BadIIS Malware Exploits IIS Servers for SEO Manipulation and Redirection

By Samarth Desai, 2/11/2025
#BadIIS
#IISExploit
#SEOManipulation

The Trend Micro article details a campaign by a Chinese-speaking group using malware called BadIIS to manipulate search engine optimization (SEO). The malware targets Internet Information Services (IIS) servers, altering HTTP responses to redirect users to illegal gambling sites or malicious servers [1]. This campaign has affected countries in Asia, including India, Thailand, and Vietnam, and could also impact other regions. The report emphasizes the need for organizations to update and patch their IIS servers to prevent such exploits [1].

The adversary exploited vulnerable IIS servers to install BadIIS. This presents several opportunities for detection and hunting. First, it is important to monitor for commands like iisreset /stop and iisreset /start, as the adversary uses these to stop and start IIS services. Detecting such commands can be an early indicator of suspicious activity.

Another key method involves the abuse of AppCmd.exe by threat actors to install BadIIS. To counter this, it's essential to hunt for suspicious executions of AppCmd.exe with the install module parameter, as this can signal attempts to install malicious modules onto the server.

Furthermore, the adversary may try to modify the file attributes of BadIIS using the attrib command with parameters such as +a +s +r +i +h. Monitoring for unusual changes to file attributes can help identify malicious activities and enable timely intervention.
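The three hunting rules above (iisreset /stop and /start, AppCmd.exe install module, and attrib with hidden/system switches) applied to a handful of constructed process-creation records, as an added example that is not code from the report or from Trend Micro. The event field names, the module name HttpHelper and the file paths are assumptions; the attrib rule generalizes the report's +a +s +r +i +h example by flagging any attrib call that sets +s and +h together.

```python
import re
from typing import Dict, Iterable, List

# Constructed process-creation events in a Sysmon Event ID 1 / Windows 4688 style.
# These are illustrative samples, not data from the Trend Micro report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "cmd.exe", "cmdline": "iisreset /stop"},
    {"parent": "cmd.exe",
     "cmdline": 'appcmd.exe install module /name:HttpHelper /image:"C:\\inetpub\\helper.dll"'},
    {"parent": "cmd.exe", "cmdline": r"attrib +a +s +r +i +h C:\inetpub\helper.dll"},
    {"parent": "cmd.exe", "cmdline": "iisreset /start"},
    {"parent": "explorer.exe", "cmdline": r"attrib +r C:\Users\alice\notes.txt"},  # benign
    {"parent": "cmd.exe", "cmdline": "appcmd.exe list site"},                    # benign
]

IISRESET = re.compile(r"\biisreset(?:\.exe)?\b.*\s/(?:stop|start)\b", re.I)
APPCMD_INSTALL = re.compile(r"\bappcmd(?:\.exe)?\b.*\binstall\s+module\b", re.I)
ATTRIB = re.compile(r"\battrib(?:\.exe)?\b(?P<rest>.*)", re.I)


def classify(cmdline: str) -> List[str]:
    """Return the names of every hunting rule the command line matches."""
    hits: List[str] = []
    if IISRESET.search(cmdline):
        hits.append("iisreset_stop_start")
    if APPCMD_INSTALL.search(cmdline):
        hits.append("appcmd_install_module")
    m = ATTRIB.search(cmdline)
    if m:
        # Collect the attribute switches, e.g. {'+a', '+s', '+r', '+i', '+h'}.
        switches = {tok.lower() for tok in m.group("rest").split()
                    if re.fullmatch(r"[+-][a-zA-Z]", tok)}
        # Hidden and system set together conceals a dropped module from casual
        # inspection; a lone +r on a user file (benign sample) is not flagged.
        if {"+s", "+h"} <= switches:
            hits.append("attrib_hidden_system")
    return hits


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the three rules over a stream of process-creation events."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        for rule in classify(ev["cmdline"]):
            findings.append({"rule": rule, "parent": ev["parent"], "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] parent={f['parent']} cmdline={f['cmdline']}")
```

Since administrators also run iisreset and appcmd legitimately, the parent process and timing of each finding are the first things to check before escalating.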

By focusing on these detection methods, organizations can better identify and mitigate the risks associated with BadIIS, enhancing their overall cybersecurity posture.

Reference