Attack Chain

1. The attacker gains initial access to the target IIS server through unknown means.
2. The attacker deploys the BadIIS malware, often utilizing Chinese-language folder paths, onto the compromised server.
3. The BadIIS malware installs itself as an IIS module, allowing it to intercept and modify HTTP requests.
4. The malware configures traffic redirection rules, redirecting legitimate user traffic to attacker-controlled illicit sites.
5. The malware performs malicious SEO fraud by injecting hidden keywords and links into server content, boosting the ranking of malicious websites.
6. The BadIIS malware is updated with reactive evasion tactics to avoid detection by security vendors.
7. The attacker monitors the hijacked traffic and SEO performance, making adjustments to maximize profits.
8. The attacker maintains persistence on the compromised server for continued operation and potential further exploitation.

Impact

Compromised IIS servers are silently redirected to illicit sites, leading to financial losses for victims and reputational damage for server owners. The malware’s ability to perform SEO fraud can also impact the search engine rankings of legitimate websites. The NYC Health + Hospitals breach affected at least 1.8 million people. The theft of biometric information, including fingerprints and palm prints is particularly sensitive.

Recommendation

• Monitor IIS environments for unauthorized traffic redirection and unexpected reverse proxying using network connection logs and web server logs.
• Hunt for the “demo.pdb” strings and associated Chinese-language folder paths within IIS binaries as mentioned in the overview.
• Update endpoint detection solutions to catch reactive evasion tactics employed by the malware.
• Deploy the file hash IOCs to your endpoint detection and response (EDR) and SIEM systems.
• Monitor for the creation of new IIS modules and modifications to existing ones using file integrity monitoring (FIM) solutions and the process_creation category.