More than 35 Microsoft Internet Information Services (IIS) servers in China, India, Korea, Thailand, Belgium, and the Netherlands, spanning several industries including healthcare, agriculture, media, and IT services, have been compromised with the BadIIS malware, which enables proxyware and search engine optimization (SEO) fraud, as part of the novel DragonRank black hat SEO attack cluster, reports The Hacker News.
According to a Cisco Talos study, attackers have exploited vulnerabilities in WordPress and other web applications to deploy the open-source ASPXspy web shell, which they then use to compromise IIS servers with the malware; BadIIS lets them modify search engine algorithm behavior without being detected by security systems. Cisco Talos researchers said the threat actors have also sought to compromise additional servers on the targets' networks using the PlugX backdoor and the Mimikatz, BadPotato, GodPotato, and PrintNotifyPotato credential-harvesting tools, and they noted DragonRank's flexibility in accommodating the needs of its clients' fraudulent schemes.