DragonRank SEO Attack
Threat actors have been observed targeting the Internet Information Services (IIS) servers in Asia as part of a search engine optimization (SEO) manipulation campaign. The attackers use this scheme to deploy BadIIS, a threat designed to alter Web traffic and redirect users to illicit destinations.
Financially Motivated Redirects to Illegal Gambling Sites
The campaign appears to be profit-driven, as compromised servers funnel unsuspecting users toward illegal gambling websites. The affected IIS servers are linked to various institutions, including government agencies, universities, technology firms and telecommunications providers. The impacted regions include India, Thailand, Vietnam, the Philippines, Singapore, Taiwan, South Korea, Japan and even Brazil.
Manipulated Traffic and Threatening Redirections
Once a server is compromised, it may serve altered content to incoming visitors. The attackers use this control to implement redirections to gambling sites or to connect victims to rogue infrastructure hosting unsafe software or credential-harvesting pages. This technique allows cybercriminals to exploit legitimate web traffic for financial gain or further cyberattacks.
The DragonRank Connection
Researchers attribute this activity to a Chinese-speaking threat group known as DragonRank. Previously documented as leveraging SEO manipulation strategies, DragonRank has been linked to the deployment of BadIIS malware. Evidence suggests that this group evolved from an earlier threat actor, known in cybersecurity circles as Group 9, which has been exploiting IIS servers for proxy services and SEO fraud since 2021.
Overlapping Tactics with Group 11
Interestingly, recent investigations reveal that the detected malware artifacts bear similarities to a variant associated with another entity, Group 11. This version of BadIIS includes dual functionalities: one mode focuses on SEO fraud, while the other injects suspicious JavaScript code into Web responses to manipulate visitor traffic.
How BadIIS Redirects Victims
BadIIS sits in the request pipeline of the compromised IIS server, where it can intercept requests and modify the responses the server returns. Specifically, it inspects the 'User-Agent' and 'Referer' headers of each incoming HTTP request. If those headers indicate that the visitor arrived from a search portal or contain targeted keywords, the malware answers with a redirect to an unauthorized gambling website instead of the legitimate page. Because the redirect is conditional, casual checks of the site by administrators usually see normal content, while organic search traffic is silently diverted for the attackers' benefit.
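As an added illustration (not code from the article or from the researchers' tooling), the following Python script looks for exactly that conditional behaviour in IIS W3C logs: paths where requests carrying a search-engine Referer are redirected while requests from everyone else get a normal 200. The log excerpt, the search-portal hostnames and the rate thresholds are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

REDIRECTS = {"301", "302", "307", "308"}
# Referer hostnames treated as "organic search" traffic (assumed example list)
SEARCH_HOSTS = ("google.", "bing.", "baidu.", "yahoo.", "naver.")

# Constructed IIS W3C log excerpt; the #Fields directive names the columns.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs(User-Agent) cs(Referer) sc-status
2024-01-01 10:00:01 GET /news/index.html Mozilla/5.0 - 200
2024-01-01 10:00:02 GET /news/index.html Mozilla/5.0 https://www.google.com/search?q=x 302
2024-01-01 10:00:03 GET /news/index.html Mozilla/5.0 https://www.bing.com/search?q=y 302
2024-01-01 10:00:04 GET /news/index.html Mozilla/5.0 https://partner.example/ 200
2024-01-01 10:00:05 GET /about.html Mozilla/5.0 https://www.google.com/search?q=z 200
"""


def parse_w3c(text):
    # Yield one dict per record, keyed by the column names from the #Fields directive
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def is_search_referer(referer):
    host = urlparse(referer).hostname or ""  # "-" (no Referer) parses to no host
    return any(token in host for token in SEARCH_HOSTS)


def find_conditional_redirects(text, min_search_hits=2):
    """Return {uri: (search_redirect_rate, other_redirect_rate)} for suspicious paths."""
    stats = defaultdict(lambda: {"search": [0, 0], "other": [0, 0]})  # [total, redirects]
    for rec in parse_w3c(text):
        bucket = "search" if is_search_referer(rec["cs(Referer)"]) else "other"
        counts = stats[rec["cs-uri-stem"]][bucket]
        counts[0] += 1
        counts[1] += rec["sc-status"] in REDIRECTS
    suspicious = {}
    for uri, b in stats.items():
        (s_total, s_redir), (o_total, o_redir) = b["search"], b["other"]
        if s_total < min_search_hits or o_total == 0:
            continue  # not enough of both populations to compare
        s_rate, o_rate = s_redir / s_total, o_redir / o_total
        if s_rate >= 0.5 and o_rate < 0.1:  # search visitors diverted, others served normally
            suspicious[uri] = (s_rate, o_rate)
    return suspicious
```

On the constructed sample, only /news/index.html is flagged: every search-referred request to it was redirected while direct and partner-referred requests were served normally. Real IIS logs must have the cs(Referer) and cs(User-Agent) fields enabled for this comparison to be possible.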