Cybercriminals are actively exploiting Microsoft Internet Information Services (IIS) servers across Asia as part of a sophisticated search engine optimization (SEO) fraud campaign. The attackers deploy BadIIS malware to hijack web traffic, redirect users to illegal gambling websites, and manipulate search engine rankings for profit.
According to Trend Micro researchers Ted Lee and Lenart Bermejo, the campaign is financially motivated, leveraging compromised IIS servers to generate revenue through deceptive redirections.
Geographic Targets and Affected Sectors
The BadIIS malware campaign primarily affects IIS servers in the following countries:
India
Thailand
Vietnam
Philippines
Singapore
Taiwan
South Korea
Japan
Brazil
These attacks specifically target servers belonging to government agencies, universities, technology firms, and telecommunications providers. Once compromised, these servers deliver altered content, including gambling site redirects and links to malicious domains hosting malware or credential harvesting pages.
DragonRank's Connection to BadIIS Attacks
Cybersecurity experts attribute this activity to DragonRank, a Chinese-speaking threat group previously identified by Cisco Talos. DragonRank is known for deploying BadIIS malware as part of an SEO manipulation strategy.
Additionally, researchers from ESET have linked this campaign to Group 9, which has historically leveraged compromised IIS servers for proxy services and fraudulent SEO tactics.
SEO Fraud and JavaScript Injection
Trend Micro's investigation found that the BadIIS malware operates in two primary modes:
SEO Fraud Mode – Manipulates search engine rankings by injecting malicious content.
JavaScript Injection Mode – Alters HTTP response headers to deliver malicious JavaScript to legitimate visitors.
The malware inspects the User-Agent and Referer HTTP request headers. If those headers reference specific search portals or keywords, BadIIS answers with a redirect to an illegal gambling site instead of serving the legitimate page.
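As an added illustration of the header-based cloaking described above (example code written for this article, not from Trend Micro's report or the malware itself): the script parses IIS W3C log lines and flags URLs that answer search crawlers or search-engine referrals with a redirect while serving ordinary browsers a normal 200. The log lines are constructed, and the crawler and search-engine patterns are assumptions to be tuned for a real deployment.

```python
"""
Added example, not from the original article: detect BadIIS-style cloaking
from IIS W3C logs. Because BadIIS keys its behaviour on User-Agent and
Referer, the same URL answers search traffic differently from ordinary
visitors; that divergence is visible in the server's own logs.
"""
import re
from collections import defaultdict

# Assumed patterns for search crawlers and search-engine referrals (tune for your site).
SEARCH_UA = re.compile(r"googlebot|bingbot|baiduspider|yandexbot|duckduckbot", re.I)
SEARCH_REFERER = re.compile(r"https?://(www\.)?(google|bing|baidu|yahoo|naver|yandex)\.", re.I)
REDIRECT_CODES = {"301", "302", "303", "307", "308"}

# Constructed sample log in IIS W3C extended format (IIS writes spaces in
# header values as '+', so a plain split on whitespace is safe).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status
2025-02-07 10:00:01 10.0.0.5 GET /news/index.html - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 - 200 0 0
2025-02-07 10:00:02 10.0.0.5 GET /news/index.html - 443 - 198.51.100.7 Mozilla/5.0+(compatible;+Googlebot/2.1) - 302 0 0
2025-02-07 10:00:03 10.0.0.5 GET /news/index.html - 443 - 203.0.113.22 Mozilla/5.0+(Windows+NT+10.0)+Firefox/121 https://www.google.com/search?q=site+news 302 0 0
2025-02-07 10:00:04 10.0.0.5 GET /about.html - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 - 200 0 0
2025-02-07 10:00:05 10.0.0.5 GET /about.html - 443 - 198.51.100.7 Mozilla/5.0+(compatible;+bingbot/2.0) - 200 0 0
2025-02-07 10:00:06 10.0.0.5 GET /old-page - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 - 301 0 0
"""


def parse_iis_log(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("log line encountered before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        entries.append(dict(zip(fields, values)))
    return entries


def is_search_request(entry):
    """True if the request came from a search crawler or a search-engine referral."""
    ua = entry.get("cs(User-Agent)", "-")
    ref = entry.get("cs(Referer)", "-")
    return bool(SEARCH_UA.search(ua) or SEARCH_REFERER.search(ref))


def find_cloaked_uris(entries):
    """Return {uri: (search_statuses, other_statuses)} for URIs that redirect
    search traffic while answering ordinary visitors with 200.
    A URI that redirects everyone (a legitimate moved page) is not flagged."""
    by_uri = defaultdict(lambda: {"search": set(), "other": set()})
    for e in entries:
        bucket = "search" if is_search_request(e) else "other"
        by_uri[e["cs-uri-stem"]][bucket].add(e["sc-status"])
    suspicious = {}
    for uri, buckets in by_uri.items():
        search_redirected = buckets["search"] & REDIRECT_CODES
        other_ok = "200" in buckets["other"]
        if search_redirected and other_ok:
            suspicious[uri] = (sorted(buckets["search"]), sorted(buckets["other"]))
    return suspicious


if __name__ == "__main__":
    for uri, (search, other) in find_cloaked_uris(parse_iis_log(SAMPLE_LOG)).items():
        print(f"{uri}: search traffic got {search}, other visitors got {other}")
```

The check is deliberately coarse: it only needs status codes, which every IIS log carries by default, so it works without enabling logging of the Location header. A hit is a reason to fetch the URL once with a crawler User-Agent and once without and compare the responses, and to audit the server's native modules for anything unexpected.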
Infrastructure Laundering via Funnull CDN
In a related discovery, cybersecurity firm Silent Push has linked the China-based Funnull Content Delivery Network (CDN) to an emerging tactic known as infrastructure laundering. This technique allows cybercriminals to rent IP addresses from major cloud providers such as:
Amazon Web Services (AWS) – Over 1,200 rented IPs
Microsoft Azure – Nearly 200 rented IPs
These IPs, now taken down, were part of a malicious infrastructure called Triad Nexus, which facilitated:
Retail phishing schemes
Romance baiting scams
Money laundering through fake gambling sites
Despite law enforcement interventions, Funnull continues to acquire new IPs every few weeks, often using fraudulent or stolen accounts to bypass security measures and remap CNAME records.
Conclusion: A Growing Threat to Web Security
The DragonRank BadIIS malware campaign highlights the increasing sophistication of cyber threats targeting IIS servers. By hijacking legitimate web traffic for SEO fraud and illegal gambling redirects, these attacks pose significant risks to enterprises, governments, and educational institutions.
Security professionals must remain vigilant, implement robust server hardening measures, and leverage advanced threat detection to mitigate these risks.