Threat actors have been observed targeting Internet Information Services (IIS) servers in Asia as part of a search engine optimization (SEO) manipulation campaign designed to install the BadIIS malware.
"It is likely that the campaign is financially motivated, since the redirection of users to illegal gambling websites indicates that the attackers deploy BadIIS for profit," Trend Micro researchers Ted Lee and Lenart Bermejo noted in an analysis published last week.
Targets of the campaign include IIS servers in India, Thailand, Vietnam, the Philippines, Singapore, Taiwan, South Korea, Japan and Brazil. These servers are associated with the government, university, technology-company and telecommunications sectors.
Requests to the compromised servers can be answered with attacker-altered content, ranging from redirects to gambling sites to connections to rogue servers that deliver malware or harvest credentials.
The activity is suspected to be the work of a Chinese threat group known as DragonRank, which Cisco Talos documented last year as delivering the BadIIS malware through SEO manipulation schemes.
DragonRank, in turn, is said to be related to an entity that ESET tracked as Group 9 in 2021, which compromised IIS servers for proxying and SEO fraud.
Trend Micro, however, noted that the malware artifacts it uncovered share similarities with the variant used by Group 11, which offers two distinct modes: SEO fraud, and injection of suspicious JavaScript code into the responses to legitimate visitors' requests.
"The installed BadIIS can alter the HTTP response header information requested from the web server," the researchers said. "It checks the 'User-Agent' and 'Referer' fields in the HTTP header."
"If these fields contain specific search portals or keywords, BadIIS redirects the user to the online gambling page instead of the legitimate web page."
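The header-conditional redirect described above leaves a footprint in the server's own logs: the same URL answers ordinary visitors with a 200 but sends crawler or search-referred requests elsewhere. The following detector is an added example written for this article, not code from Trend Micro or from the BadIIS samples; the crawler and search-portal patterns, the log field layout and the log lines are all constructed for illustration (IIS does not log the Location header, so the check keys on status-code divergence rather than on the redirect target).

```python
"""Flag URLs whose HTTP status depends on User-Agent / Referer in IIS W3C logs.

Added example (not from the Trend Micro report). The page describes BadIIS
checking the User-Agent and Referer headers and redirecting search-engine
traffic while serving the real page to everyone else. A URL that returns 200
to ordinary visitors but 30x to crawler or search-referred requests is a cheap
first signal that such a module may be installed.
"""
from collections import defaultdict
import re

# Hypothetical patterns; extend them with the crawlers and portals you care about.
CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider|yandex", re.I)
SEARCH_REFERER = re.compile(r"https?://[^/]*(google|bing|baidu|yandex)\.", re.I)

# Constructed sample log in W3C extended format (spaces in fields are '+' encoded,
# as IIS does). The third field set is deliberately a normal redirect for everyone.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) cs(Referer) sc-status
2025-01-10 08:00:01 GET /index.aspx 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-01-10 08:00:05 GET /index.aspx 198.51.100.7 Mozilla/5.0+(compatible;+Googlebot/2.1) - 302
2025-01-10 08:00:09 GET /index.aspx 203.0.113.11 Mozilla/5.0+(X11;+Linux) https://www.google.com/search?q=site 302
2025-01-10 08:01:00 GET /about.aspx 203.0.113.12 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-01-10 08:01:04 GET /about.aspx 198.51.100.8 Mozilla/5.0+(compatible;+bingbot/2.0) - 200
2025-01-10 08:02:00 GET /login.aspx 203.0.113.13 Mozilla/5.0+(Macintosh) - 302
2025-01-10 08:02:03 GET /login.aspx 198.51.100.9 Mozilla/5.0+(compatible;+Googlebot/2.1) - 302
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than guessing at columns
        yield dict(zip(fields, parts))


def is_search_origin(rec):
    """True when the request looks like a crawler hit or a search-engine click."""
    ua = rec.get("cs(User-Agent)", "-")
    ref = rec.get("cs(Referer)", "-")
    return bool(CRAWLER_UA.search(ua) or SEARCH_REFERER.search(ref))


def find_cloaked_urls(text):
    """Return URIs where search-origin requests are redirected but others get 200."""
    stats = defaultdict(lambda: {"search": defaultdict(int), "other": defaultdict(int)})
    for rec in parse_w3c(text):
        bucket = "search" if is_search_origin(rec) else "other"
        stats[rec["cs-uri-stem"]][bucket][rec["sc-status"]] += 1

    suspicious = []
    for uri, s in stats.items():
        search_redirects = sum(n for st, n in s["search"].items() if st.startswith("3"))
        other_ok = s["other"].get("200", 0)
        other_redirects = sum(n for st, n in s["other"].items() if st.startswith("3"))
        # Divergence: search traffic redirected while ordinary traffic is served normally.
        # A URL that redirects everyone (e.g. a login bounce) is not flagged.
        if search_redirects and other_ok and not other_redirects:
            suspicious.append(uri)
    return sorted(suspicious)


if __name__ == "__main__":
    for uri in find_cloaked_urls(SAMPLE_LOG):
        print("possible header-conditional redirect:", uri)
```

On the constructed sample only `/index.aspx` is flagged: `/about.aspx` serves 200 to everyone and `/login.aspx` redirects everyone, so neither shows the divergence. On a real server, confirm a hit by requesting the URL yourself with a crawler User-Agent or a search-engine Referer and comparing the response with a plain request, then inspect the IIS module list on that host.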
The development comes as Silent Push linked a Chinese content delivery network (CDN) to a practice it calls infrastructure laundering, in which threat actors rent IP addresses from major hosting providers such as Amazon Web Services (AWS) and Microsoft Azure and use them to host criminal websites.
Funnull is said to have rented more than 1,200 IPs from Amazon and almost 200 IPs from Microsoft, which have since been taken down. The malicious infrastructure, dubbed Triad Nexus, has been found to fuel retail phishing schemes, romance scams and money laundering operations through fake gambling sites.
"But new IPs are constantly being purchased every few weeks," the company noted. "Funnull is likely using fraudulent or stolen accounts to purchase these IPs and point its CNAMEs at them."