Microsoft Internet Information Services (IIS) servers are being compromised by attackers deploying the BadIIS malware. The campaign, attributed to the DragonRank group, targets servers across a range of industries and poses significant risk to organizations worldwide.
According to Trend Micro researchers, BadIIS gains its foothold by exploiting vulnerabilities in IIS servers and then manipulates the HTTP responses the server sends. The malware operates in two primary modes: SEO Fraud Mode and Injector Mode.
In SEO Fraud Mode, BadIIS alters HTTP headers to redirect search engine traffic to fraudulent websites, boosting the visibility of attacker-controlled sites.
In Injector Mode, the malware injects malicious JavaScript into legitimate server responses, redirecting users to phishing sites or malware-hosting pages.
The DragonRank group, a Chinese-speaking hacking collective, is believed to be behind these attacks.
The financially motivated campaign primarily targets Asia, including India, Thailand, and Vietnam, but has also affected servers in Europe and beyond. The group uses web shells such as ASPXSpy to exploit vulnerabilities in web applications such as WordPress and phpMyAdmin.
Organizations are advised to regularly patch their IIS servers to address known vulnerabilities and restrict administrative access using strong passwords and multi-factor authentication. Additionally, monitoring network traffic for anomalies and continuously reviewing server logs for unusual activity are crucial steps in detecting and preventing such attacks.
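Both modes described above change what the server returns depending on who is asking, so one practical check a defender can add to the monitoring routine is to fetch the same URL as a browser and as a search-engine crawler and compare the two answers. The following is an added example (not code from the article or from Trend Micro) that performs that comparison on constructed sample responses; the hostnames are placeholders, and a real deployment would feed it responses from an HTTP client.

```python
"""Differential check for tampered IIS responses (added example, constructed data)."""
import re
from dataclasses import dataclass

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def script_tags(body: str) -> set:
    """Return the <script> elements in an HTML body, whitespace-normalised."""
    return {" ".join(m.split()) for m in SCRIPT_RE.findall(body)}


def diff_responses(browser: Response, crawler: Response) -> list:
    """Compare a browser-UA fetch with a crawler-UA fetch of the same URL.
    Returns human-readable findings; an empty list means no divergence."""
    findings = []
    # SEO Fraud Mode: only the crawler is redirected, or gets a different status.
    if crawler.status // 100 == 3 and browser.status // 100 != 3:
        loc = crawler.headers.get("Location", "<none>")
        findings.append(f"crawler-only redirect {crawler.status} -> {loc}")
    elif browser.status != crawler.status:
        findings.append(f"status differs: browser {browser.status}, crawler {crawler.status}")
    # Injector Mode: script elements served to one client but not the other.
    browser_only = script_tags(browser.body) - script_tags(crawler.body)
    crawler_only = script_tags(crawler.body) - script_tags(browser.body)
    for tag in sorted(browser_only):
        findings.append(f"script served only to browsers: {tag[:80]}")
    for tag in sorted(crawler_only):
        findings.append(f"script served only to crawlers: {tag[:80]}")
    return findings


# Constructed sample responses; hostnames are placeholders, not real indicators.
CLEAN = "<html><head><title>Shop</title></head><body>Welcome</body></html>"
INJECTED = CLEAN.replace(
    "</body>", '<script src="//cdn.example.invalid/x.js"></script></body>'
)


def demo() -> list:
    """Simulate a compromised server: browsers get injected JS, crawlers a redirect."""
    browser = Response(200, {"Content-Type": "text/html"}, INJECTED)
    crawler = Response(302, {"Location": "http://seo.example.invalid/"}, "")
    return diff_responses(browser, crawler)
```

Run the comparison from an external vantage point as well as on the server itself, since a malicious IIS module can shape what local tooling sees.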
#CyTech #CyTechNewsRoom #Cybersecurity #CISO #CISOWorkplace™ #CIM #EDR #Malware #IISServers #BadIISMalware