
From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat

Cisco Talos has identified a commodity BadIIS malware ecosystem operating under a Malware-as-a-Service (MaaS) model, primarily used by Chinese-speaking threat actors for SEO fraud and traffic manipulation. The developer, known as 'lwxat', provides a dedicated builder and sophisticated service-based installers that ensure persistence on compromised Windows IIS servers while evading detection through custom Base64 encoding and service impersonation.

Confidence: high · Analyzed: 2026-05-19

Authors: Joey Chen

Actors: lwxat, xshen, DragonRank, UAT-8099

Source:Cisco Talos

IOCs · 11


What Happened

Security researchers have discovered a widespread malicious software operation targeting Windows web servers. This software is sold as a service to various cybercriminal groups, primarily to manipulate search engine results and redirect website visitors to illegal or spam sites. The malware is highly customizable and includes tools to hide itself and automatically reinstall if the server is restarted. Organizations hosting websites on Windows IIS should ensure their servers are fully patched, monitor for unusual service creations, and review their web server configurations for unauthorized changes.

Key Takeaways

  • A commodity BadIIS malware variant, identifiable by 'demo.pdb' strings, is being sold as Malware-as-a-Service (MaaS) to Chinese-speaking cybercrime groups.
  • The malware facilitates SEO fraud, traffic redirection, reverse proxying, and content hijacking on compromised Windows IIS servers.
  • The developer, alias 'lwxat', has maintained the toolset since at least 2021, producing custom builds both to evade AV products (such as Norton) and to satisfy specific customer requests.
  • A dedicated builder tool allows threat actors to generate configuration files and inject parameters directly into the BadIIS binaries.
  • The malware uses service-based installers and droppers for persistence, impersonating legitimate services like Winlogin, FaxService, and AudiosService.

Affected Systems

  • Windows IIS Servers

Attack Chain

The attack begins with the deployment of a service-based installer or dropper onto a target Windows IIS server. The installer authenticates with a C2 server by checking for the string 'lwxat' in the HTTP response. Once authenticated, it drops the BadIIS payloads (often named filter.dll or similar) into system directories and registers them as IIS modules using appcmd.exe. To ensure persistence, the malware copies itself to hidden backup locations (like fake .log files) and installs a secondary service (impersonating Winlogin, FaxService, or AudiosService) that restores the malicious modules if they are removed. Finally, the compromised IIS server intercepts web traffic to perform SEO fraud, traffic redirection, and content hijacking based on configurations generated by the threat actor's builder tool.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: Yes
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: ClamAV, Snort

The article provides ClamAV signatures and Snort rules (SIDs 66400, 66399, 66398, 301491) to detect and block the BadIIS threat.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions can monitor for suspicious child processes of IIS (w3wp.exe), execution of appcmd.exe to install unexpected modules, and the creation of anomalous services like 'Winlogin' or 'FaxService'.

Network Visibility: Medium — Network monitoring can detect the plaintext HTTP C2 authentication requests (e.g., fetching /authorize.txt) and the custom user-agent 'lwxatisme', though actual proxy traffic may blend with legitimate web requests.

Detection Difficulty: Moderate — While the malware uses custom Base64 encoding and backup persistence mechanisms, the reliance on appcmd.exe for module installation and the hardcoded 'lwxatisme' user-agent provide reliable detection opportunities.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • Service Creation (Event ID 7045)
  • IIS Access Logs
  • File Creation (Event ID 11)

Hunting Hypotheses

  • Hypothesis: Consider hunting for executions of appcmd.exe installing new modules from non-standard directories like C:\Windows\Setup. | Telemetry: Process Creation | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: If you have visibility into network traffic, consider hunting for HTTP requests utilizing the anomalous user-agent string 'lwxatisme'. | Telemetry: Network Traffic / Web Proxy Logs | ATT&CK Stage: Command and Control | FP Risk: Low
  • Hypothesis: Consider hunting for the creation or modification of Windows services with names mimicking legitimate services (e.g., FaxService, AudiosService) but pointing to unusual executable paths like C:\Windows\System32\inetsrv\svchost.exe. | Telemetry: Service Creation | ATT&CK Stage: Persistence | FP Risk: Low
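As an added example, not code from the Talos report or from this page, the three hunting hypotheses above written as Python checks run over constructed sample records; the record fields, the IIS_MODULE_DIRS baseline and all sample values are assumptions, and the user-agent check assumes the default W3C IIS log field order.

```python
import re

# Constructed sample telemetry for the three hypotheses (not taken from the Talos report);
# the dict keys are a simplified schema, not real Sysmon / Event 7045 / IIS field names.
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\inetsrv\appcmd.exe",
     "cmdline": r"appcmd.exe install module /name:Filter /image:C:\Windows\Setup\filter.dll"},
    {"image": r"C:\Windows\System32\inetsrv\appcmd.exe",
     "cmdline": r"appcmd.exe install module /name:MyMod /image:C:\inetpub\modules\mymod.dll"},
]
SERVICE_EVENTS = [
    {"name": "FaxService", "image_path": r"C:\Windows\System32\inetsrv\svchost.exe"},
    {"name": "Fax", "image_path": r"C:\Windows\System32\fxssvc.exe"},  # the real Fax service
]
WEB_LOGS = [  # constructed W3C-style IIS lines; default field order puts cs(User-Agent) 10th
    "2026-01-06 10:00:01 10.0.0.2 GET /authorize.txt - 80 - 10.0.0.5 lwxatisme - 200",
    "2026-01-06 10:00:02 10.0.0.2 GET /index.html - 80 - 10.0.0.6 Mozilla/5.0+(Windows) - 200",
]

# Directories from which IIS modules are normally registered (assumed baseline, lowercase).
IIS_MODULE_DIRS = ("c:\\windows\\system32\\inetsrv\\", "c:\\inetpub\\")
IMPERSONATED = {"winlogin", "faxservice", "audiosservice"}  # service names cited in the report


def appcmd_module_installs(events):
    """Hypothesis 1: 'appcmd install module' whose /image: DLL lives outside IIS_MODULE_DIRS."""
    hits = []
    for e in events:
        cmd = e["cmdline"].lower()
        m = re.search(r"/image:(\S+)", cmd)
        if "install module" in cmd and m and not m.group(1).startswith(IIS_MODULE_DIRS):
            hits.append(e["cmdline"])
    return hits


def lookalike_services(events):
    """Hypothesis 3: impersonated service names, or an svchost.exe image outside System32."""
    hits = []
    for e in events:
        directory, _, exe = e["image_path"].lower().rpartition("\\")
        if (e["name"].lower() in IMPERSONATED
                or (exe == "svchost.exe" and directory != r"c:\windows\system32")):
            hits.append((e["name"], e["image_path"]))
    return hits


def lwxat_user_agent(lines):
    """Hypothesis 2: requests whose user-agent field equals the hardcoded 'lwxatisme'."""
    return [ln for ln in lines if len(ln.split()) > 9 and ln.split()[9].lower() == "lwxatisme"]
```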

Control Gaps

  • Lack of File Integrity Monitoring (FIM) on IIS configuration files
  • Insufficient egress filtering allowing servers to communicate with arbitrary external IPs over HTTP

Key Behavioral Indicators

  • appcmd.exe execution with 'install module'
  • Custom user-agent 'lwxatisme'
  • Presence of 'demo.pdb' or 'lwxat' strings in memory or files
  • Unexpected .log files in C:\Windows\Logs\ containing DLL MZ headers

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider reviewing IIS server module configurations for unauthorized or unexpected DLLs, particularly those loaded from C:\Windows\Setup.
  • Evaluate whether to block the identified C2 IP addresses and URLs at the perimeter firewall or web proxy.
  • If applicable, consider scanning IIS servers with the provided ClamAV signatures or deploying the Snort rules to network intrusion detection systems.

Infrastructure Hardening

  • Consider implementing File Integrity Monitoring (FIM) on critical IIS directories and configuration files (e.g., applicationHost.config).
  • Evaluate restricting outbound network access from web servers to only required endpoints to prevent C2 communication.
  • Consider enforcing strict least-privilege access for the IIS worker process (w3wp.exe) to limit its ability to write to system directories.

User Protection

  • If your EDR supports it, consider ensuring behavioral rules are enabled to detect anomalous service creation and appcmd.exe usage.

Security Awareness

  • Consider educating server administrators on the risks of unauthorized IIS modules and the importance of monitoring service configurations.

MITRE ATT&CK Mapping

  • T1505.004 - Server Software Component: IIS Components
  • T1543.003 - Create or Modify System Process: Windows Service
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1027 - Obfuscated Files or Information
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1106 - Native API

Additional IOCs

  • URLs:
    • hxxp://143[.]92[.]36[.]109/authorize.txt - Authentication URL requested by the service installer.
    • hxxp://154[.]36[.]149[.]4:7788/pipen/listen.php - C2 URL used for payload staging.
    • hxxp://45[.]194[.]17[.]133/authorize.txt - Authentication URL requested by the service installer.
    • hxxp://154[.]23[.]186[.]99/authorize.txt - Authentication URL requested by the service installer.
  • File Paths:
    • C:\Windows\Logs\SecEditor.log - Hidden backup location used to store the 32-bit BadIIS payload for persistence.
    • C:\Windows\Logs\SecFilter.log - Hidden backup location used to store the 64-bit BadIIS payload for persistence.
    • C:\Windows\Logs\IIS.log - Hidden backup location used to store the modified IIS configuration file.
    • C:\Windows\Setup\filter.dll - File path where the 32-bit BadIIS payload is staged.
    • C:\Windows\Setup\filter_64.dll - File path where the 64-bit BadIIS payload is staged.
    • C:\Windows\System32\inetsrv\svchost.exe - Malicious service executable impersonating the legitimate svchost process.
  • Command Lines:
    • Purpose: Installs the malicious BadIIS module into the IIS configuration. | Tools: appcmd.exe | Stage: Persistence | appcmd.exe install module /name:
    • Purpose: Configures the hijacked or malicious service to start automatically for persistence. | Tools: sc.exe | Stage: Persistence | sc config FaxService start= auto
    • Purpose: Stops the IIS service to allow module installation or replacement. | Tools: iisreset.exe | Stage: Execution | iisreset /stop
  • Other:
    • lwxatisme - Custom User-Agent string used by the malware for HTTP communications.
    • C:\Users\Administrator\Desktop\dll20260106\Release\demo.pdb - Embedded PDB path indicating the compilation date and developer environment.