“Simplified Chinese speaking attackers” have been linked to a new attack campaign targeting multiple countries in Asia and Europe with the ultimate goal of manipulating search engine optimization (SEO) rankings.
The code name for the Black Hat SEO Cluster is Dragon Rank Attributed to Cisco Talos, the victim trail spans Thailand, India, South Korea, Belgium, the Netherlands and China.
“DragonRank exploits targeted web application services to deploy web shells that are used to gather system information, launch malware such as PlugX and BadIIS, and run a variety of credential harvesting utilities,” said security researcher Joey Chen.
The attack compromised 35 Internet Information Services (IIS) servers, with the ultimate goal being to deploy the BadIIS malware, which was first documented by ESET in August 2021.
It is specifically designed to facilitate proxyware and SEO fraud by turning a compromised IIS server into a relay point for malicious communications between its customers (i.e. other threat actors) and the victim.
Additionally, attackers can modify the content served to search engines in order to manipulate the search engine algorithms and boost the rankings of other websites of interest to them.
“One of the most surprising things about this research is the versatility of IIS malware and the (detection) of an SEO fraud scheme that uses malware to manipulate search engine algorithms to boost the reputation of third-party websites,” security researcher Zuzana Hromkova told Hacker News at the time.
The latest wave of attacks uncovered by Talos spans a wide range of industries, including jewelry, media, investigative services, healthcare, video and television production, manufacturing, transportation, religious and spiritual organizations, IT services, international affairs, agriculture, sports, and feng shui.
The attack chain begins by exploiting known security flaws in web applications such as phpMyAdmin and WordPress to drop the open source ASPXspy web shell, which then serves as a conduit to introduce additional tools into the target environment.
The main goal of this attack is to compromise IIS servers hosting corporate websites and exploit them to embed the BadIIS malware, effectively reusing them as launch pads for fraudulent activity using pornography and sex-related keywords.
Another important feature of this malware is its ability to pose as a Google search engine crawler in the User-Agent string when relaying connections to its command and control (C2) servers, allowing it to circumvent some website security measures.
“Threat actors engage in SEO manipulation by modifying or exploiting search engine algorithms to improve a website’s ranking in search results,” Chen explained. “They carry out these attacks to drive traffic to malicious sites, increase the visibility of deceptive content, or confuse competitors by artificially raising or lowering their rankings.”
A key aspect that sets DragonRank apart from other blackhat SEO cybercrime groups is its use of PlugX, a backdoor widely shared by Chinese threat actors, as well as a variety of credential harvesting programs such as Mimikatz, PrintNotifyPotato, BadPotato and GodPotato, to compromise and maintain control over additional servers within target networks.
The PlugX malware used in the attack relies on DLL side-loading technique, but the loader DLL that launches the encrypted payload uses the Windows Structured Exception Handling (SEH) mechanism to allow legitimate files (i.e. binaries susceptible to DLL side-loading) to load PlugX without triggering any alarms.
Evidence discovered by Talos indicates that the threat actor continues to have a presence on Telegram under the handle “tttseo,” and is using the QQ instant messaging application to facilitate illicit commercial transactions with paying customers.
“These rivals also customize promotional offers to best suit customers’ needs and appear to offer better customer service,” Chen added.
“Customers can submit the keywords and websites they wish to promote, and DragonRank will develop a strategy to suit these specifications. The group also specializes in targeting promotion to specific countries and languages, ensuring a customized and comprehensive approach to online marketing.”