New China-aligned crew poisons Windows servers for SEO fraud [theregister.com]:
A new China-aligned cybercrime crew named GhostRedirector has compromised at least 65 Windows servers worldwide - spotted in a June internet scan - using previously undocumented malware to juice gambling sites' rankings in Google search, according to ESET researchers.
The infections began in December, although other related malware samples indicate the group has been active since at least August 2024, the security firm's threat intel team noted.
GhostRedirector uses a variety of custom tools, including two never-seen-before pieces of malware that the researchers dubbed Rungan, which is a passive C++ backdoor, and Gamshen, a malicious Internet Information Services (IIS) trojan that manipulates Google search results for Search Engine Optimization (SEO) fraud.
The victim sites then show versions of their web pages to Googlebot that would help certain gambling sites gain rank. For example, they may include fake backlinks to those gambling domains, fooling everyone's favorite search engine into thinking that those sites are highly recommended by others.
While most of the infected servers are in Brazil, Peru, Thailand, Vietnam, and the US, "we believe that GhostRedirector was more interested in targeting victims in South America and South Asia," malware researcher Fernando Tavella said [welivesecurity.com] in a Thursday report. Plus, he added, the gang doesn't appear to target a particular sector: victims of this campaign include education, healthcare, insurance, transportation, technology, and retail organizations.
The researchers suspect the criminals gained initial access by exploiting a probable SQL injection bug. They then used PowerShell to download Windows privilege escalation tools, droppers, and the two final payloads, Rungan and Gamshen, all from the same server: 868id[.]com.
ESET estimates the privilege escalation tools are based on public EfsPotato and BadPotato exploits — these potato-family escalation tools [theregister.com] are popular among Chinese-speaking hackers — and notes that some samples were validly signed with a code-signing certificate issued by TrustAsia RSA Code Signing CA G3, to Shenzhen Diyuan Technology.
These tools create or modify a user account on the compromised server and add it to the administrators group, which ensures the attackers can continue to execute privileged operations on the infected machine.
Also among these tools: Comdai, another custom library that performs a bunch of backdoor-like capabilities, including network communication, admin-user creation, file execution, directory listing, and manipulating services and Windows registry keys.
During these attacks, ESET also documented another custom website information collector and dropper the team used named Zunput. It checks for active websites capable of executing dynamic content, and collects information about them, including physical path on the server, site name, IP address, and hostname, before dropping a webshell.
And finally, the attackers drop Rungan and Gamshen payloads. Rungan executes a series of backdoor commands on the compromised server, while Gamshen enables SEO fraud as-a-service. This particular operation appears to boost gambling sites' rankings by modifying responses only for Googlebot — benefiting a third-party site that's potentially a paying client, per ESET.
"The response is modified based on data requested dynamically from Gamshen's C&C server," Tavella wrote. "By doing this, GhostRedirector attempts to manipulate the Google search ranking of a specific, third-party website, by using manipulative, shady SEO techniques such as creating artificial backlinks from the legitimate, compromised website to the target website." ®
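The cloaking described above (a different page served to Googlebot than to a browser, padded with artificial backlinks) can be checked for by fetching the same URL with two User-Agent strings and diffing the outbound links. The following is an added defender-side example, not code from ESET or from the malware; the fetch callback, sample pages and hostnames are constructed for illustration.

```python
"""Detect crawler-only backlinks by diffing browser and Googlebot responses for one URL."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed UA strings for the two fetches; only the "Googlebot" token matters to the demo fetcher.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"


class _LinkCollector(HTMLParser):
    """Collects every href of an <a> tag in the document."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return set(parser.hrefs)


def external_hosts(links, own_host):
    """Hosts of absolute links that point away from the site being checked."""
    hosts = set()
    for link in links:
        host = urlparse(link).hostname
        if host and host != own_host:
            hosts.add(host)
    return hosts


def cloaked_backlinks(browser_html, crawler_html, own_host):
    """External hosts linked only in the variant served to the crawler."""
    only_for_crawler = extract_links(crawler_html) - extract_links(browser_html)
    return sorted(external_hosts(only_for_crawler, own_host))


def check_site(fetch, url):
    """fetch(url, user_agent) -> html. Returns hosts injected only for Googlebot."""
    own_host = urlparse(url).hostname
    return cloaked_backlinks(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA), own_host)


# Constructed sample responses (not real captures): the crawler copy carries one extra link.
BROWSER_PAGE = '<html><body><a href="/about">About</a><a href="https://cdn.example.net/x.js">cdn</a></body></html>'
CRAWLER_PAGE = BROWSER_PAGE.replace("</body>", '<a href="https://casino-example.invalid/">best odds</a></body>')


def _fake_fetch(url, user_agent):
    """Stand-in for an HTTP client; real use would issue the two requests with these UAs."""
    return CRAWLER_PAGE if "Googlebot" in user_agent else BROWSER_PAGE
```

A non-empty result means the server answers Googlebot differently from a browser, which on IIS warrants a look at loaded native modules and recently created admin accounts.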