Chinese DragonRank Hackers Exploit Global Windows Servers in SEO Fraud


DragonRank, a Chinese-speaking hacking group, has compromised more than 30 Windows servers globally. The group exploits IIS vulnerabilities to manipulate SEO rankings, distribute scam websites, and spread malware such as PlugX and BadIIS.

A Chinese-speaking hacking group, known as “DragonRank,” has been found compromising over 30 Windows servers around the globe, including in Thailand, India, Korea, Belgium, the Netherlands, and China.

The group’s main goal is to manipulate search engine crawlers and disrupt the Search Engine Optimization (SEO) of affected websites, ultimately distributing scam websites to unsuspecting users.

Image: one of DragonRank’s commercial websites, as shown on Google, is plagued with malware.

How the Attack Works

The DragonRank hacking group gains initial access to Windows Internet Information Services (IIS) servers by exploiting vulnerabilities in web application services such as phpMyAdmin, WordPress, or similar web applications. Once they obtain the ability to execute remote code or upload files on the targeted site, they deploy a web shell like ASPXspy, granting them control over the compromised server.

According to Cisco Talos’ lengthy and technical report, shared with Hackread.com ahead of publication on Tuesday, the group then uses the web shell to gather system information and launch malware, including PlugX and BadIIS, as well as credential-harvesting utilities like Mimikatz, PrintNotifyPotato, BadPotato, and GodPotato. They also breach additional Windows IIS servers within the target’s network, either through web shell deployment or by exploiting remote desktop logins with the acquired credentials.

For your information, PlugX is a well-known RAT (remote access tool) equipped with modular plugins and property configurations, deployed by various Chinese-speaking cyber threat actors for over ten years. The PlugX configuration in this campaign contains all the values and information needed to run the executable properly.

BadIIS, on the other hand, is malware used to manipulate search engine crawlers and link jumps. The version of BadIIS detected in this campaign shares similar characteristics with the one discussed (PDF) at Black Hat USA 2021, including configuration as an IIS proxy and capabilities for SEO fraud.

Interestingly, researchers also noted that DragonRank operates much like a business, with a commercial website offering its services in both Chinese and English. The group engages with clients through platforms like Telegram and QQ, providing tailored SEO fraud services. Its business model includes a cautionary note about transaction confirmations, suggesting it operates with a degree of professionalism uncommon in typical cybercrime groups.


Nevertheless, the DragonRank hacking group’s activities are a threat to online security, as they can drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings.

These attacks can harm a company’s online presence, lead to financial losses, and damage its reputation by associating the brand with deceptive or harmful practices. Therefore, businesses and IT departments should:

  • Use Advanced Threat Detection: Implement solutions that can detect and respond to sophisticated malware like PlugX.
  • Regularly Update Security Measures: Ensure all systems, especially web servers, are patched against known vulnerabilities.
  • Monitor Network Traffic: Look for unusual outbound connections or changes in server behavior that may indicate malware like BadIIS.
  • Educate Staff: Awareness training on cyber threats can assist in the early detection of phishing or other social engineering attempts.
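Because BadIIS runs as an IIS module, one concrete way to act on the "changes in server behavior" advice above is to audit the native modules IIS has loaded. The script below is an added example for defenders, not code from the Talos report or the article; it assumes the WebAdministration PowerShell module is available, that it is run as Administrator on the IIS host, and that the stock Microsoft modules live under %windir%\System32\inetsrv (the checks are heuristics, so a flagged entry is a lead to investigate, not a verdict).

```powershell
# Added example (not from the article or the Talos report): list every native
# IIS global module and flag those that do not look like stock, Microsoft-signed
# modules. Malware such as BadIIS registers itself as an IIS module, so an
# unexpected or unsigned entry here deserves a closer look.
Import-Module WebAdministration

# Assumption: stock IIS modules are installed under this directory.
$inetsrv = Join-Path $env:windir 'System32\inetsrv'

function Get-SuspiciousIisModules {
    foreach ($m in Get-WebGlobalModule) {
        # Image paths in applicationHost.config are usually written with %windir%.
        $path    = [Environment]::ExpandEnvironmentVariables($m.Image)
        $reasons = @()

        if (-not (Test-Path -LiteralPath $path)) {
            $reasons += 'image file missing on disk'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $reasons += "Authenticode status is $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                # ASP.NET and add-ons like ARR are Microsoft-signed but live
                # elsewhere, so only non-Microsoft signers outside inetsrv are flagged.
                $reasons += "signed by $($sig.SignerCertificate.Subject)"
                if (-not $path.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "loaded from outside $inetsrv"
                }
            }
            # A module DLL written recently is a weak but useful extra signal.
            $age = (Get-Date) - (Get-Item -LiteralPath $path).LastWriteTime
            if ($age.TotalDays -lt 30) { $reasons += 'DLL modified in the last 30 days' }
        }

        [PSCustomObject]@{
            Name       = $m.Name
            Image      = $path
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Print the full inventory with suspicious entries first; keep the output as a
# baseline so that later runs can be diffed against it.
Get-SuspiciousIisModules | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Site- and application-level modules registered in web.config are not covered by Get-WebGlobalModule; those can be reviewed with Get-WebConfiguration against the system.webServer/modules section of each site.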

Author: roosho, Senior Engineer (Technical Services)