Using BADIIS malware to carry out a massive SEO poisoning campaign, the Chinese-speaking group REF4033, also known as UAT-8099, has compromised over 1,800 Windows servers worldwide in a concerted cybercrime operation. In order to manipulate search engine rankings and divert users to illegal websites, this operation mainly targets IIS servers by injecting malicious modules. The group infiltrates trusted infrastructure, such as corporate, educational, and governmental systems, across several regions using a combination of misleading redirection techniques and keyword-rich content.

A malicious IIS module called BADIIS inserts code that manipulates search engine optimization into compromised websites. Once installed, the module diverts the server's genuine web traffic to pornographic, gambling, and fraudulent cryptocurrency websites.

These illegal websites aim to extract money from visitors, while the malware hides its activity from search engines and trades on the reputation of the compromised servers to generate income for the attackers.

[Figure: Execution flow for REF4033 (Source: Elastic)]

Intrusion Methods and Malware Analysis

The BADIIS campaign's attack methodology has two stages. First, the malware targets search engine crawlers by inserting malicious SEO content, which increases the visibility of the attackers' network of illegal websites.

This content eventually pollutes search results. Compromised servers then redirect users to malicious websites, including fraudulent clones of the Upbit exchange and other cryptocurrency platforms. The intrusion begins with the deployment of a malicious executable called CbsMsgApi.exe, which establishes persistence on the compromised system.

[Figure: Untrustworthy Windows Service Alert for DLL Creation (Source: Elastic)]

This executable creates a new Windows service called "WalletServiceInfo", which loads a malicious DLL called CbsMsgApi.dll; the DLL performs the configuration changes that the BADIIS module requires. The malware then alters the IIS configuration so that the malicious module is loaded into the server's request-processing pipeline, where it controls the server's behaviour based on specific request parameters such as the User-Agent or Referer header values. One of BADIIS's most notable features is its ability to evade detection by filtering traffic according to user agent or region.
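Because the module is registered through the IIS configuration, the configuration file itself is a good place to look for it. The script below is an added example (not code from Elastic or from the report) that parses the globalModules and modules sections of an applicationHost.config and flags any native module whose DLL sits outside the directories IIS ships its own modules from. The sample config, the allowlist of trusted directories and the path C:\ProgramData\CbsMsgApi.dll are constructed assumptions; only the module name CbsMsgApi comes from the report.

```python
"""Audit an IIS applicationHost.config for native modules registered from
untrusted paths.

Added example, not code from Elastic or from the report it describes. The
sample config, the trusted-directory allowlist and the DLL path used for the
suspicious entry are all constructed assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: two stock IIS modules plus one registered from an unusual path.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="CbsMsgApi" image="C:\ProgramData\CbsMsgApi.dll" />
    </globalModules>
    <modules>
      <add name="UriCacheModule" />
      <add name="StaticFileModule" />
      <add name="CbsMsgApi" />
    </modules>
  </system.webServer>
</configuration>
"""


def expand_windir(path: str, windir: str) -> str:
    """Expand %windir% / %SystemRoot% as IIS does and normalise slashes."""
    expanded = re.sub(r"%(windir|systemroot)%", lambda _m: windir, path, flags=re.I)
    return expanded.replace("/", "\\")


def audit_iis_modules(xml_text: str, windir: str = r"C:\Windows"):
    """Return [(module name, resolved DLL path, enabled?)] for every global
    module whose DLL lies outside the trusted IIS directories."""
    # Assumption: stock IIS and ASP.NET native modules live under these two trees.
    trusted_prefixes = tuple(
        (windir + suffix).lower()
        for suffix in ("\\system32\\inetsrv\\", "\\microsoft.net\\")
    )
    root = ET.fromstring(xml_text)

    # A name listed in any <modules> section is active in the request pipeline.
    enabled = {
        add.get("name")
        for section in root.iter("modules")
        for add in section.findall("add")
    }

    findings = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name = add.get("name", "<unnamed>")
            image = expand_windir(add.get("image", ""), windir)
            if not image.lower().startswith(trusted_prefixes):
                findings.append((name, image, name in enabled))
    return findings


if __name__ == "__main__":
    for name, image, active in audit_iis_modules(SAMPLE_CONFIG):
        state = "ENABLED" if active else "registered only"
        print(f"untrusted module {name}: {image} ({state})")
```

On a live server the file to read is %windir%\System32\inetsrv\config\applicationHost.config; the WebAdministration cmdlet Get-WebGlobalModule lists the same entries if you prefer to collect them from PowerShell. A hit is a starting point, not a verdict: confirm by checking the DLL's signature and its creation time against the service-creation event the report describes.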

It ensures that traffic is redirected to location-specific illegal websites by dynamically modifying its redirection strategies using encrypted URLs and configuration files.

Visitors to compromised servers in China, for example, are routed to regional gambling websites, while South Korean users are directed to the fraudulent Upbit exchange. During this campaign the attackers have compromised a variety of industries, particularly in the Asia-Pacific region, including financial services, healthcare providers, educational institutions, and government agencies.
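The filtering described above means a normal browser visit to an infected site looks clean; the malicious behaviour only appears to a crawler or to a visitor arriving from a search engine. The probe below is an added example (not code from Elastic or from the report) that requests one URL on a server you operate under three client identities and reports any off-site redirect or content divergence. The fetch function is injected so the check runs offline against the constructed stand-in servers at the bottom; the user-agent strings, similarity threshold and sample pages are assumptions.

```python
"""Probe a web server you operate for User-Agent / Referer cloaking.

Added example, not code from Elastic or from the report. `fetch(url, headers)`
must return (status, location_header_or_None, body); for a real server wrap
requests.get(url, headers=headers, allow_redirects=False). The UA strings,
threshold and stand-in pages below are constructed assumptions.
"""
import difflib
from urllib.parse import urlsplit

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Three identities: plain browser, search engine crawler, browser arriving from a search.
PROFILES = {
    "browser": {"User-Agent": BROWSER_UA},
    "crawler": {"User-Agent": CRAWLER_UA},
    "search-referred": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/search?q=example"},
}


def similarity(a: str, b: str) -> float:
    """Whitespace-insensitive similarity ratio between two HTML bodies."""
    return difflib.SequenceMatcher(None, " ".join(a.split()), " ".join(b.split())).ratio()


def check_cloaking(url, fetch, threshold=0.8):
    """Return human-readable findings; an empty list means no cloaking was observed."""
    own_host = urlsplit(url).hostname
    results = {name: fetch(url, headers) for name, headers in PROFILES.items()}
    base_status, _, base_body = results["browser"]
    base_redirect = 300 <= base_status < 400

    findings = []
    for name in ("crawler", "search-referred"):
        status, location, body = results[name]
        if 300 <= status < 400 and location and not base_redirect:
            # Redirect that only this identity receives, pointing at another host.
            target = urlsplit(location).hostname
            if target and target != own_host:
                findings.append(f"{name}: redirected off-site to {target} (browser got {base_status})")
        elif status == 200 and base_status == 200:
            # Both got a page, but the crawler's or referred visitor's page differs.
            ratio = similarity(base_body, body)
            if ratio < threshold:
                findings.append(f"{name}: content differs from browser view (similarity {ratio:.2f})")
    return findings


# --- constructed stand-ins used for the offline demonstration ---------------
REAL_PAGE = "<html><body><h1>Acme Widgets</h1><p>Quality widgets since 1990.</p></body></html>"
SEO_PAGE = "<html><head><title>spam keyword</title></head><body>" + "spam keyword " * 40 + "</body></html>"


def fake_compromised_server(url, headers):
    """Mimics the cloaking behaviour the report describes (constructed fixture)."""
    if "Googlebot" in headers.get("User-Agent", ""):
        return 200, None, SEO_PAGE
    if "google.com" in headers.get("Referer", ""):
        return 302, "https://redirect.invalid/landing", ""
    return 200, None, REAL_PAGE


def fake_clean_server(url, headers):
    """A server that answers every identity the same way."""
    return 200, None, REAL_PAGE


if __name__ == "__main__":
    for label, server in (("compromised", fake_compromised_server), ("clean", fake_clean_server)):
        print(label, check_cloaking("https://www.example.com/", server) or ["no cloaking observed"])
```

Because the report says redirection targets also vary by region, a thorough check repeats the probe from the geographies the site serves; a single vantage point can miss a location-specific rule.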

[Figure: CbsMsgApi.dll sample listing in VirusTotal (Source: Elastic)]

Nearly 30% of the compromised servers are hosted on well-known cloud platforms, such as Amazon Web Services (AWS), Microsoft Azure, Alibaba Cloud, and Tencent Cloud. The attack's extensive reach underlines how important it is to protect web infrastructure and to raise awareness of SEO poisoning techniques.

Organizations must take proactive measures to protect themselves from targeted cybercrime campaigns, as attackers continue to use legitimate infrastructure for malevolent ends.

Indicators of compromise

Type      Value                                                               Description
SHA-256   055bdcaa0b69a1e205c931547ef863531e9fdfdaac93aaea29fb701c7b468294    CbsMsgApi.exe
SHA-256   2340f152e8cb4cc7d5d15f384517d756a098283aef239f8cbfe3d91f8722800a    CbsMsgApi.exe.dll
Domain    gotz003[.]com                                                       Config server
Domain    jbtz003[.]com                                                       Legacy
Imphash   1e4b23eee1b96b0cc705da1e7fb9e2f3                                    Loader