BadIIS Malware
A threat actor who communicates in simplified Chinese has been linked to a new campaign targeting countries across Asia and Europe. The campaign's goal is to manipulate search engine rankings through SEO tactics. This Black Hat SEO campaign, dubbed DragonRank by cybersecurity researchers, has impacted regions including Thailand, India, South Korea, Belgium, the Netherlands, and China.
DragonRank compromises Web application services to deploy Web shells, which are then used to gather system information and deliver malware like PlugX and BadIIS. These attacks have led to the compromise of 35 Internet Information Services (IIS) servers, ultimately aiming to install BadIIS malware, first identified in August 2021.
Attackers Take Over Compromised IIS Servers
The malware is designed to facilitate proxyware and SEO fraud by turning the compromised IIS server into a relay point for traffic between the threat actors and their victims. It can also alter the content served to search engine crawlers, manipulating ranking algorithms to boost the websites the attackers want to promote.
One of the most striking findings of the investigation is the versatility of IIS malware, particularly its use for SEO fraud: the malware is used to manipulate search engine algorithms, enhancing the visibility and reputation of third-party websites.
The most recent attacks uncovered by researchers cover a wide range of industries, including jewelry, media, research services, healthcare, video and television production, manufacturing, transportation, religious and spiritual organizations, IT services, international affairs, agriculture, sports and even feng shui.
Attack Chain Attributed to DragonRank
The attack begins by exploiting known vulnerabilities in Web applications such as phpMyAdmin and WordPress to deploy the open-source ASPXspy web shell. This Web shell then serves as a gateway for introducing additional tools into the target environment.
The main goal of the campaign is to compromise IIS servers hosting corporate websites. The attackers use these servers to install BadIIS malware, repurposing them as platforms for fraudulent activities, often involving keywords related to pornography and sex.
A notable feature of the malware is its ability to impersonate Google's search engine crawler in its User-Agent string when connecting to the Command-and-Control (C2) server. This tactic helps it evade some website security measures.
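A forged Googlebot User-Agent only works against controls that take the header at face value. Google's documented way to verify a crawler is a reverse DNS lookup of the client IP (the name must end in googlebot.com or google.com) followed by a forward lookup of that name that must return the same IP. The script below, an added example that is not code from the article or from the DragonRank tooling, applies that check to IIS W3C log lines. The log lines and the DNS answers are constructed for the example (the resolver is injected so the check runs offline); swap in `system_resolver()` for real lookups.

```python
"""Flag requests that claim to be Googlebot but fail Google's reverse/forward DNS check.

Added example; not code from the article. Log lines and DNS answers are constructed.
"""
import re
import socket
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# A resolver is a pair of callables: reverse(ip) -> hostname or None,
# forward(hostname) -> list of IPs. Injecting it keeps the logic testable offline.
Resolver = Tuple[Callable[[str], Optional[str]], Callable[[str], List[str]]]

GOOGLEBOT_UA = re.compile(r"googlebot", re.IGNORECASE)
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def system_resolver() -> Resolver:
    """Real DNS lookups through the OS resolver (use this outside of tests)."""
    def reverse(ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:  # socket.herror / gaierror are OSError subclasses
            return None

    def forward(host: str) -> List[str]:
        try:
            return socket.gethostbyname_ex(host)[2]
        except OSError:
            return []

    return reverse, forward


def is_real_googlebot(ip: str, resolver: Resolver) -> bool:
    """PTR must end in googlebot.com/google.com AND the forward lookup of that
    name must include the original IP. The second step defeats a forged PTR."""
    reverse, forward = resolver
    host = reverse(ip)
    if host is None:
        return False
    host = host.lower().rstrip(".")
    if not host.endswith(GOOGLE_SUFFIXES):
        return False
    return ip in forward(host)


def parse_iis_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Parse IIS W3C extended log lines using the #Fields: directive for column names."""
    fields: Optional[List[str]] = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rec = dict(zip(fields, parts))
        if "cs(User-Agent)" in rec:
            # IIS writes spaces inside a field as '+' (lossy for a literal '+', fine for matching)
            rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")
        yield rec


def find_forged_googlebot(text: str, resolver: Resolver) -> List[Tuple[str, str]]:
    """Return (client IP, URI) for every Googlebot-claiming request that fails verification."""
    hits = []
    for rec in parse_iis_w3c(text):
        ua = rec.get("cs(User-Agent)", "")
        if GOOGLEBOT_UA.search(ua) and not is_real_googlebot(rec["c-ip"], resolver):
            hits.append((rec["c-ip"], rec["cs-uri-stem"]))
    return hits


# Constructed IIS log excerpt (not from the article).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs(User-Agent) sc-status
2024-09-10 08:12:01 66.249.66.1 GET /index.aspx Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200
2024-09-10 08:12:05 203.0.113.45 GET /products.aspx Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200
2024-09-10 08:12:09 198.51.100.7 GET /about.aspx Mozilla/5.0+(Windows+NT+10.0)+Chrome/127.0 200
2024-09-10 08:12:14 192.0.2.9 GET /index.aspx Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200
"""

# Constructed DNS answers (assumption: 66.249.66.1 is a genuine crawler; 192.0.2.9 is an
# attacker host whose owner published a forged PTR pointing at a googlebot.com name).
_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "192.0.2.9": "crawl-66-249-66-1.googlebot.com",  # forged reverse record
}
_A = {"crawl-66-249-66-1.googlebot.com": ["66.249.66.1"]}
FAKE_RESOLVER: Resolver = (lambda ip: _PTR.get(ip), lambda host: _A.get(host, []))


if __name__ == "__main__":
    for ip, uri in find_forged_googlebot(SAMPLE_LOG, FAKE_RESOLVER):
        print(f"forged Googlebot claim: {ip} -> {uri}")
```

Two of the three Googlebot claims in the constructed log fail: 203.0.113.45 has no reverse record at all, and 192.0.2.9 has a plausible-looking PTR that the forward lookup does not confirm. The same User-Agent pattern is also worth running over egress proxy logs for the IIS host: a web server has no legitimate reason to make outbound requests as Googlebot, so any match there is a candidate C2 beacon rather than a crawler.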
Threat Actors Engage in SEO Manipulation
The threat actor manipulates SEO by gaming search engine ranking algorithms to boost a website's position in search results, whether to drive traffic to fraudulent sites, increase the visibility of fraudulent content, or undercut competitors by artificially inflating or deflating rankings.
DragonRank stands out from other Black Hat SEO groups due to its approach of breaching additional servers within the target's network. It maintains control over these servers using PlugX, a backdoor commonly used by Chinese threat actors, alongside Mimikatz for credential harvesting and the PrintNotifyPotato, BadPotato and GodPotato local privilege-escalation tools.
Malicious Techniques and Online Presence
The PlugX malware used in these attacks is delivered through DLL side-loading. The loader DLL that loads and launches the encrypted payload uses the Windows Structured Exception Handling (SEH) mechanism so that the legitimate executable (the binary prone to DLL side-loading) ends up running PlugX without raising security alerts.
Researchers have found evidence that the threat actor operates on Telegram under the handle 'tttseo' and on the QQ instant messaging app, where they conduct illegal business transactions with clients. They also provide what appears to be high-quality customer service, creating promotional strategies tailored to their clients' needs.
Clients can submit keywords and websites they want to promote, and DragonRank designs a strategy based on these specifications. The group also focuses on targeting promotions for specific countries and languages, offering a customized and thorough approach to online marketing.