Threat actors have been observed targeting Asian Internet Information Services (IIS) servers as part of a search engine optimization (SEO) operation campaign designed to install BADIIS malware.
“It is likely that the campaign is financially motivated, as redirecting users to illegal gambling websites indicates that attackers will deploy BADII for profit.”
The campaign’s goals include IIS servers in India, Thailand, Vietnam, the Philippines, Singapore, Taiwan, Korea, Japan and Brazil. These servers are associated with governments, universities, technology companies, and the communications sector.
Requests to compromised servers can provide modified content from attackers, from redirects to gambling sites, to malicious servers or credential harvesting pages hosting malware.
The activity is suspected to be the work of a Chinese-speaking threat group known as DragonRank. This was recorded last year by Cisco Talos when Badiis malware was delivered via SEO operation schemes.
Secondly, the DragonRank campaign is said to have ESET associated with an entity called Group 9 in 2021, breaching proxy services and IIS servers for SEO scams.
However, Trend Micro uses group 11, which features two different modes for detecting malware artifacts to carry out SEO scams and inject suspicious JavaScript code in response to requests from legitimate visitors. I noted that they share similarities with the variant.
“A BADII installed may change the HTTP response header information requested by the web server,” the researchers said. Check the User Agent and Reference fields of the received HTTP header. ”
“If these fields contain a specific search portal site or keyword, BADIIS will redirect users to pages associated with illegal online gambling sites, not legitimate web pages.”
The development involves a silent push linked to a practice that calls the China-based Funnull Content Delivery Network (CDN) infrastructure laundering. This threat actor rents IP addresses from mainstream hosting providers such as Amazon Web Services (AWS), Microsoft Azure and usage. They host criminal websites.
Funnull is said to have rented over 1,200 IPs from Amazon and approximately 200 IPs from Microsoft. All of these have been removed. A malicious infrastructure called Triad Nexus has been found to refuel retail phishing schemes, romance bait scams and money laundering operations through fake gambling sites.
“But new IPs are continuously acquired every few weeks,” the company said. “Funnull may use fraudulent or stolen accounts to retrieve these IPs and map them to CNAME.”
Source link
