A newly identified hacking group, dubbed “GhostRedirector” by cybersecurity researchers, has compromised at least 65 Windows servers across the globe, deploying custom malware designed to manipulate search engine results for financial gain.
According to a new report from ESET, the threat actor uses a malicious module for Microsoft’s Internet Information Services (IIS) to run a sophisticated SEO fraud scheme that primarily benefits gambling websites.
The attacks, active since at least August 2024, rely on two previously undocumented custom tools: a passive C++ backdoor named “Rungan” and a malicious native IIS module called “Gamshen.”
While Rungan gives the attackers the ability to execute commands on a compromised server, Gamshen is the core of the operation, built to provide “SEO fraud as-a-service.”
GhostRedirector Hacks Windows Servers
Researchers explain that Gamshen works by intercepting web traffic on the infected server. The module is configured to activate only when it detects a request from Google’s web crawler, Googlebot.
For regular visitors the website behaves normally. However, when Googlebot crawls the site, Gamshen modifies the server’s response, injecting content fetched from its own command-and-control server. Because neither ordinary users nor the site owner’s browser ever trigger the module, the manipulation stays invisible unless the site is requested with a crawler identity.
This technique lets the attackers create artificial backlinks and apply other manipulative SEO tactics, effectively hijacking the compromised website’s reputation to boost the page ranking of a target website.
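A quick way to test whether a site you operate is serving cloaked content is to fetch the same page once as a browser and once as Googlebot and compare the links in the two responses. The script below is an added example written for this article; it is not ESET’s tooling or anything recovered from GhostRedirector. It assumes the cloaking keys on the User-Agent header (a module that instead verifies the source IP via reverse DNS would not be caught this way), and the target URL is supplied by you.

```powershell
# Added example: request the same URL with a browser User-Agent and with Googlebot's
# User-Agent, then report links that appear only in the crawler-facing response.
# Assumption: the cloaking keys on the User-Agent header.
param(
    [Parameter(Mandatory = $true)][string]$Url
)

# A generic browser identity and the documented Googlebot desktop identity.
$browserUA   = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36'
$googlebotUA = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'

function Get-PageLinks {
    param([string]$Uri, [string]$UserAgent)
    # -UseBasicParsing avoids the Internet Explorer engine on Windows PowerShell 5.1.
    $resp = Invoke-WebRequest -Uri $Uri -UserAgent $UserAgent -UseBasicParsing -ErrorAction Stop
    # Pull every href value out of the raw body; a naive regex is enough for a diff.
    $hrefs = [regex]::Matches($resp.Content, 'href\s*=\s*["'']([^"'']+)["'']', 'IgnoreCase') |
        ForEach-Object { $_.Groups[1].Value }
    [pscustomobject]@{
        Status = $resp.StatusCode
        Length = $resp.Content.Length
        Links  = @($hrefs | Sort-Object -Unique)
    }
}

$asBrowser   = Get-PageLinks -Uri $Url -UserAgent $browserUA
$asGooglebot = Get-PageLinks -Uri $Url -UserAgent $googlebotUA

"Browser:   HTTP $($asBrowser.Status), $($asBrowser.Length) bytes, $($asBrowser.Links.Count) links"
"Googlebot: HTTP $($asGooglebot.Status), $($asGooglebot.Length) bytes, $($asGooglebot.Links.Count) links"

# Links the crawler sees but a human visitor does not are the injected backlinks.
$injected = @($asGooglebot.Links | Where-Object { $asBrowser.Links -notcontains $_ })

if ($injected.Count -gt 0) {
    Write-Warning "Crawler-only links found (possible SEO cloaking):"
    $injected | ForEach-Object { "  $_" }
} else {
    "No crawler-only links detected."
}
```

Run it as `.\Check-Cloaking.ps1 -Url https://example.com/` against a few pages, not just the front page; a large difference in body length with no new links is also worth a look, since injected content may be text or meta tags rather than anchors.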
ESET believes the primary beneficiaries of this scheme are various gambling websites targeting Portuguese-speaking users. ESET researchers have attributed the campaign with medium confidence to a previously unknown, China-aligned threat actor.
This assessment is based on several factors, including the use of a code-signing certificate issued to a Chinese company, hardcoded Chinese-language strings within the malware samples, and a password containing the Chinese word “huang” (yellow) used for the rogue user accounts.
The victimology indicates an opportunistic approach rather than a targeted campaign against a specific industry.
Compromised servers span sectors such as healthcare, retail, transportation, education, and technology, with the majority located in Brazil, Thailand, and Vietnam.
Additional victims were identified in the United States, Peru, Canada, and parts of Europe and Asia.
GhostRedirector’s attack chain begins with what ESET believes to be a SQL injection vulnerability used for initial access. Once inside, the attackers use PowerShell or CertUtil to download their arsenal from a staging server.
To gain full control, they use publicly known privilege-escalation exploits such as “EfsPotato” and “BadPotato” to create new administrator-level user accounts on the server. These “Potato” exploits abuse the SeImpersonatePrivilege that IIS application-pool identities typically hold, so code running as the application pool is enough to reach SYSTEM.
These rogue accounts provide persistent access, ensuring the attackers can maintain control even if their primary backdoors are discovered and removed.
The group’s toolkit also includes other custom utilities, such as “Zunput,” a tool that scans the server for active websites and drops multiple webshells to provide alternative methods of remote access.
The shared code libraries and infrastructure across these tools allowed ESET to cluster the activity and attribute it to a single group.
While the immediate impact on website visitors is minimal, participation in the SEO fraud scheme can severely damage the compromised host’s reputation by associating it with black-hat SEO tactics.
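Each stage of the chain above leaves a footprint on the server: a native IIS module that Microsoft did not sign, newly created local accounts sitting in Administrators, and script files written into site directories. The triage script below is an added example for this article, not ESET’s or the group’s code. It assumes an elevated PowerShell session on the IIS host with the WebAdministration module available; the 14-day window and the file extensions are assumptions to adjust for your environment.

```powershell
# Added example: host triage for the GhostRedirector footprints described above.
# Assumptions: elevated session on the IIS server, WebAdministration module present,
# a 14-day look-back window.
Import-Module WebAdministration -ErrorAction Stop
$since = (Get-Date).AddDays(-14)

# 1. Native IIS global modules whose DLL is missing, unsigned, or signed by someone
#    other than Microsoft. Gamshen is a native module, so this is where it would show.
"== Global IIS modules not signed by Microsoft =="
Get-WebGlobalModule | ForEach-Object {
    $image = [Environment]::ExpandEnvironmentVariables($_.Image)
    if (Test-Path $image) {
        $sig    = Get-AuthenticodeSignature -FilePath $image
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{ Module = $_.Name; Image = $image; Status = $sig.Status; Signer = $signer }
        }
    } else {
        [pscustomobject]@{ Module = $_.Name; Image = $image; Status = 'MISSING'; Signer = '' }
    }
} | Format-Table -AutoSize

# 2. Local accounts created recently (Security event 4720) and the current members of
#    the local Administrators group; the rogue accounts are the attackers' fallback.
"== Accounts created since $since (event 4720) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Property 0 is TargetUserName (the new account), property 4 is SubjectUserName (who created it).
        [pscustomobject]@{ Created = $_.TimeCreated; NewAccount = $_.Properties[0].Value; CreatedBy = $_.Properties[4].Value }
    } | Format-Table -AutoSize

"== Local Administrators =="
Get-LocalGroupMember -Group 'Administrators' | Format-Table Name, ObjectClass, PrincipalSource -AutoSize

# 3. Server-side script files recently written under any site's content root. Zunput
#    drops webshells there; outside a deployment window this should be empty.
"== Script files written in IIS site roots since $since =="
Get-Website | ForEach-Object {
    $site = $_.Name
    $root = [Environment]::ExpandEnvironmentVariables($_.PhysicalPath)
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.php -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $since } |
            ForEach-Object {
                [pscustomobject]@{ Site = $site; File = $_.FullName; Written = $_.LastWriteTime; Bytes = $_.Length }
            }
    }
} | Format-Table -AutoSize
```

The CertUtil and PowerShell download stage is not covered here because a default Windows install does not record process command lines; hunting for it needs process-creation auditing (event 4688 with command-line logging enabled) or Sysmon already in place before the intrusion.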