{"id":20205,"date":"2025-06-03T10:00:22","date_gmt":"2025-06-03T03:00:22","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=20205"},"modified":"2026-01-20T10:23:56","modified_gmt":"2026-01-20T03:23:56","slug":"dragonrank-campaign-when-iis-servers-became-tools-for-hackers","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/dragonrank-campaign-when-iis-servers-became-tools-for-hackers\/","title":{"rendered":"DragonRank Campaign: When IIS Servers Became Tools for Hackers"},"content":{"rendered":"<div id=\"post-content-wrapper\" class=\"prose prose-base mx-auto mb-10 min-h-30 break-words dark:prose-dark lg:prose-lg\">\n<h2 id=\"heading-introduction\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Introduction<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The hacker group\u00a0<strong>DragonRank<\/strong>\u00a0has recently become a serious threat by targeting Microsoft&#8217;s\u00a0<strong>Internet Information Services (IIS)<\/strong>\u00a0servers, exploiting unpatched vulnerabilities to gain control of the systems.<\/span><\/p>\n<h3 id=\"heading-technical-details\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Technical Details<\/strong><\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">According to\u00a0<strong>Microsoft<\/strong>, the vulnerability exploited by DragonRank involves handling\u00a0<strong>HTTP Request Headers<\/strong>\u00a0on IIS. Specifically, the attacker sends a specially crafted HTTP request with a header containing data that exceeds the buffer limit, causing a\u00a0<strong>Buffer Overflow<\/strong>. 
This allows them to overwrite memory and execute arbitrary code (Remote Code Execution \u2013 RCE).<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Exploitation Mechanism<\/strong>:<\/span><br \/>\n<span style=\"font-family: arial, helvetica, sans-serif\">When the IIS server parses headers like\u00a0<code>Content-Length<\/code>\u00a0or\u00a0<code>Transfer-Encoding<\/code>, improper handling of unusually large values leads to a buffer overflow. DragonRank exploits this weakness to inject malicious code into memory and then triggers the payload to take control.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Malware Used<\/strong>:<\/span><br \/>\n<span style=\"font-family: arial, helvetica, sans-serif\">According to a report from\u00a0<strong>Cisco Talos<\/strong>, the group uses a variant of the\u00a0<strong>ChinaChopper<\/strong>\u00a0malware\u2014a common webshell in attacks on web servers. This malware allows hackers to upload other tools like ransomware or cryptocurrency mining software.<\/span><\/li>\n<\/ul>\n<h3 id=\"heading-dragonrank-campaign\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>DragonRank Campaign<\/strong><\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">DragonRank is not just a random hacker group but a well-organized entity with clear strategies, regularly conducting large-scale attack campaigns. Here are some key details about their campaign:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Targets<\/strong>:<\/span><br \/>\n<span style=\"font-family: arial, helvetica, sans-serif\">DragonRank focuses on financial institutions, government agencies, and large enterprises in the Asia region, especially Southeast Asia and India. 
The targets often have complex IT systems but lack full security updates.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Attack Methods<\/strong>:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Reconnaissance<\/strong>: Using scanning tools like\u00a0<strong>Nmap<\/strong>\u00a0and\u00a0<strong>Shodan<\/strong>\u00a0to identify unpatched IIS servers.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Exploitation<\/strong>: Leveraging buffer overflow vulnerabilities to deploy webshells and gain control.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Persistence<\/strong>: Installing backdoors and malware to maintain long-term access.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Lateral Movement<\/strong>: Using stolen information to attack other systems within the same internal network.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Tools Used<\/strong>:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Webshells<\/strong>: ChinaChopper, C99, and custom variants.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Exploit Kits<\/strong>: Utilizing exploit kits like\u00a0<strong>Metasploit<\/strong>\u00a0and\u00a0<strong>Cobalt Strike<\/strong>.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Anonymity Tools<\/strong>: Using VPNs and proxies to hide IP addresses.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Objectives<\/strong>:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Data Theft<\/strong>: Collecting sensitive information such as customer data and trade secrets.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, 
