP web traffic with the ultimate goal of using a legal, infringing server to provide malicious content to site visitors. In other words, the idea is to direct traffic to the destination of your choice by manipulating search engine results and injecting keywords and phrases into legitimate websites with a good domain reputation.
The IIS module is equipped to flag visitors originating from a search engine crawler by inspecting user agent headers in HTTP requests, allowing search engines to index victim sites as a related result of the terminology in command and control (C2) server responses.
If your site is poisoned this way, all you need to do is search for those terms in a search engine, click on a legal but compromised site, and ultimately redirect to a scam site instead.
In at least one incident investigated by unit 42, the attacker is said to have leveraged access to the search engine crawler to pivot to other systems, create new local user accounts, establish persistent remote access, remove source code, and drop a web shell to upload BADIIS implants.
“The mechanism first builds the lure and then produces the trap,” Unit 42 said. “Lures are built by attackers who supply the manipulated content to search for engine crawlers. This ranks them in additional terms that compromised websites cannot connect to. A compromised web server acts as a reverse proxy.
Other tools deployed by threat actors in attacks include three different variations of the BADIIS module.
By proxying malicious content from a remote C2 server, a lightweight ASP.NET page handler that achieves the same goal of SEO addiction can inspect and modify all requests passing through the application, and inspect and modify any requests that can inject spam links and keywords from different C2 servers.
“The threat actors tailored all implants to their goals of manipulating search engine results and controlling the flow of traffic,” Unit 42 said. “We strongly appreciate that Chinese-speaking actors manipulate this activity based on direct language evidence and infrastructure and architectural links between this actor and the group 9 cluster.”
This disclosure was able to compromise on at least 65 Windows servers in Brazil, Thailand and Vietnam, a malicious IIS module called Gamshen to promote SEO scams a few weeks after ESET was called Ghostredirector, known as previously undocumented threat clusters.
Source link
