A large-scale cyberattack is targeting Microsoft Internet Information Services (IIS) servers to spread a dangerous malware called BadIIS. This malware is mainly used for search engine ranking fraud and injecting harmful content into websites.

### Who’s Behind the Attack?
The hacking group responsible, known as DragonRank, is believed to be Chinese-speaking. Their attack has already compromised over 35 IIS servers across Asia, Europe, and other regions, affecting industries like government, technology, telecommunications, and education.

### How BadIIS Works
BadIIS is an advanced malware that changes how infected IIS servers respond to web requests. It operates in two ways:

1. **Proxy Mode:** The malware redirects website traffic to boost the search rankings of attacker-controlled sites by abusing the credibility of compromised servers.
2. **Injector Mode:** It injects hidden JavaScript into legitimate web pages. This code can redirect users to fake websites designed for phishing or spreading more malware.

According to cybersecurity firm Trend Micro, BadIIS enables attackers to manipulate search engine rankings, insert unauthorized ads, distribute malware, and launch targeted cyberattacks.

### How the Attack Happens
The DragonRank hackers break into IIS servers by exploiting security flaws in web applications like WordPress and phpMyAdmin. They install web shells such as ASPXSpy, which are malicious tools that give them remote access. From there, they deploy BadIIS and other malware like PlugX (a remote access trojan). They also use tools like Mimikatz to steal login credentials and move deeper into the network.

One script found in this attack loads malicious modules directly into IIS servers, giving the hackers full control.

### Who’s Being Targeted?
This campaign primarily affects countries in Asia, including India, Thailand, and Vietnam, but it has also spread to places like Brazil and South Korea. Victims include government agencies, universities, and private companies. The attackers often use infected servers in one country to launch attacks worldwide.

### The Goal: Making Money
This attack appears to be financially motivated. By redirecting users to illegal gambling websites and scam pages, hackers earn money while also boosting the search engine rankings of certain websites. This technique, known as “black hat SEO,” manipulates search results for financial gain.

### How to Protect Your IIS Servers
To defend against BadIIS and similar threats, organizations using IIS servers should take these precautions:

- **Keep Servers Updated:** Regularly install the latest security patches.
- **Strengthen Access Controls:** Use strong passwords and enable multi-factor authentication (MFA) for administrative access.
- **Monitor for Suspicious Activity:** Check IIS logs for unexpected changes or unusual traffic patterns.
- **Use Firewalls:** Restrict access to and from your servers to prevent unauthorized connections.
- **Secure Server Configurations:** Disable any unnecessary services and features to minimize attack risks.
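
Because this campaign loads malicious modules into IIS, monitoring should cover module registration as well as logs. The following is an added example (not from the original article or from Trend Micro) that parses a copy of `applicationHost.config` and lists native modules whose DLL sits outside the default `inetsrv` directory. It assumes the module is registered in the `<globalModules>` section; the sample config, the `ExampleCacheHelper` entry, the environment values and the trusted-directory baseline are constructed for illustration.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Constructed sample of the <globalModules> section of applicationHost.config.
# The last entry is a made-up module name and path, used only for illustration.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="AspNetCoreModuleV2" image="%ProgramFiles%\IIS\Asp.Net Core Module\V2\aspnetcorev2.dll" />
      <add name="ExampleCacheHelper" image="C:\ProgramData\example\cachehelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Assumed environment values, so a copied config can be analysed off the server.
ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows", "programfiles": r"C:\Program Files"}

# Assumed baseline: directories where native module DLLs are expected to live.
TRUSTED_DIRS = [r"%windir%\System32\inetsrv"]


def expand(path, env=ENV):
    """Expand %VAR% case-insensitively, collapse '..', and lower-case the path."""
    swapped = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)
    return ntpath.normcase(ntpath.normpath(swapped))


def audit_global_modules(config_xml, trusted_dirs=TRUSTED_DIRS):
    """Return (name, expanded_image) for modules loaded from outside trusted_dirs."""
    root = ET.fromstring(config_xml)
    trusted = [expand(d) + "\\" for d in trusted_dirs]
    findings = []
    for add in root.iterfind("system.webServer/globalModules/add"):
        image = expand(add.get("image", ""))
        if not any(image.startswith(t) for t in trusted):
            findings.append((add.get("name"), image))
    return findings


if __name__ == "__main__":
    for name, image in audit_global_modules(SAMPLE_CONFIG):
        print(f"REVIEW: {name} -> {image}")
```

A hit means the module needs review against your own baseline (file signature, install date, change ticket), not that it is malicious; legitimate add-ons such as the ASP.NET Core Module also install outside `inetsrv` and can be added to `TRUSTED_DIRS` once verified.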

### The Bigger Picture
The DragonRank attack highlights the growing threat to web servers worldwide. Organizations must take proactive security measures to prevent being exploited by cybercriminals. Failure to do so could result in financial loss, damage to reputation, and a loss of trust from users.
