Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services (IIS) servers by threat actors deploying the BadIIS malware.

This campaign, attributed to Chinese-speaking groups, leverages IIS vulnerabilities to manipulate search engine optimization (SEO) rankings and distribute malicious content.

The attackers have targeted organizations across Asia, including India, Thailand, and Vietnam, with potential spillover to other regions.

The primary objective of these cybercriminals is financial gain through SEO fraud and redirecting users to illegal gambling websites or malicious servers.

By compromising IIS servers, they inject malware that alters HTTP responses, enabling them to manipulate web content and serve unauthorized ads or phishing schemes.

This tactic not only jeopardizes the integrity of legitimate web services but also exposes users to significant cybersecurity risks.

Technical Exploitation and Victimology

The BadIIS malware operates by exploiting unpatched IIS servers. Once installed, it functions in two primary modes:

1. SEO Fraud Mode: The malware intercepts HTTP headers to identify traffic from search engines and redirects users to fraudulent gambling sites instead of legitimate pages.
2. Injector Mode: It embeds obfuscated JavaScript into HTTP responses, redirecting unsuspecting users to attacker-controlled domains hosting malware or phishing schemes.

The campaign has impacted a variety of sectors, including government institutions, universities, technology companies, and telecommunications providers.

Notably, the geographical distribution of victims extends beyond the physical location of compromised servers, affecting users who access these infected systems from other regions.

Indicators of a Coordinated Attack

Trend Micro analysis of the malware samples reveals distinct characteristics linking them to Chinese-speaking threat actors.

These include domain names and code patterns written in simplified Chinese.

The attackers also employ batch scripts for automated installation of malicious IIS modules, ensuring persistence on compromised systems.

This campaign is part of a broader trend of IIS-targeted attacks observed over the years.

IIS servers are particularly attractive to cybercriminals due to their modular architecture, which allows for easy integration and abuse of additional functionalities.

Organizations using IIS servers are urged to adopt proactive security measures to defend against such threats:

• Regularly update and patch IIS servers to close known vulnerabilities.
• Monitor for unusual activity, such as unexpected module installations or changes in server behavior.
• Restrict administrative access using strong passwords and multi-factor authentication.
• Employ firewalls to control network traffic and reduce exposure.
• Conduct continuous log analysis to detect anomalies indicative of malware activity.

The ongoing exploitation of IIS servers underscores the importance of robust cybersecurity practices.

As attackers continue to innovate their methods, organizations must remain vigilant and prioritize securing their web infrastructure against emerging threats like BadIIS.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free