
A sophisticated malware campaign targeting Internet Information Services (IIS) servers across Asia has been uncovered, primarily focused on manipulating search engine optimization (SEO) by installing the BadIIS malware. Security researchers from Trend Micro have identified this financially motivated operation, which redirects users to illegal gambling websites.
The campaign has affected IIS servers in multiple Asian countries, including India, Thailand, Vietnam, the Philippines, Singapore, Taiwan, South Korea, and Japan, as well as Brazil. Notable targets include government institutions, universities, technology firms, and telecommunications companies.
The threat actors, believed to be the Chinese-speaking group DragonRank, compromise servers to alter content delivery, redirecting users to gambling sites or malicious servers hosting malware and credential harvesting pages. This group has been previously linked to Group 9, known for similar SEO fraud activities.
Technical analysis reveals that the BadIIS malware operates in two modes: SEO fraud and malicious JavaScript injection. The malware inspects HTTP headers, specifically the ‘User-Agent’ and ‘Referer’ fields, and redirects users when specific search portal sites or keywords are detected.
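The header-based redirect behaviour described above, seen from the defender's side, as an added example that is not from the article or Trend Micro's report: a small Python checker over constructed IIS W3C log lines that flags URIs where search-engine crawlers or search-referred visitors were redirected while ordinary visitors received a 200. The crawler and search-engine patterns, the field layout and the sample log are assumptions.

```python
"""Flag BadIIS-style SEO cloaking in IIS W3C logs (added example, constructed data)."""
import re
from collections import defaultdict

# Constructed sample log (not from the page). Assumed default IIS W3C field order;
# IIS encodes spaces inside fields such as User-Agent as '+'.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-02-10 08:00:01 10.0.0.5 GET /index.html - 80 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 - 200 0 0 12
2025-02-10 08:00:02 10.0.0.5 GET /index.html - 80 - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1) - 302 0 0 3
2025-02-10 08:00:03 10.0.0.5 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0+(iPhone)+Safari/604.1 https://www.google.com/search?q=example 302 0 0 4
2025-02-10 08:00:04 10.0.0.5 GET /about.html - 80 - 203.0.113.11 Mozilla/5.0+(X11;+Linux)+Firefox/121 - 200 0 0 9
2025-02-10 08:00:05 10.0.0.5 GET /about.html - 80 - 40.77.167.3 Mozilla/5.0+(compatible;+bingbot/2.0) - 200 0 0 10
"""

# Assumed patterns for search-engine crawlers and search-portal referers.
CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider|yandex|naver|duckduckbot", re.I)
SEARCH_REFERER = re.compile(r"^https?://([^/]+\.)?(google|bing|baidu|yahoo|naver|yandex)\.", re.I)
REDIRECTS = {"301", "302", "307", "308"}

def parse_w3c(text):
    """Yield one dict per data line, using the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        rec = dict(zip(fields, values))
        rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")
        yield rec

def find_cloaking(text):
    """Return URI stems where search traffic was redirected but other visitors got 200."""
    by_uri = defaultdict(lambda: {"search_redirects": 0, "other_ok": 0})
    for rec in parse_w3c(text):
        is_search = bool(CRAWLER_UA.search(rec["cs(User-Agent)"])) or \
                    bool(SEARCH_REFERER.match(rec["cs(Referer)"]))
        stats = by_uri[rec["cs-uri-stem"]]
        if is_search and rec["sc-status"] in REDIRECTS:
            stats["search_redirects"] += 1
        elif not is_search and rec["sc-status"] == "200":
            stats["other_ok"] += 1
    return sorted(u for u, s in by_uri.items() if s["search_redirects"] and s["other_ok"])

if __name__ == "__main__":
    print("Suspected cloaked URIs:", find_cloaking(SAMPLE_LOG))
```

A hit means the same resource answered differently depending on who appeared to be asking, which is the behaviour to confirm by comparing the server's response headers against the site's intended redirect rules.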
In a related development, Silent Push has identified connections between these activities and the China-based Funnull CDN, which has been involved in “infrastructure laundering.” This operation involved renting IP addresses from major providers like AWS and Microsoft Azure to host criminal websites, with over 1,400 IPs identified and subsequently removed. However, new IPs continue to be acquired regularly through potentially fraudulent means.