
BadIIS Malware

Cybersecurity researchers have uncovered a sophisticated SEO poisoning campaign, believed to be carried out by a Chinese-speaking threat actor. The attacks primarily target East and Southeast Asia, with a particular focus on Vietnam. This campaign is associated with malware called BadIIS and is tracked under the name CL-UNK-1037. Notably, the threat actor shows infrastructure and architectural overlaps with entities identified as Group 9 and DragonRank.

How SEO Poisoning Works

SEO poisoning involves manipulating search engine results to trick users into visiting unexpected or malicious websites, such as gambling or adult content portals, for financial gain. In this campaign, the attackers exploit a native IIS module, BadIIS, to serve malicious content from legitimate but compromised servers.

BadIIS functions include:

  • Intercepting and modifying incoming HTTP traffic.
  • Injecting keywords and phrases into reputable websites to manipulate search engine rankings.
  • Identifying search engine crawlers by their User-Agent header and serving them poisoned content fetched from a Command-and-Control (C2) server.

This approach allows compromised websites to rank highly for targeted search terms, ultimately redirecting unsuspecting users to scam sites.
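The cloaking behaviour described above (crawlers and ordinary visitors receiving different responses for the same path) leaves a trace in ordinary IIS W3C logs. The following defensive check is an added example, not code from the original article or the researchers' tooling: it reads constructed IIS log lines, groups requests by path, and flags paths where crawler User-Agents get a much larger body than human visitors, or where humans are redirected while crawlers receive 200. The field order, crawler list and 3x ratio threshold are assumptions to adjust for your own servers.

```python
"""Heuristic cloaking detector over IIS W3C log lines (added example, constructed data)."""
import re
from collections import defaultdict

# Field order assumed from a typical '#Fields:' header; match it to your own logs.
# Note: sc-bytes is not in the default IIS field set and has to be enabled.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "sc-bytes", "time-taken"]
CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider|yandexbot|coccocbot", re.I)

def parse_iis_line(line):
    """Split one W3C line into a dict; comments, blanks and short lines yield None."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()  # IIS writes spaces inside fields (e.g. User-Agent) as '+'
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def find_cloaked_paths(lines, ratio=3.0):
    """Return {uri: reason} for paths served differently to crawlers than to people."""
    stats = defaultdict(lambda: {"bot": [], "user": []})
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        kind = "bot" if CRAWLER_UA.search(rec["cs(User-Agent)"]) else "user"
        stats[rec["cs-uri-stem"]][kind].append((int(rec["sc-status"]), int(rec["sc-bytes"])))
    hits = {}
    for uri, s in stats.items():
        if not s["bot"] or not s["user"]:
            continue  # need both populations to compare
        bot_bytes = sum(b for _, b in s["bot"]) / len(s["bot"])
        user_bytes = sum(b for _, b in s["user"]) / len(s["user"])
        user_redirects = sum(1 for st, _ in s["user"] if 300 <= st < 400)
        bot_ok = sum(1 for st, _ in s["bot"] if st == 200)
        if bot_ok and user_redirects == len(s["user"]):
            hits[uri] = "users redirected, crawlers served 200"
        elif user_bytes and bot_bytes / user_bytes >= ratio:
            hits[uri] = f"crawler body {bot_bytes / user_bytes:.1f}x larger than user body"
    return hits

# Constructed sample: /news is keyword-stuffed for Googlebot, /promo redirects humans only.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes time-taken
2024-01-10 08:00:01 10.0.0.5 GET /news/index.aspx - 443 - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;+http://www.google.com/bot.html) - 200 0 0 48210 120
2024-01-10 08:00:07 10.0.0.5 GET /news/index.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/120.0 https://www.google.com/ 200 0 0 9800 45
2024-01-10 08:01:12 10.0.0.5 GET /promo.aspx - 443 - 157.55.39.2 Mozilla/5.0+(compatible;+bingbot/2.0;+http://www.bing.com/bingbot.htm) - 200 0 0 30100 110
2024-01-10 08:01:30 10.0.0.5 GET /promo.aspx - 443 - 203.0.113.9 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+17_0)+Safari/604.1 https://www.bing.com/ 302 0 0 310 12
2024-01-10 08:02:00 10.0.0.5 GET /about.aspx - 443 - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;+http://www.google.com/bot.html) - 200 0 0 7000 40
2024-01-10 08:02:05 10.0.0.5 GET /about.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/120.0 - 200 0 0 6900 38
"""

if __name__ == "__main__":
    for uri, reason in find_cloaked_paths(SAMPLE_LOG.splitlines()).items():
        print(f"{uri}: {reason}")
```

A hit is a reason to pull the page with both a crawler and a browser User-Agent and diff the HTML, and to inventory native and managed modules on that IIS server.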

The Attack Lifecycle

The SEO poisoning attack follows a multi-step process:

Building the lure: Attackers feed manipulated content to search engine crawlers, making the compromised website appear relevant for unrelated search terms.

Springing the trap: Victims searching for those terms encounter legitimate-looking but compromised sites, which redirect them to malicious destinations.

In at least one known incident, attackers leveraged search engine crawler access to escalate attacks by creating new local accounts, deploying web shells, exfiltrating source code, and installing additional BadIIS implants for persistent remote access.

Tools and Variants Used

The threat actor employs multiple tools and variants to achieve SEO manipulation and traffic control:

  • Lightweight ASP.NET page handler for proxying malicious content.
  • Managed .NET IIS module for inspecting/modifying requests and injecting spam links/keywords.
  • All-in-one PHP script combining user redirection and dynamic SEO poisoning.

All implants are customized to control search engine results and traffic flow, demonstrating a highly coordinated operation.

Attribution and Linguistic Evidence

Researchers have high confidence that this activity is operated by a Chinese-speaking threat actor. This conclusion is supported by:

  • Direct linguistic evidence found in the malware and infrastructure.
  • Architectural and operational links connecting the actor to the Group 9 cluster.

This campaign, Operation Rewrite, exemplifies how sophisticated threat actors are leveraging SEO poisoning, IIS vulnerabilities, and web server compromises to redirect traffic and conduct financially motivated attacks.
