A “Simplified Chinese-speaking actor” has been linked to a new campaign targeting several countries in Asia and Europe with the ultimate goal of search engine optimization (SEO) rank manipulation.
The black hat SEO cluster has been codenamed DragonRank by Cisco Talos, with a victimological trail scattered across Thailand, India, Korea, Belgium, the Netherlands and China.
“DragonRank uses the target’s web application services to deploy a web shell and uses it to collect system information and launch malware such as PlugX and BadIIS, which work with various credential harvesting utilities,” security researcher Joey Chen said.
The attacks led to the compromise of 35 Internet Information Services (IIS) servers with the ultimate goal of deploying the BadIIS malware, which was first documented by ESET in August 2021.
It is specifically designed to facilitate proxy and SEO fraud by turning a compromised IIS server into a relay point for malicious communications between clients (i.e., other threat actors) and their victims.
In addition, it can modify the content submitted to search engines to manipulate search engine algorithms and increase the ranking of other sites of interest to attackers.
“One of the most surprising aspects of the investigation is how versatile the IIS malware is and (the discovery of) a criminal SEO fraud scheme where the malware abuses the manipulation of search engine algorithms and helps boost the reputation of third-party websites,” ESET researcher Zuzana Hromcová told The Hacker News at the time.
The latest series of attacks covered by Talos spans a wide range of industries, including jewelry, media, research services, healthcare, video and television production, manufacturing, transportation, religious and spiritual organizations, IT services, international affairs, agriculture, sports, and feng shui.
Attack chains begin by exploiting known security flaws in web applications such as phpMyAdmin and WordPress to drop the open-source ASPXspy web shell, which then acts as a conduit to inject additional tools into the target’s environment.
The campaign’s primary goal is to compromise IIS servers hosting corporate websites, use them to implant BadIIS malware, and effectively repurpose them as launching pads for scams using porn and sex-related keywords.
Another notable aspect of the malware is its ability to disguise itself as Google’s search engine crawler in the User-Agent header when it relays a connection to a command-and-control (C2) server, allowing it to bypass some website security measures that whitelist search engine crawlers.
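A defender-side check for the crawler impersonation described above, added here as an example that is not part of the Talos report: it parses constructed access-log lines and flags requests that claim a Googlebot User-Agent but fail Google's published reverse-then-forward DNS verification. The log format, sample addresses and stub resolver tables are assumptions made for the example.

```python
import re
from typing import Callable, Iterable, List

# Constructed access-log lines (not from the article); 66.249.66.1 stands in
# for a genuine crawler address, the other two are documentation addresses.
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Sep/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '66.249.66.1 - - [10/Sep/2024:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.9 - - [10/Sep/2024:10:00:03 +0000] "GET /about HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/120"',
]
# Stub DNS tables (constructed) so the example runs offline without real lookups.
STUB_PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com"}
STUB_A = {"crawl-66-249-66-1.googlebot.com": "66.249.66.1"}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$')
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")
Resolver = Callable[[str], str]


def stub_reverse(ip: str) -> str:
    return STUB_PTR[ip]  # KeyError for unknown IPs, like a failed PTR lookup


def stub_forward(host: str) -> str:
    return STUB_A[host]


def is_verified_googlebot(ip: str, reverse: Resolver, forward: Resolver) -> bool:
    """Google's documented check: PTR ends in googlebot.com or google.com and resolves back to ip."""
    try:
        host = reverse(ip)
        return host.endswith(GOOGLE_SUFFIXES) and forward(host) == ip
    except (OSError, KeyError):
        return False


def find_spoofed_googlebots(lines: Iterable[str], reverse: Resolver = stub_reverse,
                            forward: Resolver = stub_forward) -> List[str]:
    """Source IPs that present a Googlebot User-Agent but fail DNS verification."""
    spoofed: List[str] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "googlebot" not in m.group("ua").lower():
            continue  # unparseable line or no crawler claim: nothing to verify
        ip = m.group("ip")
        if ip not in spoofed and not is_verified_googlebot(ip, reverse, forward):
            spoofed.append(ip)
    return spoofed
```

Against live traffic, pass `reverse=lambda ip: socket.gethostbyaddr(ip)[0]` and `forward=socket.gethostbyname` from the standard `socket` module instead of the stub resolvers.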
“A threat actor engages in SEO manipulation by changing or exploiting search engine algorithms to improve a website’s search engine ranking,” Chen explained. “They carry out these attacks to drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or lowering rankings.”
One important way DragonRank differentiates itself from other SEO cybercriminal groups is that it attempts to compromise additional servers on the target network and maintain control over them using PlugX, a backdoor widely used by Chinese threat actors, and various credential harvesters such as Mimikatz, PrintNotifyPotato, BadPotato, and GodPotato.
While the PlugX malware used in the attacks relies on DLL sideloading, the DLL loader responsible for running the encrypted payload uses Windows’ Structured Exception Handling (SEH) mechanism in an attempt to ensure that the legitimate file (i.e., the binary susceptible to DLL sideloading) can load PlugX without raising any alarms.
Evidence found by Talos indicates that the threat actor maintains a presence on Telegram under the handle “tcceo” and on the QQ instant messaging app to facilitate illegal business transactions with paying customers.
“These adversaries also offer seemingly superior customer service, tailoring advertising plans to suit their customers’ needs,” Chen added.
“Clients can provide keywords and websites they want to promote, and DragonRank develops a strategy to fit those specifications. The group also specializes in targeting promotions to specific countries and languages, providing a customized and integrated approach to Internet marketing.”