Chinese-Speaking Group Manipulates SEO with BadIIS

    Date: February 10, 2025

    Severity: High

    Summary

    Our researchers identified an SEO manipulation campaign that abuses Internet Information Services (IIS) servers with the BadIIS malware. The campaign appears financially motivated: it redirects users to illegal gambling websites, so the operators deploy BadIIS for profit. Victims identified so far are in Asia, including India, Thailand, and Vietnam, but the campaign's reach could extend globally. Organizations running IIS should keep their servers updated and patched to reduce the risk of BadIIS being installed, and should hunt for the indicators listed below.
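    BadIIS is deployed as a native IIS module, so a first host-side check on any IIS server is to list the modules IIS actually loads and compare the on-disk hash of each image with the SHA-256 indicators in this advisory. The Python script below is an added example written for this page, not code from the advisory or from Trend Micro. The applicationHost.config snippet, the file contents and the `%windir%` mapping in `demo()` are all constructed, and the "image loaded from outside the trusted inetsrv directory" rule is an editorial heuristic, not something the advisory states.

```python
"""Inventory the native modules IIS loads (applicationHost.config
<globalModules>) and compare each image's SHA-256 with known-bad hashes.
Added example for this page; the demo data is constructed."""
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# A few SHA-256 indicators copied from this advisory's IOC list.
ADVISORY_HASHES = {
    "8a49966eb90acc5c05a6bba523f1dd0d58127ab731d44c7304204fa02bf61186",
    "bbf9d7dafba979ef9c1e8531a20d3bea1adcdbb628816ce8781d7eeb6292f265",
    "33e5e5e773d1909004d4b38a0e4e3e97e46cbdb7b17f94b28fce2c9ad0a375d3",
}

_WINVAR = re.compile(r"%([^%]+)%")


def expand_windows_vars(path: str, env: dict) -> str:
    """Expand %NAME% references case-insensitively from the given mapping
    (pass os.environ on a real Windows host)."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _WINVAR.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def parse_global_modules(config_xml: str) -> list:
    """(name, image) for every <add> under <globalModules>."""
    root = ET.fromstring(config_xml)
    return [(add.get("name"), add.get("image"))
            for gm in root.iter("globalModules") for add in gm.findall("add")]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_modules(config_xml: str, known_bad: set, env: dict, trusted_dir: str) -> list:
    """One finding per module that is missing on disk, hash-matches a known-bad
    sample, or (heuristic) is loaded from outside the trusted directory."""
    trusted = os.path.normcase(os.path.normpath(trusted_dir)) + os.sep
    findings = []
    for name, image in parse_global_modules(config_xml):
        # IIS paths use backslashes; convert so the demo also runs on POSIX.
        path = expand_windows_vars(image, env).replace("\\", os.sep)
        reasons, digest = [], None
        if os.path.isfile(path):
            digest = sha256_file(path)
            if digest in known_bad:
                reasons.append("sha256 matches known-bad hash")
        else:
            reasons.append("image not found on disk")
        if not os.path.normcase(os.path.normpath(path)).startswith(trusted):
            reasons.append("image loaded from outside trusted directory")
        if reasons:
            findings.append({"name": name, "image": path, "sha256": digest, "reasons": reasons})
    return findings


def demo() -> list:
    """Constructed scenario: a module in the trusted directory, a dropped module
    elsewhere whose hash is on the list, and a module whose image is missing."""
    base = tempfile.mkdtemp()
    inetsrv = os.path.join(base, "System32", "inetsrv")
    dropped = os.path.join(base, "Temp")
    os.makedirs(inetsrv)
    os.makedirs(dropped)
    good = os.path.join(inetsrv, "loghttp.dll")
    bad = os.path.join(dropped, "iisupdate.dll")
    with open(good, "wb") as f:
        f.write(b"constructed stand-in for a legitimate module\n")
    with open(bad, "wb") as f:
        f.write(b"constructed stand-in for a dropped module\n")
    # A constructed file cannot hash to a real advisory value, so its digest is
    # added here only to exercise the hash-match path.
    known_bad = ADVISORY_HASHES | {sha256_file(bad)}
    config = f"""<configuration><system.webServer><globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="IISUpdateModule" image="{bad}" />
      <add name="GhostModule" image="%windir%\\System32\\inetsrv\\gone.dll" />
    </globalModules></system.webServer></configuration>"""
    return audit_modules(config, known_bad, {"windir": base}, inetsrv)


if __name__ == "__main__":
    for finding in demo():
        print(finding["name"], finding["reasons"])
```

    On a real server, point `audit_modules` at the contents of `%windir%\System32\inetsrv\config\applicationHost.config`, pass `os.environ` as the mapping and the full advisory hash list as `known_bad`; a module that hash-matches, or that loads from an unexpected directory, should be pulled for analysis before the server is returned to service.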

    Indicators of Compromise (IOC) List

    Domains\Urls :

    chem-db.com

    vnfll22.keeploong.com

    se2.ggseocdn.com

    se2.ggseocdn2.com

    www.xxxx.vip

    js.targetedtrafficcrew.com

    all.targetedtrafficcrew.com

    ll.olacityviet.com

    798.toptopkm88.com

    site.toptopkm88.com

    link.toptoplm88.com

    www.m2313.com

    br.zmdesf.cn

    br.ruicaisiwang.com

    tz123.app

    www.xiagao886.com

    js.cloudflare.cyou

    newth.googlecache.cc

    newthmap.googlecache.cc

    phpmap.googlecache.cc

    vn6789sky.com

    wailian.vn6789sky.com

    sitemap.bet277.vip

    sitemap1.bet277.vip

    brcknkblue.com

    wailian.brcknkblue.com

    eglotanygfa.vip

    wailian.eglotanygfa.vip

    yyds.tmpdrsh.com

    proxy.xxxx.com

    tdk.798love.com

    spider.xxxx.com

    jumpsexxx.com

    www.jumpiis8.com

    six2fc.com

    yitongmingde.com

    qiqiguaiguai2.xyz

    jsc.olacityviet.com

    jsc.bet277.vip

    lucky.668823.com

    bb.vdfskis888.com

    link.vdfskis888.com

    ldy.vdfskis888.com

    th.ntxx.cn

    topck008.com

    link.topck008.com

    googleseo.life

    bryyds.com

    dk8.zone

    dk8.land

    668th.com

    js.officefonts-clo.com

    aafd.tv

    vg9920.store

    vn.coronavg99.com

    coronavg99.xyz

    s995.vip

    zavinac.net

    wailian.zavinac.net

    89vq.me

    tdkgpt.yyds6686.com

    html.aafd.tv

    IP Address : 

    185.106.178.76

    38.207.248.230

    154.7.64.81

    156.229.134.13

    45.120.81.62

    Hash (SHA-256) : 

    8a49966eb90acc5c05a6bba523f1dd0d58127ab731d44c7304204fa02bf61186
    
    bbf9d7dafba979ef9c1e8531a20d3bea1adcdbb628816ce8781d7eeb6292f265
    
    33e5e5e773d1909004d4b38a0e4e3e97e46cbdb7b17f94b28fce2c9ad0a375d3
    
    c732067b3d8763c248051366ab7beeae0d7fbe105884d4d3f8647e3427f36daf
    
    59b416efff07208dc8b1c98a6f754e3abc14e55d71971ddc5581f6bc7ca45837
    
    fe14c579308d356c64bd3be9365014de805a17abab8cb741e2817b8451a92f64
    
    5d838c0dbf164b26c4c5dc20f96d3bf48a5f9fde88bbc1dd02c08007bb184d86
    
    13f094d3eebe9d700360868006ac022a622ec606628adcc3782123d5092224d1
    
    61913e0a38282a42b26aff578da17dab60ac0fbee819fa42db5497cc5cf55760
    
    03bc0ddfa59cfa290c426396f1c5fff45bd2c3ef90152cafc7c662c075dfc7d8
    
    f9017361349421728fc1ac1bc1549b3d23b35bd795f0a83be2e9e517bccaccdc
    
    42906ac10d053eec10c05e2eeebcb06a7d6b307dc0d18083151dff3e0ac70022
    
    a2a9dcdfc6f0aab577bc0f2750ff44050034c0f1c2f8b325a246f4dfe5f33219
    
    bb9b0b20d239b2f5fe6da31fc2d13ec4ba6083238df68befd33d7521570d334e
    
    08f965f640a3ec1c3aa9c31033455fad02550485d0d5b6fe33553d374775f18a
    
    65967f471440449d2f1b615ff1338b8082b0481b617eda4d9f21a9f102b98859
    
    c75a9a104e340473b72140127f3039a08f99a334887afc100d09cffa3c4c8e24
    
    7b190719c3fb9c0bde074981adaf5b04356c9c48fa2fccdb334c4ae218f66fc0
    
    2496bfe15e283affdfcd7f1de9134227671e2cddfb726b46829fa966abb9ac96
    
    2ec893440e04de55bc6bbe4b1db76df532aa42d3140a15dc5365ef520a1d4247
    
    9fbae4ed1de2b09af9a246a021f2a7fc8667492d459ac346eba6719509c41c5a
    
    f1dcd2809a001a0d0ea3221939f7afd2ef9e5bf468709bd91abd70c902c42d45
    
    7ccdd8966adf04ddd9b24dac0d1b8642968598a88ec3f5048b279843bffefb84
    
    facfea68fe95fc81e3b6e04f79fbcba738c79b4de2d0238e4e5a8ba095a2516d
    
    01577f5b0869154fb678bcf86eef50afceb5fc189c87b2085fe5fcdf74cd6ff0
    
    a01ae86a356373f0d3e1b843f50243394308a96bd01978b33e4a91c0f0b19cce
    
    a0bb95eafc9913633c7e27f0f1e6c81eb4c138a809c109ad3abae5fcc47c2cbd
    
    a4906b40232726948f6a5357ad0ee9445512b422ae510d2ef08bd9cf516852bd
    
    6edb1fd609c7e011cd42656af67baf5271d8212933a8c964604d138306b9565f
    
    5b497b4205427198fc922c74cad8275b4256579f8bb5a1f1dbad7151630288a0
    
    7321d599e777088356d7549e638b6b67fc43fc5c9f0c8846ee5aa7f47e35c2eb
    
    ed3882a77cdc372f647e647b66979525a50054a580b43499ce5a97864d772730
    
    24aafe0a2033e2e5ca231ebca0e3c56740754a97ca1f5062305e6b30222fc0ee
    
    e09067e3e134e620b69117caf5bee54c1066b7259b74ddf2399afc64116690c9
    
    e3197285c98965ca0522d3683c0d656e4ab1f8335ca322e1ae8c06b79dfd9b9c
    
    1bb1187daff9610a0c142b48bc04d3e883344ca0eca8fe915d6a02fb3e7571ff
    
    e927d6ea1fdc27c0ae9eb55254bbbd4f501f14ae02e499d7d20cdd83af479b20
    
    df75b0b8ea1f75f0039c158c89e413ed6c4352309cc2cfa282afd1857676a88c
    
    a35f810ed9ffd884d0599aa391d0043ad955e821f8144089116b15f01b8a932b
    
    4091ddc3560fb60bd3ef071367fd833d67c3c6e3e81165aa3d93519b93959658
    
    1cb60c7a121187978661b4bda84279f2324a5779b3f58bac11470a73fe544f6a
    
    8fee015ae0e978e39af2cd1ca74b29202e702d296c110f3a7a90dfadce28d4a6
    
    2e20ce7bc1e653737f05c910759fd2e420fe28f77f80a6d8e7c9346809e4dce7
    
    12e4817abc69918b8556a4f18371c803db3d5191031cb56f835ec33cdb12f0d9
    
    22cebb4f0fe6f4377e91b1e19204eff0f744d316b8c900377d8db4aa4f457801
    
    cc67b50d746b23b9bc6fc12dde8c64d72c7f856521787b964598672d83525915
    
    79b7fe6db452edd3077fb55906beea64c19087a19e5fb35211dd80975db74f9e
    
    a68d83fd210b8ca21370a0f38da8fc0dd20b081e69beef911060924aa708a280
    
    18939c40dd601550da9f07d8115f4b19bec422df4ada9358bac9bd9e9ac94e94
    
    8ae43e6bd2cf0f8ced8f888226a4d6d06a7b03552e9af3d3cde35bb1d9724867
    
    ffceed66dd9935c92ff7922bd5fdfde08e9a2ff78dd3a76dc65a200305779b9c
    
    fec618c4f832d8a182fc1d3b9e58a0bff1a62241a1d17108e84ed1f0c4bb7845
    
    6503770b34c53025793f1674af87d80a8f6ed44b5780490796012a2b771b8f84
    
    e3c73f76f7b08ab6e223918a5b961201f60934ec95e5362529a42c1655395443
    
    21a61777b0f725dd0dbdb2ecd0dd66e952012e94894e71c306059990c2afe377
    
    3b8adf88b10e0c66d97b4909a17d4436a043ded5cf29c85ead22b58917e9ac7b
    
    e8201b4a0f2619224e0720034dfc19a75f77582531bd98a2465a58bbf4a9f8c6
    
    bf45c48b209e5004520b5d541e406c183bccb2fe81f3974c2c53be48017f74ca
    
    02e98650e89146f0bddf29dd73165b9993d52f966d6194d375b6f0fcf737c38a
    
    381dc36504e1b319fde9bbae0a580da9f239b8af8066638f9a4203e58dc16087
    
    fbd3d1828592a2c1f154ebe2283643e24dee1db9f8989ce32e54b00d470a0096
    
    521869f9ee6066c33fb1615cbcad66de157876bd08cec05597e4d3a0405efac8
    
    eda7a7edc01392706a872a5a275940b4a4b9471dc562eb70128ee672872d1407
    
    02dba6f34480eac1d27c83a4ff06e3ba03fc63fcf3067e0957375bfd182ed39b
    
    8eb51f51eea27de8b976bdbcc84f4cf386256dfd9dc3702df8f839490699e173
    
    89169f480810198a2cbb28fab15e0dfc8d1ee53981a9834cb84a84d077db3d17
    
    6606d6e6424f7c25b922905095ba8cbff83357430bf1ef0ce0553a411fed1748
    
    5d0b2015998a8a5a2a60ebdd2f3d6a398e533d198b9157c1558e6913330c24ba
    
    e645ee394546db818350adfb2c55bffea78f405ac0ebb3fb1486e7d2f042c46f
    
    0f7df7ac22957da6a793f641cda611c2c2a294355d4d19b29b6920853a012d98
    
    b6844533bb887e870eb88fba88ed4d616ea8a9573b673faf927846c802f7817c
    
    92e8076a59831156af5dc7058356cc0ad3dbd3c32cd84b08c3c8541ccc32d1c0
    
    a383c13bbe949d0b6dff23e3243c7bbac1813d2ce9d99149cd5b984f051005d0
    
    44bfb9f0e13dd72ed111b5b5600b80b305ab153a0ee2224957e76391b28ac037
    
    3d331e6c5c1b22377b3b4aba9f71d65a10a77df6d8ee64c3a0d7d7de3d1f1565

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\Urls 1 : 

    userdomainname like "jsc.olacityviet.com" or url like "jsc.olacityviet.com" or userdomainname like "ldy.vdfskis888.com" or url like "ldy.vdfskis888.com" or userdomainname like "vn.coronavg99.com" or url like "vn.coronavg99.com" or userdomainname like "brcknkblue.com" or url like "brcknkblue.com" or userdomainname like "dk8.zone" or url like "dk8.zone" or userdomainname like "tdkgpt.yyds6686.com" or url like "tdkgpt.yyds6686.com" or userdomainname like "www.jumpiis8.com" or url like "www.jumpiis8.com" or userdomainname like "jsc.bet277.vip" or url like "jsc.bet277.vip" or userdomainname like "wailian.vn6789sky.com" or url like "wailian.vn6789sky.com" or userdomainname like "link.toptoplm88.com" or url like "link.toptoplm88.com" or userdomainname like "yyds.tmpdrsh.com" or url like "yyds.tmpdrsh.com" or userdomainname like "coronavg99.xyz" or url like "coronavg99.xyz" or userdomainname like "89vq.me" or url like "89vq.me" or userdomainname like "newth.googlecache.cc" or url like "newth.googlecache.cc" or userdomainname like "sitemap1.bet277.vip" or url like "sitemap1.bet277.vip" or userdomainname like "yitongmingde.com" or url like "yitongmingde.com" or userdomainname like "www.xiagao886.com" or url like "www.xiagao886.com" or userdomainname like "all.targetedtrafficcrew.com" or url like "all.targetedtrafficcrew.com" or userdomainname like "br.zmdesf.cn" or url like "br.zmdesf.cn" or userdomainname like "proxy.xxxx.com" or url like "proxy.xxxx.com" or userdomainname like "lucky.668823.com" or url like "lucky.668823.com" or userdomainname like "js.cloudflare.cyou" or url like "js.cloudflare.cyou" or userdomainname like "wailian.eglotanygfa.vip" or url like "wailian.eglotanygfa.vip" or userdomainname like "html.aafd.tv" or url like "html.aafd.tv" or userdomainname like "jumpsexxx.com" or url like "jumpsexxx.com" or userdomainname like "six2fc.com" or url like "six2fc.com" or userdomainname like "link.topck008.com" or url like "link.topck008.com" or userdomainname like "vnfll22.keeploong.com" or url like "vnfll22.keeploong.com" or userdomainname like "bb.vdfskis888.com" or url like "bb.vdfskis888.com" or userdomainname like "topck008.com" or url like "topck008.com" or userdomainname like "668th.com" or url like "668th.com" or userdomainname like "se2.ggseocdn.com" or url like "se2.ggseocdn.com" or userdomainname like "js.officefonts-clo.com" or url like "js.officefonts-clo.com" or userdomainname like "newthmap.googlecache.cc" or url like "newthmap.googlecache.cc" or userdomainname like "eglotanygfa.vip" or url like "eglotanygfa.vip" or userdomainname like "ll.olacityviet.com" or url like "ll.olacityviet.com"

    Domains\Urls 2 :

    userdomainname like "chem-db.com" or url like "chem-db.com" or userdomainname like "se2.ggseocdn2.com" or url like "se2.ggseocdn2.com" or userdomainname like "www.xxxx.vip" or url like "www.xxxx.vip" or userdomainname like "js.targetedtrafficcrew.com" or url like "js.targetedtrafficcrew.com" or userdomainname like "798.toptopkm88.com" or url like "798.toptopkm88.com" or userdomainname like "site.toptopkm88.com" or url like "site.toptopkm88.com" or userdomainname like "www.m2313.com" or url like "www.m2313.com" or userdomainname like "br.ruicaisiwang.com" or url like "br.ruicaisiwang.com" or userdomainname like "tz123.app" or url like "tz123.app" or userdomainname like "phpmap.googlecache.cc" or url like "phpmap.googlecache.cc" or userdomainname like "vn6789sky.com" or url like "vn6789sky.com" or userdomainname like "sitemap.bet277.vip" or url like "sitemap.bet277.vip" or userdomainname like "wailian.brcknkblue.com" or url like "wailian.brcknkblue.com" or userdomainname like "tdk.798love.com" or url like "tdk.798love.com" or userdomainname like "spider.xxxx.com" or url like "spider.xxxx.com" or userdomainname like "qiqiguaiguai2.xyz" or url like "qiqiguaiguai2.xyz" or userdomainname like "link.vdfskis888.com" or url like "link.vdfskis888.com" or userdomainname like "th.ntxx.cn" or url like "th.ntxx.cn" or userdomainname like "googleseo.life" or url like "googleseo.life" or userdomainname like "bryyds.com" or url like "bryyds.com" or userdomainname like "dk8.land" or url like "dk8.land" or userdomainname like "aafd.tv" or url like "aafd.tv" or userdomainname like "vg9920.store" or url like "vg9920.store" or userdomainname like "s995.vip" or url like "s995.vip" or userdomainname like "zavinac.net" or url like "zavinac.net" or userdomainname like "wailian.zavinac.net" or url like "wailian.zavinac.net"

    IP Address : 

    dstipaddress IN ("45.120.81.62","185.106.178.76","156.229.134.13","38.207.248.230","154.7.64.81") or ipaddress IN ("45.120.81.62","185.106.178.76","156.229.134.13","38.207.248.230","154.7.64.81") or publicipaddress IN ("45.120.81.62","185.106.178.76","156.229.134.13","38.207.248.230","154.7.64.81") or srcipaddress IN ("45.120.81.62","185.106.178.76","156.229.134.13","38.207.248.230","154.7.64.81")

    Hash : 

    sha256hash IN ("65967f471440449d2f1b615ff1338b8082b0481b617eda4d9f21a9f102b98859","a4906b40232726948f6a5357ad0ee9445512b422ae510d2ef08bd9cf516852bd","7ccdd8966adf04ddd9b24dac0d1b8642968598a88ec3f5048b279843bffefb84","92e8076a59831156af5dc7058356cc0ad3dbd3c32cd84b08c3c8541ccc32d1c0","6606d6e6424f7c25b922905095ba8cbff83357430bf1ef0ce0553a411fed1748","18939c40dd601550da9f07d8115f4b19bec422df4ada9358bac9bd9e9ac94e94","03bc0ddfa59cfa290c426396f1c5fff45bd2c3ef90152cafc7c662c075dfc7d8","24aafe0a2033e2e5ca231ebca0e3c56740754a97ca1f5062305e6b30222fc0ee","8a49966eb90acc5c05a6bba523f1dd0d58127ab731d44c7304204fa02bf61186","e927d6ea1fdc27c0ae9eb55254bbbd4f501f14ae02e499d7d20cdd83af479b20","8eb51f51eea27de8b976bdbcc84f4cf386256dfd9dc3702df8f839490699e173","8ae43e6bd2cf0f8ced8f888226a4d6d06a7b03552e9af3d3cde35bb1d9724867","0f7df7ac22957da6a793f641cda611c2c2a294355d4d19b29b6920853a012d98","a2a9dcdfc6f0aab577bc0f2750ff44050034c0f1c2f8b325a246f4dfe5f33219","2ec893440e04de55bc6bbe4b1db76df532aa42d3140a15dc5365ef520a1d4247","a01ae86a356373f0d3e1b843f50243394308a96bd01978b33e4a91c0f0b19cce","b6844533bb887e870eb88fba88ed4d616ea8a9573b673faf927846c802f7817c","33e5e5e773d1909004d4b38a0e4e3e97e46cbdb7b17f94b28fce2c9ad0a375d3","521869f9ee6066c33fb1615cbcad66de157876bd08cec05597e4d3a0405efac8","21a61777b0f725dd0dbdb2ecd0dd66e952012e94894e71c306059990c2afe377","02dba6f34480eac1d27c83a4ff06e3ba03fc63fcf3067e0957375bfd182ed39b","e645ee394546db818350adfb2c55bffea78f405ac0ebb3fb1486e7d2f042c46f","a35f810ed9ffd884d0599aa391d0043ad955e821f8144089116b15f01b8a932b","5d838c0dbf164b26c4c5dc20f96d3bf48a5f9fde88bbc1dd02c08007bb184d86","08f965f640a3ec1c3aa9c31033455fad02550485d0d5b6fe33553d374775f18a","a0bb95eafc9913633c7e27f0f1e6c81eb4c138a809c109ad3abae5fcc47c2cbd","4091ddc3560fb60bd3ef071367fd833d67c3c6e3e81165aa3d93519b93959658","6503770b34c53025793f1674af87d80a8f6ed44b5780490796012a2b771b8f84","bbf9d7dafba979ef9c1e8531a20d3bea1adcdbb628816ce8781d7eeb6292f265","fbd3d1828592a2c1f154ebe2283643e24dee1db9f8989ce32e54b00d470a0096","df75b0b8ea1f75f0039c158c89e413ed6c4352309cc2cfa282afd1857676a88c","12e4817abc69918b8556a4f18371c803db3d5191031cb56f835ec33cdb12f0d9","9fbae4ed1de2b09af9a246a021f2a7fc8667492d459ac346eba6719509c41c5a","fe14c579308d356c64bd3be9365014de805a17abab8cb741e2817b8451a92f64","c75a9a104e340473b72140127f3039a08f99a334887afc100d09cffa3c4c8e24","a68d83fd210b8ca21370a0f38da8fc0dd20b081e69beef911060924aa708a280","c732067b3d8763c248051366ab7beeae0d7fbe105884d4d3f8647e3427f36daf","6edb1fd609c7e011cd42656af67baf5271d8212933a8c964604d138306b9565f","ffceed66dd9935c92ff7922bd5fdfde08e9a2ff78dd3a76dc65a200305779b9c","e3c73f76f7b08ab6e223918a5b961201f60934ec95e5362529a42c1655395443","7321d599e777088356d7549e638b6b67fc43fc5c9f0c8846ee5aa7f47e35c2eb","3d331e6c5c1b22377b3b4aba9f71d65a10a77df6d8ee64c3a0d7d7de3d1f1565","2e20ce7bc1e653737f05c910759fd2e420fe28f77f80a6d8e7c9346809e4dce7","f9017361349421728fc1ac1bc1549b3d23b35bd795f0a83be2e9e517bccaccdc","381dc36504e1b319fde9bbae0a580da9f239b8af8066638f9a4203e58dc16087","7b190719c3fb9c0bde074981adaf5b04356c9c48fa2fccdb334c4ae218f66fc0","8fee015ae0e978e39af2cd1ca74b29202e702d296c110f3a7a90dfadce28d4a6","59b416efff07208dc8b1c98a6f754e3abc14e55d71971ddc5581f6bc7ca45837","42906ac10d053eec10c05e2eeebcb06a7d6b307dc0d18083151dff3e0ac70022","89169f480810198a2cbb28fab15e0dfc8d1ee53981a9834cb84a84d077db3d17","e09067e3e134e620b69117caf5bee54c1066b7259b74ddf2399afc64116690c9","f1dcd2809a001a0d0ea3221939f7afd2ef9e5bf468709bd91abd70c902c42d45","22cebb4f0fe6f4377e91b1e19204eff0f744d316b8c900377d8db4aa4f457801","3b8adf88b10e0c66d97b4909a17d4436a043ded5cf29c85ead22b58917e9ac7b","02e98650e89146f0bddf29dd73165b9993d52f966d6194d375b6f0fcf737c38a","ed3882a77cdc372f647e647b66979525a50054a580b43499ce5a97864d772730","13f094d3eebe9d700360868006ac022a622ec606628adcc3782123d5092224d1","61913e0a38282a42b26aff578da17dab60ac0fbee819fa42db5497cc5cf55760","bb9b0b20d239b2f5fe6da31fc2d13ec4ba6083238df68befd33d7521570d334e","2496bfe15e283affdfcd7f1de9134227671e2cddfb726b46829fa966abb9ac96","facfea68fe95fc81e3b6e04f79fbcba738c79b4de2d0238e4e5a8ba095a2516d","01577f5b0869154fb678bcf86eef50afceb5fc189c87b2085fe5fcdf74cd6ff0","5b497b4205427198fc922c74cad8275b4256579f8bb5a1f1dbad7151630288a0","e3197285c98965ca0522d3683c0d656e4ab1f8335ca322e1ae8c06b79dfd9b9c","1bb1187daff9610a0c142b48bc04d3e883344ca0eca8fe915d6a02fb3e7571ff","1cb60c7a121187978661b4bda84279f2324a5779b3f58bac11470a73fe544f6a","cc67b50d746b23b9bc6fc12dde8c64d72c7f856521787b964598672d83525915","79b7fe6db452edd3077fb55906beea64c19087a19e5fb35211dd80975db74f9e","fec618c4f832d8a182fc1d3b9e58a0bff1a62241a1d17108e84ed1f0c4bb7845","e8201b4a0f2619224e0720034dfc19a75f77582531bd98a2465a58bbf4a9f8c6","bf45c48b209e5004520b5d541e406c183bccb2fe81f3974c2c53be48017f74ca","eda7a7edc01392706a872a5a275940b4a4b9471dc562eb70128ee672872d1407","5d0b2015998a8a5a2a60ebdd2f3d6a398e533d198b9157c1558e6913330c24ba","a383c13bbe949d0b6dff23e3243c7bbac1813d2ce9d99149cd5b984f051005d0","44bfb9f0e13dd72ed111b5b5600b80b305ab153a0ee2224957e76391b28ac037")
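    The queries above compare indicator strings against single log fields. The Python script below is an added example, not part of the advisory or of Gurucul's product, that applies the same kinds of indicators offline to constructed log records keyed by the field names the queries use (userdomainname, url, dstipaddress, srcipaddress, sha256hash) plus a `query` field standing in for a DNS log. It adds two things a practitioner usually wants: the host is extracted from a URL before comparison, so an indicator string that appears only in the path does not fire, and a host that is a subdomain of a listed domain is reported against that domain. The three indicators containing `xxxx` (www.xxxx.vip, proxy.xxxx.com, spider.xxxx.com) look like redacted placeholders rather than real hostnames; matched literally they would never fire, so the script sets them aside. The indicator subsets are copied from this page; the sample events are constructed.

```python
"""Offline IOC matching against log records, using a subset of the indicators
from the advisory above and constructed sample events.  Added example."""
from urllib.parse import urlsplit

# Subset of the advisory's domain indicators, including the three that look
# like redacted placeholders ("xxxx").
IOC_DOMAINS = {
    "se2.ggseocdn.com", "wailian.vn6789sky.com", "dk8.zone",
    "js.cloudflare.cyou", "newth.googlecache.cc",
    "www.xxxx.vip", "proxy.xxxx.com", "spider.xxxx.com",
}
# All five IP indicators from the advisory.
IOC_IPS = {"185.106.178.76", "38.207.248.230", "154.7.64.81",
           "156.229.134.13", "45.120.81.62"}
# Two of the advisory's SHA-256 indicators.
IOC_SHA256 = {
    "8a49966eb90acc5c05a6bba523f1dd0d58127ab731d44c7304204fa02bf61186",
    "bbf9d7dafba979ef9c1e8531a20d3bea1adcdbb628816ce8781d7eeb6292f265",
}


def is_placeholder(domain: str) -> bool:
    """Treat a label of 'xxxx' as a redaction marker, not a real host."""
    return "xxxx" in domain.split(".")


def normalize_host(host: str) -> str:
    return host.strip().lower().rstrip(".")


def host_from_url(url: str) -> str:
    """Host part of a URL; a scheme is prepended for 'host:port/path' forms."""
    if "://" not in url:
        url = "http://" + url
    return normalize_host(urlsplit(url).hostname or "")


def domain_hit(host: str, iocs: set):
    """The listed domain that host equals or is a subdomain of, else None."""
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs and not is_placeholder(candidate):
            return candidate
    return None


def match_event(event: dict, domains=IOC_DOMAINS, ips=IOC_IPS, hashes=IOC_SHA256):
    """Return [(field, indicator), ...] for one record; empty list if clean."""
    hits = []
    for field in ("query", "userdomainname"):
        if field in event:
            d = domain_hit(event[field], domains)
            if d:
                hits.append((field, d))
    if "url" in event:
        d = domain_hit(host_from_url(event["url"]), domains)
        if d:
            hits.append(("url", d))
    for field in ("srcipaddress", "dstipaddress"):
        if event.get(field) in ips:
            hits.append((field, event[field]))
    digest = str(event.get("sha256hash", "")).lower()
    if digest in hashes:
        hits.append(("sha256hash", digest))
    return hits


# Constructed sample records (not real telemetry), keyed by the field names
# the detection queries above use.
SAMPLE_EVENTS = [
    {"id": 1, "userdomainname": "wailian.vn6789sky.com"},
    {"id": 2, "url": "http://se2.ggseocdn.com/js/s.js"},
    {"id": 3, "url": "cdn.dk8.zone:8080/map.xml"},          # subdomain of dk8.zone
    {"id": 4, "dstipaddress": "185.106.178.76"},
    {"id": 5, "sha256hash": "8A49966EB90ACC5C05A6BBA523F1DD0D58127AB731D44C7304204FA02BF61186"},
    {"id": 6, "userdomainname": "proxy.xxxx.com"},           # placeholder, set aside
    {"id": 7, "url": "https://www.example.com/dk8.zone"},    # indicator only in the path
    {"id": 8, "query": "googlecache.cc"},                    # parent of a listed host, not listed
]


def scan(events=SAMPLE_EVENTS):
    """Return [(event id, hits)] for every record with at least one hit."""
    results = []
    for event in events:
        hits = match_event(event)
        if hits:
            results.append((event["id"], hits))
    return results


if __name__ == "__main__":
    for event_id, hits in scan():
        print(event_id, hits)
```

    Events 1 through 5 produce hits; 6, 7 and 8 do not. Event 8 is worth noting when tuning: only newth.googlecache.cc, newthmap.googlecache.cc and phpmap.googlecache.cc are listed, so the parent googlecache.cc is not matched unless you deliberately add it as an indicator in its own right.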

    Reference:    

    https://www.trendmicro.com/en_us/research/25/b/chinese-speaking-group-manipulates-seo-with-badiis.html 


    Tags

    Malware, Asia, India, Thailand, Vietnam, Financial Services, Gambling Websites
