"Cybersecurity researchers are calling attention to a search engine optimization (SEO) poisoning campaign likely undertaken by a Chinese-speaking threat actor using a malware called BadIIS in attacks targeting East and Southeast Asia, particularly with a focus on Vietnam. The activity, dubbed Operation Rewrite, is being tracked by Palo Alto Networks Unit 42 under the moniker CL-UNK-1037, where "CL" stands for cluster and "UNK" refers to unknown motivation."
"The IIS module is equipped to flag visitors originating from search engine crawlers by inspecting the User-Agent header in the HTTP request, allowing it to contact an external server to fetch the poisoned content to alter the SEO and cause the search engine to index the victim site as a relevant result for the terms found in the command-and-control (C2) server response."
Operation Rewrite is a search engine optimization (SEO) poisoning campaign that leverages a malicious native Internet Information Services (IIS) module named BadIIS to intercept and modify HTTP traffic on compromised legitimate servers. The module identifies search engine crawlers by inspecting User-Agent headers and contacts an external command-and-control server to fetch poisoned content and injected keywords, causing search engines to index victim sites for targeted terms. Compromised sites retain reputable domains while redirecting human visitors to scam or unwanted destinations. The campaign targets East and Southeast Asia, notably Vietnam, and shows infrastructure overlap with Group 9.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]