sans-serif\"><strong>DDoS Attacks<\/strong>: Turning compromised servers into botnets to launch denial-of-service attacks.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Financial Gain<\/strong>: Installing cryptocurrency mining malware (cryptojacking) on servers to earn profits.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3 id=\"heading-scope-and-impact-of-the-attack\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Scope and Impact of the Attack<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Victims<\/strong>:<\/span><br \/>\n<span style=\"font-family: arial, helvetica, sans-serif\">A report from\u00a0<strong>Kaspersky Lab<\/strong>\u00a0indicates that over 500 IIS servers in Southeast Asia and India were compromised in February 2025. Many of these servers belong to banks and healthcare agencies that have not updated Microsoft&#8217;s patches.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Impacts<\/strong>:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Data Breach<\/strong>: Configuration files containing credentials (username\/password) were stolen and sold on the dark web.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>DDoS Attacks<\/strong>: Some servers were turned into botnets to launch denial-of-service attacks on other targets.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3 id=\"heading-recommendations\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Recommendations<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Microsoft<\/strong>:<\/span><br \/>\n<span style=\"font-family: arial, helvetica, sans-serif\">Immediately apply the\u00a0<strong>latest<\/strong>\u00a0patch for IIS and enable\u00a0<strong>Request 
Filtering<\/strong>\u00a0to block HTTP requests with invalid headers.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>CERT Coordination Center (CERT\/CC)<\/strong>:<\/span><br \/>\n<span style=\"font-family: arial, helvetica, sans-serif\">Implement\u00a0<strong>Network Segmentation<\/strong>\u00a0to isolate web servers from critical internal systems. Use monitoring tools like\u00a0<strong>Azure Sentinel<\/strong>\u00a0or\u00a0<strong>Splunk<\/strong>\u00a0to detect suspicious activity.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Allow only the minimum necessary access. Also, regularly scan with tools like\u00a0<strong>Nessus<\/strong>\u00a0or\u00a0<strong>Qualys<\/strong>\u00a0to identify vulnerabilities.<\/span><\/li>\n<\/ul>\n<h4 id=\"heading-conclusion\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Conclusion<\/strong><\/span><\/h4>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The DragonRank attack on IIS not only highlights the sophistication of hackers but also underscores the importance of\u00a0<strong>system updates<\/strong>\u00a0and\u00a0<strong>enhancing security awareness<\/strong>. 
Organizations need to combine multiple layers of security (multi-factor authentication, encryption, continuous monitoring) to minimize risks.<\/span><\/p>\n<h4 id=\"heading-references\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>References<\/strong><\/span><\/h4>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/undercodenews.com\/analyzing-the-badiis-malware-campaign-a-global-threat-exploiting-iis-server-vulnerabilities\/\" target=\"_blank\" rel=\"noopener nofollow\">Analyzing the BadIIS Malware Campaign: A Global Threat Exploiting IIS Server Vulnerabilities<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cybersecuritynews.com\/badiis-malware-compromising-iis-servers\/\" target=\"_blank\" rel=\"noopener nofollow\">Hackers Compromising IIS Servers to Deploy BadIIS Malware<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/hackread.com\/chinese-dragonrank-hackers-windows-servers-seo-fraud\/\" target=\"_blank\" rel=\"noopener nofollow\">Chinese DragonRank Hackers Exploit Global Windows Servers in SEO Fraud<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/www.cyclonis.com\/remove-dragonrank-seo-attack\/\" target=\"_blank\" rel=\"noopener nofollow\">DragonRank SEO Attack: The Hidden Manipulation of IIS Servers<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/thehackernews.com\/2025\/02\/dragonrank-exploits-iis-servers-with.html\" target=\"_blank\" rel=\"noopener nofollow\">DragonRank Exploits IIS Servers with BadIIS Malware for SEO Fraud and Gambling Redirects<\/a><\/span><\/li>\n<\/ol>\n<\/div>\n<div class=\"-mt-5 mb-10\">\n<table style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\"><span style=\"font-family: arial, helvetica, 
sans-serif\"><strong>Exclusive article by FPT IS Technology Experts<\/strong><\/span><br \/>\n<span style=\"font-family: arial, helvetica, sans-serif\"><em>Dinh Van Manh \u2013 FPT IS Cyber Security Center<\/em><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n","protected":false},"author":21,"featured_media":20206,"parent":0,"template":"","nang_luc":[790,821],"danh_muc_goc_nhin_so":[789],"dich_vu":[],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-20205","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-experts-sharing","nang_luc-security","danh_muc_goc_nhin_so-expert-sharing"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/20205","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/20206"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=20205"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=20205"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=20205"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=20205"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=20205"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=20205"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=20205"},{"taxonomy":"the_goc_nhin_so"
,"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=20205"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}