Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
A Chinese-speaking threat actor group, tracked as CL-UNK-1037, has been conducting a large-scale SEO poisoning campaign called Operation Rewrite. The attackers use a malicious IIS module named BadIIS to intercept and alter web traffic on compromised servers, manipulating search engine results to redirect users to malicious sites. The campaign primarily targets East and Southeast Asia, with a focus on Vietnam. The attackers employ various tools including native IIS modules, ASP.NET handlers, and PHP scripts. The operation shows links to previously known threat groups like Group 9 and possibly DragonRank. The campaign demonstrates sophisticated techniques for search result manipulation and traffic redirection, posing significant risks to unsuspecting internet users.
OPENCTI LABELS:
seo poisoning, dragonrank, group 9, badiis, web shells, chinese-speaking, iis module, vietnam
AI COMMENTARY:
1. Introduction to Operation Rewrite
Operation Rewrite represents a significant shift in the tactics used by Chinese-speaking threat actors to compromise web infrastructure at scale. Tracked as CL-UNK-1037, this group has deployed a custom IIS module named BadIIS to intercept and alter legitimate web traffic on compromised servers. By manipulating search engine results pages through SEO poisoning, the attackers can redirect unsuspecting users to malicious landing pages loaded with further exploits. This blog explores the mechanics, targets, and defensive measures you need to know to counter this sophisticated campaign.
2. Anatomy of the SEO Poisoning Technique
The core of Operation Rewrite lies in the malicious IIS module BadIIS, which is installed alongside familiar web shells and native ASP.NET handlers. Once embedded, BadIIS inspects incoming HTTP requests and rewrites search result links on the fly. Users who click what appear to be legitimate search results are silently redirected to attacker-controlled domains. These domains host exploit kits or phishing pages designed to harvest credentials and deploy additional malware. By blending seamlessly with normal traffic, the campaign evades cursory detection while amplifying its reach through search engines.
3. Tools and Tactics of CL-UNK-1037
In addition to BadIIS, the threat actors employ PHP scripts for initial backdoor installation as well as custom ASP.NET handlers that facilitate persistence. The group leverages stolen or weak credentials to plant web shells, then escalates privileges to load the malicious IIS module. Their multi-stage approach starts with SEO manipulation and can progress to data exfiltration or lateral movement. This layered methodology echoes techniques attributed to earlier groups such as Group 9 and shares similarities with DragonRank's manipulation of search rankings for profit.
4. Regional Focus and Impact
While Operation Rewrite has a global footprint, its primary targets are web servers in East and Southeast Asia, with Vietnam experiencing the heaviest concentration of attacks. Victims range from small business websites to government portals. Compromised sites see their search result listings hijacked, leading to significant reputational damage and potential data loss. End users who follow these poisoned links expose themselves to credential theft and drive-by downloads, creating a ripple effect of compromise that can span multiple sectors and geographies.
5. Historical Connections and Attribution
Analysis of BadIIS code and deployment metadata reveals overlaps with tactics used by Group 9, as well as patterns consistent with DragonRank's earlier SEO-based manipulation campaigns. CL-UNK-1037's choice of Chinese-language modules, their targeting preferences, and the reuse of web shell signatures all point to a nexus of operators with shared expertise. While definitive attribution remains challenging, these technical links underscore the collaborative nature of threat actor ecosystems in the region.
6. Mitigation and Detection Strategies
To defend against Operation Rewrite, organizations should audit IIS servers for unauthorized modules and validate the integrity of native handlers. Monitoring web logs for abnormal URL rewrite rules and unexpected outbound connections can reveal the presence of BadIIS or related web shells. Implementing strict password policies, regularly updating IIS and associated frameworks, and deploying runtime application self-protection (RASP) tools will significantly reduce the attack surface. Finally, collaborating with search engine providers to flag and remove poisoned listings can help curb the campaign's reach.
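As an added illustration of the log-monitoring advice above (example code written for this note, not tooling from the report or from the actors it describes): a small Python script that parses IIS W3C log lines and flags the two behaviours the commentary attributes to BadIIS, visitors arriving from a search engine who receive a redirect, and paths where search-engine crawlers get a 200 while ordinary visitors get redirected (cloaking). The sample log lines, the referer list and the crawler user-agent list are constructed assumptions.

```python
# Added example, not code from the report: flag BadIIS-style SEO poisoning
# behaviour in IIS W3C logs. Referer/crawler lists and log lines are constructed.
from collections import defaultdict

SEARCH_REFERERS = ("google.", "bing.", "baidu.", "coccoc.")  # assumed list
CRAWLER_UAS = ("googlebot", "bingbot", "baiduspider")        # assumed list

# Constructed sample log in IIS W3C format (a subset of the default fields).
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2024-05-01 10:00:01 GET /news/index.aspx - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) https://www.google.com/ 302
2024-05-01 10:00:02 GET /news/index.aspx - 203.0.113.11 Mozilla/5.0+(compatible;+Googlebot/2.1) - 200
2024-05-01 10:00:03 GET /news/index.aspx - 203.0.113.12 Mozilla/5.0+(Windows+NT+10.0) - 200
2024-05-01 10:00:04 GET /about.aspx - 203.0.113.13 Mozilla/5.0+(Windows+NT+10.0) https://www.bing.com/ 200
"""

def parse_w3c(text):
    # Parse W3C extended log text into dicts keyed by the names in the #Fields line.
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated lines
                rows.append(dict(zip(fields, parts)))
    return rows

def is_search_referred(row):
    return any(s in row.get("cs(Referer)", "-").lower() for s in SEARCH_REFERERS)

def is_crawler(row):
    return any(c in row.get("cs(User-Agent)", "-").lower() for c in CRAWLER_UAS)

def find_seo_poisoning(rows):
    # Return (kind, path, detail) findings for the two poisoning patterns.
    findings = []
    stats = defaultdict(lambda: {"crawler_200": 0, "user_3xx": 0})
    for r in rows:
        path, status = r["cs-uri-stem"], r["sc-status"]
        # Pattern 1: a visitor who came from a search engine was redirected.
        if is_search_referred(r) and status.startswith("3"):
            findings.append(("search_referred_redirect", path, r["c-ip"]))
        # Pattern 2 (cloaking): crawlers get 200 where ordinary users get 3xx.
        if is_crawler(r) and status == "200":
            stats[path]["crawler_200"] += 1
        elif not is_crawler(r) and status.startswith("3"):
            stats[path]["user_3xx"] += 1
    for path, c in stats.items():
        if c["crawler_200"] and c["user_3xx"]:
            findings.append(("cloaking_suspected", path, f"crawler_200={c['crawler_200']} user_3xx={c['user_3xx']}"))
    return findings
```

Real IIS logs carry more fields and use the `#Fields:` header to name them, so the parser works unchanged on a production log; a hit on either pattern is a reason to inspect the server's loaded native modules and rewrite configuration, not proof of compromise on its own.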