BadIIS Malware Exploits SEO Poisoning to Redirect Traffic and Deploy Web Shells

Cybersecurity experts have recently identified a sophisticated search engine optimization (SEO) poisoning campaign, dubbed Operation Rewrite, orchestrated by a Chinese-speaking threat actor. This campaign leverages a malicious Internet Information Services (IIS) module known as BadIIS to compromise web servers, particularly targeting regions in East and Southeast Asia, with a notable focus on Vietnam.

Palo Alto Networks’ Unit 42 has been monitoring this activity under the identifier CL-UNK-1037, where CL denotes a cluster and UNK signifies unknown motivation. The infrastructure and tactics employed in this campaign exhibit significant overlaps with entities previously identified as Group 9 by ESET and DragonRank.

Understanding SEO Poisoning and BadIIS

SEO poisoning involves the manipulation of search engine results to deceive users into visiting unintended or malicious websites, such as those promoting gambling or adult content, for financial gain. In this campaign, the attackers utilize BadIIS, a malicious IIS module, to intercept and modify incoming HTTP web traffic. By injecting specific keywords and phrases into legitimate websites with strong domain reputations, they aim to manipulate search engine algorithms. This tactic ensures that compromised sites appear prominently in search results for targeted terms.

BadIIS is adept at identifying visits from search engine crawlers by analyzing the User-Agent header in HTTP requests. Upon detection, it contacts an external command-and-control (C2) server to retrieve and serve manipulated content. This process causes search engines to index the compromised site as relevant for the injected terms. Consequently, when users search for these terms, they are directed to the legitimate yet compromised site, which then redirects them to malicious destinations.
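Because the module serves different content to crawlers than to browsers, the cloaking leaves a measurable trace in the server's own access logs: for the same URL, responses to search-engine User-Agents are consistently a different size from responses to ordinary visitors. The following Python script, added here as an illustration and not taken from the Unit 42 report, parses IIS W3C-format log lines and flags paths where the median response size for crawler User-Agents diverges sharply from the median for everyone else. The log lines, the crawler User-Agent list and the size ratio threshold are constructed assumptions; the script also assumes the optional `sc-bytes` field is enabled in the site's logging configuration.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample of IIS W3C log lines (not from the report). IIS encodes
# spaces inside the User-Agent as '+', which keeps each record space-separable.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs(User-Agent) sc-status sc-bytes
2025-09-20 10:00:01 GET /news/index.html - Mozilla/5.0+(Windows+NT+10.0)+Chrome/128.0 200 18204
2025-09-20 10:00:05 GET /news/index.html - Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 61877
2025-09-20 10:00:09 GET /news/index.html - Mozilla/5.0+(iPhone)+Safari/604.1 200 18190
2025-09-20 10:00:15 GET /news/index.html - Mozilla/5.0+(compatible;+bingbot/2.0;++http://www.bing.com/bingbot.htm) 200 60912
2025-09-20 10:01:00 GET /about.html - Mozilla/5.0+(Windows+NT+10.0)+Chrome/128.0 200 7001
2025-09-20 10:01:03 GET /about.html - Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 7044
"""

# Assumed list of crawler User-Agent markers; extend to match your traffic.
CRAWLER_PATTERN = re.compile(r"googlebot|bingbot|baiduspider|yandexbot|duckduckbot|slurp", re.I)


def parse_w3c(text):
    """Yield one dict per record, mapping field names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # malformed or pre-#Fields line; skip rather than guess
        yield dict(zip(fields, values))


def find_cloaked_paths(log_text, ratio=1.5, min_samples=1):
    """Return {uri_stem: (crawler_median_bytes, browser_median_bytes)} for paths
    where successful responses to crawlers are at least `ratio` times larger or
    smaller than responses to ordinary browsers. Keyword and link injection
    aimed at crawlers typically shows up as a much larger crawler response."""
    crawler = defaultdict(list)
    browser = defaultdict(list)
    for rec in parse_w3c(log_text):
        if rec.get("sc-status") != "200":
            continue
        try:
            size = int(rec["sc-bytes"])
        except (KeyError, ValueError):
            continue
        ua = rec.get("cs(User-Agent)", "").replace("+", " ")
        bucket = crawler if CRAWLER_PATTERN.search(ua) else browser
        bucket[rec["cs-uri-stem"]].append(size)

    flagged = {}
    for path in crawler.keys() & browser.keys():
        if len(crawler[path]) < min_samples or len(browser[path]) < min_samples:
            continue
        c = statistics.median(crawler[path])
        b = statistics.median(browser[path])
        low, high = sorted((c, b))
        if high > 0 and (low == 0 or high / low >= ratio):
            flagged[path] = (c, b)
    return flagged


if __name__ == "__main__":
    for path, (c, b) in find_cloaked_paths(SAMPLE_LOG).items():
        print(f"possible cloaking on {path}: crawler median {c} bytes, browser median {b} bytes")
```

On the constructed sample only `/news/index.html` is reported, since crawlers receive roughly 60 KB for it while browsers receive roughly 18 KB; `/about.html` is served identically to both and stays quiet. In production, raise `min_samples` so a single odd request cannot trigger an alert, and confirm a hit by fetching the page yourself with a browser User-Agent and a crawler User-Agent and diffing the two bodies.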

Mechanics of the Attack

The attack unfolds in two primary stages:

1. Lure Creation: Attackers feed manipulated content to search engine crawlers, causing the compromised website to rank for additional, unrelated terms.

2. Trap Execution: Unsuspecting users searching for these terms encounter the compromised site in search results. Upon visiting, they are redirected to malicious sites, often related to gambling or adult content.

In one documented incident, Unit 42 observed attackers leveraging their access to a search engine crawler to pivot to other systems within the network. They created new local user accounts and deployed web shells, facilitating persistent remote access. This access enabled them to exfiltrate source code and upload additional BadIIS implants, further entrenching their presence.

Variants of BadIIS Modules

The threat actors have developed multiple variants of the BadIIS module to achieve their objectives:

– ASP.NET Page Handler: A lightweight handler that proxies malicious content from a remote C2 server, facilitating SEO poisoning.

– Managed .NET IIS Module: This module inspects and modifies every request passing through the application, injecting spam links and keywords from a different C2 server.

– All-in-One PHP Script: Combines user redirection and dynamic SEO poisoning functionalities, streamlining the attack process.

These tailored implants underscore the attackers’ focus on manipulating search engine results and controlling web traffic flow.
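Both the ASP.NET page handler and the managed .NET module described above have to be registered in IIS configuration before they run, under `<system.webServer>` as `<handlers>` and `<modules>` entries in `web.config` (native modules appear as `<globalModules>` entries in `applicationHost.config`). A defender can therefore inventory those sections and compare them with a known-good baseline. The Python script below, added here as an example and not part of the Unit 42 analysis, does exactly that against a constructed `web.config`; the entry names, assembly names and the baseline set are placeholders, not indicators from the campaign.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the report). "ContentFilter" and
# "StaticContent" stand in for entries that were not part of the original build.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <modules>
      <add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" />
      <add name="ContentFilter" type="SeoHelper.RequestFilter, SeoHelper" />
    </modules>
    <handlers>
      <add name="PageHandlerFactory-Integrated-4.0" path="*.aspx" verb="GET,HEAD,POST,DEBUG" type="System.Web.UI.PageHandlerFactory" />
      <add name="StaticContent" path="/static/*" verb="GET" type="Site.Handlers.StaticProxy, SiteHandlers" />
    </handlers>
  </system.webServer>
</configuration>
"""

# Baseline of entries expected on this server. In practice this comes from a
# known-good deployment image or from the same file captured at build time;
# here it is a constructed example.
BASELINE = {
    "modules": {"UrlRoutingModule-4.0"},
    "handlers": {"PageHandlerFactory-Integrated-4.0"},
}

SECTIONS = ("modules", "handlers", "globalModules")


def registered_entries(config_text):
    """Return {section: {name: attributes}} for every <add> under the
    modules, handlers and globalModules sections found anywhere in the file."""
    root = ET.fromstring(config_text)
    found = {section: {} for section in SECTIONS}
    for section in SECTIONS:
        # iter() is used instead of an XPath so the dotted <system.webServer>
        # parent and nested <location> wrappers need no special handling.
        for container in root.iter(section):
            for add in container.findall("add"):
                name = add.get("name")
                if name:
                    found[section][name] = dict(add.attrib)
    return found


def unexpected_entries(config_text, baseline=BASELINE):
    """Return a list of (section, name, implementation, path) tuples for
    entries not present in the baseline. 'implementation' is the managed
    type for web.config entries or the DLL image for native modules."""
    report = []
    for section, entries in registered_entries(config_text).items():
        allowed = baseline.get(section, set())
        for name, attrs in entries.items():
            if name in allowed:
                continue
            implementation = attrs.get("type") or attrs.get("image", "")
            report.append((section, name, implementation, attrs.get("path", "")))
    return report


if __name__ == "__main__":
    for section, name, impl, path in unexpected_entries(SAMPLE_WEB_CONFIG):
        print(f"unexpected {section[:-1]} '{name}': {impl} {path}".rstrip())
```

Run against a real server, the script is pointed at each site's `web.config` and at `%windir%\System32\inetsrv\config\applicationHost.config`, with the baseline generated from a clean install of the same application. Any entry it reports deserves a look at the referenced assembly or DLL: who signed it, when it was written to disk, and whether the application's own source tree contains it.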

Attribution and Broader Context

Unit 42’s analysis indicates with high confidence that a Chinese-speaking actor is behind this campaign. This assessment is based on linguistic evidence and infrastructural similarities with the Group 9 cluster.

This revelation follows closely on the heels of ESET’s disclosure of a previously undocumented threat cluster named GhostRedirector. This cluster compromised at least 65 Windows servers, primarily in Brazil, Thailand, and Vietnam, using a malicious IIS module called Gamshen to facilitate SEO fraud.

Implications and Recommendations

The emergence of campaigns like Operation Rewrite highlights the evolving tactics of cyber adversaries who exploit SEO mechanisms to propagate malware and achieve financial gains. Organizations, especially those operating IIS servers, must remain vigilant. Implementing robust security measures, regularly updating software, and monitoring for unusual web traffic patterns are crucial steps in mitigating such threats.

By understanding the methodologies employed in SEO poisoning campaigns and the functionalities of malware like BadIIS, organizations can better defend against these insidious attacks and protect their digital assets.