DragonRank Unethical SEO Scheme Targeting IIS Servers Throughout Asia and Europe

A recent campaign involving an individual proficient in simplified Chinese has been associated with a new program that has focused on various nations across Asia and Europe to manipulate search engine optimization (SEO) standings.

The unscrupulous SEO operation has been named DragonRank by the experts at Cisco Talos, with targets in countries such as Thailand, India, Korea, Belgium, the Netherlands, and China.

“DragonRank leverages the vulnerabilities in targets’ web app services to plant a web shell, which is then used to gather system details and introduce malicious software like PlugX and BadIIS, running different tools to harvest credentials,” security researcher Joey Chen explained.

These attacks have resulted in the compromise of 35 Internet Information Services (IIS) servers with the intention of deploying the BadIIS malware, a threat previously documented by ESET in August 2021.

The malware is specifically crafted to facilitate proxyware and SEO fraud by turning the compromised IIS server into an intermediary for illicit communications between the customers (i.e., other threat actors) and their victims.

Furthermore, it can alter the content presented to search engines to manipulate their algorithms and enhance the ranking of specific websites of interest to the perpetrators.
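The content manipulation described above is a form of cloaking: the server hands search-engine crawlers a page that differs from what a browser receives. The following Python check, added here as an illustration and not code from Talos or ESET, compares two constructed responses for the same URL (one fetched as a browser, one as a crawler) and reports links and words that appear only in the crawler copy.

```python
import re
from html.parser import HTMLParser


class _LinksAndText(HTMLParser):
    """Collect href targets and visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_data(self, data):
        chunk = data.strip()
        if chunk:
            self.text.append(chunk)


def extract(html):
    parser = _LinksAndText()
    parser.feed(html)
    return set(parser.links), " ".join(parser.text)


def cloaking_report(browser_html, crawler_html):
    """Return links/words present only in the version served to the crawler."""
    b_links, b_text = extract(browser_html)
    c_links, c_text = extract(crawler_html)
    b_words = set(re.findall(r"\w+", b_text.lower()))
    c_words = set(re.findall(r"\w+", c_text.lower()))
    injected_links = sorted(c_links - b_links)
    injected_words = sorted(c_words - b_words)
    return {
        "cloaked": bool(injected_links or injected_words),
        "injected_links": injected_links,
        "injected_words": injected_words,
    }


# Constructed sample responses for one URL; the crawler copy carries an injected promo link.
BROWSER_VIEW = '<html><body><h1>Acme Jewelry</h1><p>Handmade rings.</p><a href="/shop">Shop</a></body></html>'
CRAWLER_VIEW = ('<html><body><h1>Acme Jewelry</h1><p>Handmade rings.</p><a href="/shop">Shop</a>'
                '<div><a href="http://promoted.example/casino">best casino bonus</a></div></body></html>')

if __name__ == "__main__":
    print(cloaking_report(BROWSER_VIEW, CRAWLER_VIEW))
```

In practice the two bodies come from fetching the same URL twice with different User-Agent headers; a non-empty report on a site you own is a reason to inspect the IIS modules and handlers.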

“An unexpected aspect of the investigation is the versatility of IIS malware, and the discovery of a criminal scheme involving SEO fraud, where the malware is abused to manipulate search engine algorithms and assist in boosting the popularity of third-party websites,” security researcher Zuzana Hromcova previously told The Hacker News.

The recent wave of attacks highlighted by Talos encompasses a wide range of industries, including but not limited to jewelry, media, research, healthcare, video production, manufacturing, transportation, religious organizations, IT services, international relations, agriculture, sports, and feng shui.

DragonRank Unethical SEO Scheme

The sequence of attacks initiates by exploiting known security vulnerabilities in web applications such as phpMyAdmin and WordPress to deploy the open-source ASPXspy web shell, which serves as a conduit for introducing additional tools into the victim’s environment.

The primary aim of the operation is to infiltrate the IIS servers hosting corporate sites, using them to integrate the BadIIS malware and repurpose them as a base for illicit activities by incorporating keywords related to explicit content.

Another notable feature of the malware is its ability to pose as the Google search engine crawler in its User-Agent string when communicating with the command-and-control (C2) server, enabling it to evade certain website security measures.
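A real crawler is an inbound visitor, so an outbound request from one of your own web servers that claims to be Googlebot is a useful egress signal. The Python snippet below is an added example, not Talos tooling: it scans constructed proxy log lines (format assumed here: source IP, destination, quoted User-Agent) and flags crawler User-Agents originating from internal address space.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed egress-proxy log lines: <src_ip> <destination> "<user_agent>"
PROXY_LOG = """\
10.0.5.21 cdn.example.net "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.5.21 203.0.113.77 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.0.5.30 update.example.org "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
10.0.5.22 www.example.com "curl/8.4.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)"$')
CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider|yandexbot", re.I)
# Assumed internal ranges; adjust to the environment being monitored.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip_text):
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def flag_fake_crawlers(log_text):
    """Return (src, dst, ua) for outbound requests that spoof a search-engine crawler."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        src, dst, ua = m.groups()
        if is_internal(src) and CRAWLER_UA.search(ua):
            hits.append((src, dst, ua))
    return hits


if __name__ == "__main__":
    for src, dst, ua in flag_fake_crawlers(PROXY_LOG):
        print(f"suspect egress from {src} to {dst}: {ua}")
```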

“The threat actor engages in SEO manipulation by altering or exploiting search engine algorithms to improve a website’s ranking in search results,” Chen clarified. “They engage in these attacks to direct traffic to malicious sites, enhance the visibility of fraudulent content, or disrupt competitors by unfairly boosting or lowering rankings.”

One distinctive aspect of DragonRank compared to other unethical SEO cybercrime syndicates is its approach to infiltrating additional servers within the target’s network and maintaining control over them using PlugX, a common backdoor utilized by Chinese threat actors, and various credential-stealing tools like Mimikatz, PrintNotifyPotato, BadPotato, and GodPotato.

Although the PlugX malware used in the attacks relies on DLL side-loading, the loader DLL responsible for launching the encrypted payload uses the Windows Structured Exception Handling (SEH) mechanism so that the legitimate file (i.e., the binary susceptible to DLL side-loading) can load PlugX without raising any alarms.

Findings by Talos indicate that the threat actor maintains a presence on Telegram under the pseudonym “tttseo” and utilizes the QQ instant messaging app to facilitate illicit business dealings with clients who pay for their services.

“These adversaries also provide what appears to be high-quality customer service, tailoring promotional strategies to suit their clients’ needs,” added Chen.

“Customers submit the keywords and websites they want to promote, and DragonRank devises a strategy customized to these requirements. The group excels in tailoring promotions to specific regions and languages, ensuring a personalized and comprehensive approach to online marketing.”
