Hackers Compromising IIS Servers to Deploy BadIIS Malware

A widespread campaign is targeting Microsoft Internet Information Services (IIS) servers to deploy the BadIIS malware, a tool used for [search engine optimization (SEO)](https://cybersecuritynews.com/how-to-protect-your-website-and-maintain-search-engine-rankings/) fraud and malicious content injection. The campaign, attributed to the Chinese-speaking hacking group DragonRank, has affected over 35 IIS servers across Asia, Europe, and beyond, spanning industries such as government, technology, telecommunications, and academia.

**The BadIIS Malware: A Technical Overview**

BadIIS is a sophisticated malware designed to manipulate HTTP responses from compromised IIS servers. It operates in two primary modes:

**SEO Fraud Mode:** BadIIS inspects HTTP request headers such as User-Agent and Referer. If these fields indicate traffic from search engine crawlers (e.g., Google, Bing, Baidu), the malware redirects the request to illicit gambling websites or other fraudulent destinations.

![Workflow of SEO fraud mode](https://lh7-rt.googleusercontent.com/docsz/AD_4nXf-nshsh6GPAHKTEKDXNZHw5st4Wc6Izrum2mrU54_wNogqHlpt1hjY4FBfzku5VfZ8AuIyG6A0uOwSVmrv_rZdQqHd8IMbeOAPjwD62mKkAWPAnwvpXosdsqsVcARawSWKPg_5_g?key=rWNVJ3k4i798dxlA6aIYHjq8)

This tactic boosts the ranking of attacker-controlled sites by exploiting the credibility of the compromised servers.

**Injector Mode:** In this mode, BadIIS injects obfuscated JavaScript into legitimate server responses. The malicious code redirects users to phishing sites or malware-hosting pages.

![Workflow of injector mode](https://lh7-rt.googleusercontent.com/docsz/AD_4nXdXInHOHlTHI9Ik23YihGGCp9d_nHiRXi3BWzW04_2d2JC2_msTLco9kDl1MUm7iJjp4YdJIMSR9-vVCUZlR9miB9OhY1KR6ySaFtPah6aOGWXeJsbjxzLj5g69TpEKBWdU1ebwow?key=rWNVJ3k4i798dxlA6aIYHjq8)

"BadIIS targets Internet Information Services (IIS) and can be used for SEO fraud or to inject malicious content into the browsers of legitimate users. This includes displaying unauthorized ads, distributing malware, and even conducting watering hole attacks aimed at specific groups," Trend Micro [said](https://www.trendmicro.com/en_us/research/25/b/chinese-speaking-group-manipulates-seo-with-badiis.html).

**Attack Chain and Deployment**

The DragonRank group exploits vulnerabilities in web applications like [WordPress](https://cybersecuritynews.com/tag-124-hacked-1000-wordpress-sites/) and phpMyAdmin to deploy web shells such as ASPXSpy. These shells act as conduits for installing BadIIS and other tools like PlugX, a remote access trojan (RAT). Attackers also use credential-harvesting utilities like Mimikatz and PrintNotifyPotato for lateral movement within networks.

One observed installation script for BadIIS included batch commands to load the malicious modules into IIS servers:

![One of the scripts used for IIS module installation](https://lh7-rt.googleusercontent.com/docsz/AD_4nXeCI43RYXz4pCH_-K3gDY3UDlyNiG4LPanXo2If9eWxJEZlJh6MGLyHbZ-Et9r-Gnmd9RgY4doQKSFysRPTLIM6YOMiArR-iX78sX3ASxWMuc9GHWB3JyCE7VVH9A_iVVkZ8Vkd9A?key=rWNVJ3k4i798dxlA6aIYHjq8)

The campaign has primarily targeted countries in Asia (India, Thailand, Vietnam) and has extended its reach to regions such as Brazil and South Korea. Victims include government agencies, universities, and private corporations. Notably, attackers often exploit servers in one region to target users globally.

![Geographical distribution of targeted IIS servers](https://lh7-rt.googleusercontent.com/docsz/AD_4nXcJsn4zE-YoUFuBEH-krrM6uhruHTIVH7ivH9tTpldQ3lR90gl9-YFnuhFn6SzPXqmQfg3zYS5YGCOc9Wm7pwfi7-Iy0m0LMjwRMM2g6WExcjTFvH7VhTWSbflH3AR5LeGwxWtfNA?key=rWNVJ3k4i798dxlA6aIYHjq8)

The campaign appears financially motivated. By redirecting users to illegal gambling websites or scam pages, attackers generate revenue while simultaneously boosting the SEO rankings of their clients' websites. The malware's ability to manipulate search engine algorithms highlights its utility in black hat SEO schemes.

**Mitigation Strategies**

To protect against such threats, organizations using [IIS servers](https://cybersecuritynews.com/xctdoor-malware-attacking-iis-servers/) should adopt the following measures:

* **Regular Patching:** Ensure all IIS servers are updated with the latest security patches.
* **Access Controls:** Restrict administrative access using strong passwords and multi-factor authentication (MFA).
* **Monitoring:** Continuously monitor IIS logs for anomalies such as unexpected module installations or unusual traffic patterns.
* **Firewalls:** Deploy firewalls to control inbound and outbound traffic.
* **Secure Configurations:** Disable unnecessary services and features on IIS servers.

The DragonRank campaign underscores the importance of securing web servers against advanced threats like BadIIS. Organizations must proactively address vulnerabilities in their infrastructure to prevent exploitation by financially motivated threat actors. Failure to do so could result in reputational damage, legal liabilities, and loss of user trust.

The post [Hackers Compromising IIS Servers to Deploy BadIIS Malware](https://cybersecuritynews.com/badiis-malware-compromising-iis-servers/) appeared first on [Cyber Security News](https://cybersecuritynews.com).
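As an added illustration (not code from the article or from Trend Micro's research) of how the SEO-fraud behaviour described above shows up in the IIS logs that the Monitoring recommendation says to watch, the following Python script flags URLs whose responses diverge between search-engine traffic and ordinary visitors. The log lines, the `#Fields` layout and the crawler and referer markers are constructed for the example.

```python
"""Flag IIS URLs whose response differs for search-engine traffic and ordinary
visitors: the cloaking pattern BadIIS's SEO-fraud mode leaves in IIS logs."""
from collections import defaultdict

# Constructed sample in IIS W3C format (IIS writes spaces in header values as '+').
# The #Fields line defines the column order, as in a real log file.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) cs(Referer) sc-status
2025-02-10 09:00:01 GET /index.aspx 203.0.113.5 Mozilla/5.0+(Windows)+Chrome/121.0 - 200
2025-02-10 09:00:07 GET /index.aspx 192.0.2.1 Mozilla/5.0+(compatible;+Googlebot/2.1) - 302
2025-02-10 09:01:12 GET /index.aspx 192.0.2.2 Mozilla/5.0+(compatible;+bingbot/2.0) - 302
2025-02-10 09:02:30 GET /index.aspx 198.51.100.9 Mozilla/5.0+(Macintosh)+Safari/605.1 https://www.google.com/search?q=x 302
2025-02-10 09:03:00 GET /about.aspx 203.0.113.5 Mozilla/5.0+(Windows)+Chrome/121.0 - 200
2025-02-10 09:03:05 GET /about.aspx 192.0.2.1 Mozilla/5.0+(compatible;+Googlebot/2.1) - 200
"""

CRAWLER_MARKERS = ("googlebot", "bingbot", "baiduspider")   # constructed list
SEARCH_REFERERS = ("google.", "bing.com", "baidu.com")       # constructed list


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_cloaked_urls(text, min_search_hits=2):
    """Return {uri: (search_redirects, search_hits, other_redirects, other_hits)}
    for URIs where every search-engine request got a 3xx while no ordinary visitor
    did. BadIIS keys on both crawler User-Agents and search-engine Referers, so
    either one counts as search traffic here."""
    stats = defaultdict(lambda: [0, 0, 0, 0])
    for r in parse_w3c(text):
        ua, ref = r["cs(User-Agent)"].lower(), r["cs(Referer)"].lower()
        is_search = any(m in ua for m in CRAWLER_MARKERS) or any(
            s in ref for s in SEARCH_REFERERS)
        redirected = int(r["sc-status"].startswith("3"))
        s = stats[r["cs-uri-stem"]]
        base = 0 if is_search else 2          # columns 0-1 search, 2-3 other
        s[base] += redirected
        s[base + 1] += 1
    return {uri: tuple(s) for uri, s in stats.items()
            if s[1] >= min_search_hits and s[0] == s[1] and s[3] and s[2] == 0}


if __name__ == "__main__":
    for uri, counts in find_cloaked_urls(SAMPLE_LOG).items():
        print(f"possible cloaking on {uri}: search/other counts = {counts}")
```

On a real server, pass the contents of a `u_ex*.log` file from the IIS log directory instead of `SAMPLE_LOG`; a flagged URI is a reason to compare the server's registered native modules against a known-good baseline.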
