Table of contents
- A new cyber threat targeting IIS servers
- Attack targets: governments, universities, and tech companies
- DragonRank’s role in spreading BadIIS
- The infrastructure behind the attack: Funnull and Triad Nexus
- Conclusion: a growing cyber security crisis
A new cyber threat targeting IIS servers
A group of cybercriminals has been targeting Internet Information Services (IIS) servers across Asia, exploiting them in a massive search engine optimization (SEO) fraud campaign. The malware in question, known as BadIIS, allows attackers to redirect user traffic to illegal gambling websites, generating illicit profits.
According to a report by Trend Micro security researchers, the campaign is financially motivated, leveraging organic search traffic to funnel users into fraudulent platforms.
Attack targets: governments, universities, and tech companies
The compromised IIS servers are primarily located in India, Thailand, Vietnam, the Philippines, Singapore, Taiwan, South Korea, Japan, and Brazil. Affected entities include government institutions, universities, technology companies, and telecom providers, making this attack particularly concerning for critical infrastructure security.
Once compromised, the servers modify HTTP responses, redirecting users to fraudulent sites, credential harvesting pages, or attacker-controlled servers. This allows the hackers to manipulate web traffic for illicit purposes.
DragonRank’s role in spreading BadIIS
Security analyses attribute this campaign to the DragonRank group, a Chinese cybercriminal entity identified by Cisco Talos in 2024.
This group employs sophisticated methods to inject malicious code into IIS servers, enabling SEO fraud and gambling site redirections.
The BadIIS malware inspects incoming HTTP requests, examining headers such as User-Agent and Referer. If it finds search-engine-related markers (for example, a search-engine crawler User-Agent or a search-engine Referer), it serves a redirect to a fraudulent site instead of the page the visitor requested; ordinary direct visitors see the legitimate content, which is what lets the cloaking go unnoticed.
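The cloaking behaviour just described leaves a detectable trace in ordinary IIS W3C logs: search-origin requests for a URI get 3xx responses while direct requests for the same URI get 200. The script below is an added, defender-side example written for this article, not code from Trend Micro's report or from the malware; the log lines, field layout and search-engine marker list are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed IIS W3C field layout (matches a common default logging configuration).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Constructed sample log (IIS encodes spaces in header values as '+').
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-02-10 08:00:01 10.0.0.5 GET /about.aspx - 443 - 203.0.113.10 Mozilla/5.0+(compatible;+Googlebot/2.1) - 302 0 0 15
2025-02-10 08:00:02 10.0.0.5 GET /about.aspx - 443 - 203.0.113.11 Mozilla/5.0+(Windows+NT+10.0) https://www.google.com/ 302 0 0 12
2025-02-10 08:00:03 10.0.0.5 GET /about.aspx - 443 - 203.0.113.12 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 40
2025-02-10 08:00:04 10.0.0.5 GET /contact.aspx - 443 - 203.0.113.13 Mozilla/5.0+(compatible;+bingbot/2.0) - 200 0 0 30
2025-02-10 08:00:05 10.0.0.5 GET /contact.aspx - 443 - 203.0.113.14 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 33
"""

# Assumed marker list: crawler User-Agents and search-engine Referer hosts.
SEARCH_RE = re.compile(r"googlebot|bingbot|baiduspider|yandex|google\.|bing\.|baidu\.", re.I)

def parse_iis_log(text):
    """Yield one dict per data row of W3C-format IIS log text, skipping # directives."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) == len(FIELDS):
            yield dict(zip(FIELDS, parts))

def is_search_origin(row):
    """True when the request looks like it came from, or via, a search engine."""
    return bool(SEARCH_RE.search(row["cs(User-Agent)"]) or SEARCH_RE.search(row["cs(Referer)"]))

def find_cloaked_redirects(text):
    """Return URIs where every search-origin request was redirected (3xx)
    while at least one direct request received a normal 200 response."""
    stats = defaultdict(lambda: {"search_3xx": 0, "search_total": 0, "direct_200": 0})
    for row in parse_iis_log(text):
        s, status = stats[row["cs-uri-stem"]], row["sc-status"]
        if is_search_origin(row):
            s["search_total"] += 1
            if status.startswith("3"):
                s["search_3xx"] += 1
        elif status == "200":
            s["direct_200"] += 1
    return sorted(uri for uri, s in stats.items()
                  if s["search_total"] and s["search_3xx"] == s["search_total"] and s["direct_200"])

if __name__ == "__main__":
    print("Suspicious cloaked URIs:", find_cloaked_redirects(SAMPLE_LOG))
```

On the sample log, /about.aspx is flagged because both search-origin requests were redirected while a direct visitor got 200; /contact.aspx is not. Run the same check over a day of real logs and treat any hit as a reason to audit the server's installed native IIS modules.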
The infrastructure behind the attack: Funnull and Triad Nexus
DragonRank’s campaign is also linked to a broader cybercriminal network operated through Funnull, a China-based content delivery network (CDN).
According to Silent Push, Funnull rents IP addresses from legitimate providers like Amazon Web Services (AWS) and Microsoft Azure to host malicious websites. This method, known as infrastructure laundering, helps hackers evade detection: the malicious sites sit behind reputable cloud-provider address space, so reputation-based blocking is far less effective.
Data reveals that Funnull has leased over 1,200 IP addresses from Amazon and nearly 200 from Microsoft, using them for phishing schemes, romance scams, and money laundering through fake gambling sites.
While many of these IPs have been taken down, new ones are continuously acquired, making mitigation efforts highly challenging.
Conclusion: a growing cyber security crisis
The DragonRank campaign highlights the rising threat posed by compromised IIS servers. Using the BadIIS malware for SEO fraud and user redirection showcases how cybercriminals are increasingly adept at manipulating web traffic for illicit gains.
Organizations must strengthen their defenses by implementing advanced monitoring systems, regularly updating their servers, and adopting robust cyber security strategies to counter these threats.