GhostRedirector Hackers Compromise Windows Servers With Malicious IIS Module To Manipulate Search Results

A newly identified hacking group, dubbed “GhostRedirector” by cybersecurity researchers, has compromised at least 65 Windows servers across the globe, deploying custom malware designed to manipulate search engine results for financial gain.

According to a new report from ESET, the threat actor utilizes a malicious module for Microsoft’s Internet Information Services (IIS) to conduct a sophisticated SEO fraud scheme, primarily benefiting gambling websites.

The attacks, which have been active since at least August 2024, employ two previously undocumented custom tools: a passive C++ backdoor named “Rungan” and a malicious native IIS module called “Gamshen.”

While Rungan provides the attackers with the ability to execute commands on a compromised server, Gamshen is the core of the operation, designed to provide “SEO fraud as-a-service.”

GhostRedirector Hacks Windows Servers

Researchers explain that Gamshen functions by intercepting web traffic on the infected server. The module is specifically configured to activate only when it detects a request from Google’s web crawler, Googlebot.

For regular visitors, the website functions normally. However, when Googlebot scans the site, Gamshen modifies the server’s response, injecting data from its own command-and-control server.

This technique allows the attackers to create artificial backlinks and use other manipulative SEO tactics, effectively hijacking the compromised website’s reputation to boost the page ranking of a target website.
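A defender-side check that follows from this behaviour, added here as an example and not taken from ESET's report or the article: request the same page once with a browser User-Agent and once with Googlebot's, then list the external links that only the crawler was served. It assumes the module keys on the User-Agent header (the article does not say how Googlebot is recognised); the User-Agent strings and the sample HTML pages are constructed.

```python
"""Cloaking check: compare what a site serves to a browser vs. to Googlebot."""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed User-Agent strings (assumption: the module keys on this header).
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed sample pages: the crawler copy carries one injected external backlink.
SAMPLE_BROWSER = '<a href="/about">About</a><a href="https://example.com/contact">Contact</a>'
SAMPLE_CRAWLER = (SAMPLE_BROWSER
                  + '<a href="https://bet-example.invalid/promo">best odds</a>')


class LinkCollector(HTMLParser):
    """Collects the href target of every <a> tag in a document."""
    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.add(value)


def extract_links(html, base_url):
    """Absolute link targets found in html, resolved against base_url."""
    parser = LinkCollector()
    parser.feed(html)
    return {urljoin(base_url, h) for h in parser.links}


def crawler_only_links(browser_html, crawler_html, base_url):
    """External links served only to the crawler: candidate injected backlinks."""
    own_host = urlparse(base_url).netloc
    extra = extract_links(crawler_html, base_url) - extract_links(browser_html, base_url)
    return sorted(link for link in extra if urlparse(link).netloc not in ("", own_host))


def fetch(url, user_agent):
    """Fetch url with the given User-Agent and return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    import sys
    url = sys.argv[1]  # run against a site you administer: python cloak_check.py https://host/
    found = crawler_only_links(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA), url)
    print("\n".join(found) if found else "no crawler-only external links found")
```

Links that differ only in tracking parameters will show up as noise, so review the list by hand rather than alerting on any non-empty result.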

ESET believes the primary beneficiaries of this scheme are various gambling websites targeting Portuguese-speaking users. The researchers have attributed the campaign with medium confidence to a previously unknown, China-aligned threat actor.

This assessment is based on several factors, including the use of a code-signing certificate issued to a Chinese company, hardcoded Chinese language strings within the malware samples, and a password containing the Chinese word “huang” (yellow) used for rogue user accounts.

The victimology indicates an opportunistic approach rather than a targeted campaign against a specific industry.

Compromised servers span sectors such as healthcare, retail, transportation, education, and technology, with the majority located in Brazil, Thailand, and Vietnam.

Additional victims were identified in the United States, Peru, Canada, and parts of Europe and Asia.

GhostRedirector’s attack chain begins with initial access through what is believed to be an SQL injection vulnerability. Once inside, the attackers use PowerShell or CertUtil to download their arsenal from a staging server.

To gain full control, they employ publicly known privilege escalation exploits like “EfsPotato” and “BadPotato” to create new administrator-level user accounts on the server.

These rogue accounts provide persistent access, ensuring the attackers can maintain control even if their primary backdoors are discovered and removed.

The group’s toolkit also includes other custom utilities, such as “Zunput,” a tool that scans the server for active websites and drops multiple webshells to provide alternative methods of remote access.

The shared code libraries and infrastructure across these tools allowed ESET to cluster the activity and attribute it to a single group.

While the immediate impact on website visitors is minimal, participation in the SEO fraud scheme can severely damage the compromised host’s reputation by associating it with black-hat SEO tactics.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.