BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells

Sep 23, 2025 | Ravie Lakshmanan | SEO Poisoning / Malware

Cybersecurity researchers are calling attention to a search engine optimization (SEO) poisoning campaign likely undertaken by a Chinese-speaking threat actor using a malware known as BadIIS in attacks targeting East and Southeast Asia, particularly with a focus on Vietnam.

The activity, dubbed Operation Rewrite, is being tracked by Palo Alto Networks Unit 42 under the moniker CL-UNK-1037, where "CL" stands for cluster and "UNK" refers to unknown motivation. The threat actor has been found to share infrastructure and architectural overlaps with an entity referred to as Group 9 by ESET and DragonRank.

"To perform SEO poisoning, attackers manipulate search engine results to trick people into visiting unexpected or unwanted websites (e.g., gambling and porn websites) for financial gain," security researcher Yoav Zemah said. "This attack used a malicious native Internet Information Services (IIS) module called BadIIS."

BadIIS is designed to intercept and modify incoming HTTP web traffic with the end goal of serving malicious content to website visitors using legitimate compromised servers. In other words, the idea is to manipulate search engine results to direct traffic to a destination of the attackers' choosing by injecting keywords and phrases into legitimate websites carrying a good domain reputation.

The IIS module is equipped to flag visitors originating from search engine crawlers by inspecting the User-Agent header in the HTTP request, allowing it to contact an external server to fetch the poisoned content, alter the SEO, and cause the search engine to index the victim website as a relevant result for the terms found in the command-and-control (C2) server response.

Once the sites have been poisoned in this manner, all it takes to complete the scheme is ensnaring victims who search for those terms in a search engine and end up clicking on the legitimate-but-compromised website, ultimately redirecting them to a scam website instead.
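
The behaviour described above, serving one page to a search engine crawler and another to a regular browser, tends to show up in the compromised server's own access logs as a size mismatch: for the same URL, crawler User-Agents receive responses that are markedly larger or smaller than those sent to ordinary visitors. The following Python script is an added detection example written for this article; it is not code from Unit 42, ESET or the BadIIS operators. It parses IIS W3C extended log lines and flags URLs whose median response size to crawlers diverges from the median response size to browsers. The log lines, field layout, crawler list and the 2x threshold are all constructed for the example and should be adjusted to the server being reviewed.

```python
"""Flag possible search-engine cloaking from IIS W3C extended logs.

Added example for this article (not from the Unit 42 report). IIS writes
spaces inside the User-Agent as '+', so every field is a single token.
"""
import re
import statistics
from collections import defaultdict

# Constructed sample log: a #Fields header followed by a few requests.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem sc-status sc-bytes cs(User-Agent)
2025-09-01 10:00:01 GET /index.html 200 18210 Mozilla/5.0+(Windows+NT+10.0)+Chrome/128.0
2025-09-01 10:00:05 GET /index.html 200 18195 Mozilla/5.0+(Macintosh)+Safari/605.1.15
2025-09-01 10:00:09 GET /index.html 200 61480 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html)
2025-09-01 10:00:14 GET /index.html 200 60990 Mozilla/5.0+(compatible;+bingbot/2.0;++http://www.bing.com/bingbot.htm)
2025-09-01 10:01:02 GET /about.html 200 9400 Mozilla/5.0+(Windows+NT+10.0)+Chrome/128.0
2025-09-01 10:01:07 GET /about.html 200 9410 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html)
2025-09-01 10:02:00 GET /contact.html 200 7120 Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)
"""

# Crawler User-Agent substrings to treat as "search engine" traffic (constructed list).
CRAWLER_RE = re.compile(r"googlebot|bingbot|baiduspider|yandexbot|duckduckbot", re.I)


def parse_w3c(text):
    """Yield one dict per data line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip instead of misaligning columns
        yield dict(zip(fields, parts))


def find_cloaked_urls(text, ratio_threshold=2.0):
    """Return {uri: (crawler_median_bytes, browser_median_bytes)} for URIs whose
    successful responses to crawlers differ in size from responses to browsers
    by at least ratio_threshold. URIs seen by only one class are not comparable
    and are left out rather than reported."""
    sizes = defaultdict(lambda: {"crawler": [], "browser": []})
    for rec in parse_w3c(text):
        if rec.get("sc-status") != "200":
            continue  # only compare pages that were actually served
        ua = rec.get("cs(User-Agent)", "")
        cls = "crawler" if CRAWLER_RE.search(ua) else "browser"
        sizes[rec["cs-uri-stem"]][cls].append(int(rec["sc-bytes"]))

    suspicious = {}
    for uri, buckets in sizes.items():
        if not buckets["crawler"] or not buckets["browser"]:
            continue
        crawler_med = statistics.median(buckets["crawler"])
        browser_med = statistics.median(buckets["browser"])
        ratio = max(crawler_med, browser_med) / max(min(crawler_med, browser_med), 1)
        if ratio >= ratio_threshold:
            suspicious[uri] = (crawler_med, browser_med)
    return suspicious


if __name__ == "__main__":
    for uri, (c, b) in find_cloaked_urls(SAMPLE_LOG).items():
        print(f"{uri}: crawler median {c} bytes vs browser median {b} bytes")
```

On the constructed sample only `/index.html` is reported: crawlers receive roughly 61 KB while browsers receive roughly 18 KB, the signature of keyword-stuffed content being served to the indexer only. A size heuristic is a triage aid, not proof; a hit should be confirmed by fetching the URL with a crawler and a browser User-Agent from a clean host and diffing the bodies, and by reviewing the installed IIS modules and handlers for anything not accounted for.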

In at least one incident investigated by Unit 42, the attackers are said to have leveraged their access to a search engine crawler to pivot to other systems, create new local user accounts, and drop web shells for establishing persistent remote access, exfiltrating source code, and uploading BadIIS implants.

"The mechanism first builds a trap and then springs the trap," Unit 42 said. "The trap is built by attackers feeding manipulated content to search engine crawlers. This makes the compromised website rank for additional terms to which it might otherwise have no connection. The compromised web server then acts as a reverse proxy — an intermediary server getting content from other servers and presenting it as its own."

Some of the other tools deployed by the threat actors in their attacks include three different variants of BadIIS modules:

  • A lightweight ASP.NET page handler that achieves the same goal of SEO poisoning by proxying malicious content from a remote C2 server
  • A managed .NET IIS module that can inspect and modify every request that passes through the application to inject spam links and keywords from a different C2 server, and
  • An all-in-one PHP script that combines user redirection and dynamic SEO poisoning

"The threat actor tailored all the implants to the goal of manipulating search engine results and controlling the flow of traffic," Unit 42 said. "We assess with high confidence that a Chinese-speaking actor is operating this activity, based on direct linguistic evidence, as well as infrastructure and architecture links between this actor and the Group 9 cluster."

The disclosure comes weeks after ESET detailed a previously undocumented threat cluster dubbed GhostRedirector that has managed to compromise at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam with a malicious IIS module codenamed Gamshen to facilitate SEO fraud.