A “simplified Chinese-speaking actor” has been associated with a recent campaign targeting multiple countries in Asia and Europe with the main goal of manipulating search engine optimization (SEO) rankings.
The malicious SEO campaign has been given the name DragonRank by Cisco Talos, affecting victims in various countries including Thailand, India, Korea, Belgium, the Netherlands, and China.
According to security researcher Joey Chen, “DragonRank exploits targets’ web application services to deploy a web shell, collecting system information and deploying malware like PlugX and BadIIS, along with credential-harvesting utilities.”
These attacks have resulted in the compromise of 35 Internet Information Services (IIS) servers, which were used to deploy BadIIS, a malware family that ESET first documented in August 2021.
BadIIS is built to facilitate proxyware and SEO fraud: it turns compromised IIS servers into relay points that proxy malicious traffic between the threat actors and their victims.
In addition, it manipulates content served to search engines to influence algorithms and boost the rankings of specific websites favored by the attackers.
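One practical check for the cloaking behaviour described above is to request the same URL once as an ordinary browser and once as a search-engine crawler and compare the outbound links: a server that injects attacker-chosen links only for the crawler is a strong sign of BadIIS-style SEO fraud. The code below is an added example, not code from Cisco Talos, ESET or the malware itself; the page bodies and the `fake_fetch` helper are constructed for the example, and `live_fetch` is the hypothetical drop-in for a real check.

```python
"""Detect search-engine cloaking by diffing links served to a browser vs. a crawler.

Added example (not from the Talos or ESET reports). `fetch` is any callable
(url, user_agent) -> html; the constructed responses below stand in for a
cloaking IIS server. Use `live_fetch` against a site you are authorised to test.
"""
import re
import urllib.request

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed sample pages: the crawler gets two extra spam links the browser never sees.
CLEAN_PAGE = "<html><body><h1>Acme Jewelry</h1><a href='/rings'>Rings</a></body></html>"
CLOAKED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    "<a href='http://promo.example/casino'>casino</a>"
    "<a href='http://promo.example/x'>xxx</a></body>",
)
FAKE_RESPONSES = {BROWSER_UA: CLEAN_PAGE, CRAWLER_UA: CLOAKED_PAGE}


def fake_fetch(url, user_agent):
    """Constructed stand-in for an HTTP client talking to a cloaking server."""
    return FAKE_RESPONSES[user_agent]


def live_fetch(url, user_agent):
    """Hypothetical real fetcher: same URL, caller-chosen User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def extract_links(html):
    """Return the set of href targets in a page (regex is enough for a diff)."""
    return set(HREF_RE.findall(html))


def cloaked_links(fetch, url):
    """Links served only to the crawler UA, sorted; empty list means no cloaking seen."""
    browser_links = extract_links(fetch(url, BROWSER_UA))
    crawler_links = extract_links(fetch(url, CRAWLER_UA))
    return sorted(crawler_links - browser_links)


if __name__ == "__main__":
    for link in cloaked_links(fake_fetch, "http://example.test/"):
        print("crawler-only link:", link)
```

Some legitimate sites do serve crawlers a pre-rendered variant, so treat a non-empty result as a lead to inspect rather than proof of compromise; links to unrelated domains with gambling or adult keywords, as in the constructed sample, are the pattern to look for.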
Security researcher Zuzana Hromcova highlighted, “The investigation uncovers the versatility of IIS malware and the SEO fraud scheme, where malware is exploited to manipulate search engine algorithms and enhance the reputation of third-party websites.”
The recent attacks observed by Talos span across various industries such as jewelry, media, research services, healthcare, video production, manufacturing, transportation, religious organizations, IT services, international affairs, agriculture, sports, and feng shui.
The attack chain starts by exploiting known vulnerabilities in web applications like phpMyAdmin and WordPress to introduce the ASPXspy web shell, which then acts as a gateway for additional tools into the victims’ systems.
The primary goal of the campaign is to compromise IIS servers hosting corporate websites to install the BadIIS malware, using keywords related to explicit content for scam operations.
Moreover, the malware can impersonate the Google search engine crawler in its User-Agent header to bypass website security measures when connecting to the command-and-control (C2) server.
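Because a User-Agent string is trivially forged, a web server that whitelists "Googlebot" on that header alone is exactly what this trick exploits. The standard defence is the forward-confirmed reverse DNS check Google documents for its crawlers: reverse-resolve the client IP, require the hostname to end in googlebot.com or google.com, then forward-resolve that hostname and confirm it maps back to the same IP. The script below is an added example, not part of the original report; the IIS log lines and the `FAKE_PTR`/`FAKE_A` resolver tables are constructed, and in production they are replaced by the `socket`-based lookups shown.

```python
"""Flag requests that claim a Googlebot User-Agent but fail forward-confirmed reverse DNS.

Added example (not from the Talos report or from BadIIS). Log format is the
W3C-style IIS layout: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent),
with '+' standing in for spaces in the User-Agent, as IIS writes it.
"""
import socket

# Constructed sample log. Only 66.249.66.1 is a genuine crawler in this example.
SAMPLE_LOG = """\
2024-09-10 10:01:02 66.249.66.1 GET /index.aspx 200 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html)
2024-09-10 10:01:05 203.0.113.7 GET /admin/cmd.aspx 200 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html)
2024-09-10 10:01:09 198.51.100.4 GET /products.aspx 200 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0
2024-09-10 10:01:12 203.0.113.9 POST /api/update 200 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html)
"""

# Constructed resolver tables (hypothetical data). 203.0.113.7 has a PTR that *claims*
# google.com but does not forward-confirm; 203.0.113.9 has no PTR record at all.
FAKE_PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com", "203.0.113.7": "fake.google.com"}
FAKE_A = {"crawl-66-249-66-1.googlebot.com": "66.249.66.1", "fake.google.com": "203.0.113.200"}

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def ptr_dns(ip):
    """Real reverse lookup; returns None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def a_dns(host):
    """Real forward lookup; returns None when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def is_verified_googlebot(ip, ptr_lookup=ptr_dns, a_lookup=a_dns):
    """Google's documented check: PTR in google.com/googlebot.com AND A record == ip."""
    host = ptr_lookup(ip)
    if not host or not host.lower().endswith(GOOGLE_SUFFIXES):
        return False
    return a_lookup(host) == ip


def find_spoofed_googlebot(log_text, ptr_lookup=ptr_dns, a_lookup=a_dns):
    """Return (client_ip, uri) for each request whose UA claims Googlebot but does not verify."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # IIS writes '#Fields:' header lines
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        ip, uri, user_agent = fields[2], fields[4], fields[6]
        if "googlebot" not in user_agent.lower():
            continue
        if not is_verified_googlebot(ip, ptr_lookup, a_lookup):
            hits.append((ip, uri))
    return hits


if __name__ == "__main__":
    for ip, uri in find_spoofed_googlebot(SAMPLE_LOG, FAKE_PTR.get, FAKE_A.get):
        print(f"spoofed Googlebot from {ip} -> {uri}")
```

The same check belongs in any allow-list rule that exempts crawlers from rate limits, WAF rules or authentication; a cheap alternative that avoids per-request DNS is to match the client IP against Google's published crawler IP ranges.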
According to Chen, “The threat actor engages in SEO manipulation by altering search engine algorithms to promote a website’s ranking, driving traffic to malicious sites, and increasing visibility of fraudulent content.”
One notable feature of DragonRank is its method of breaching additional servers in the target network using PlugX, the credential-harvesting tool Mimikatz, and the local privilege-escalation tools PrintNotifyPotato, BadPotato, and GodPotato.
PlugX is delivered through DLL side-loading, as in earlier campaigns, but here the loader additionally abuses the Windows Structured Exception Handling (SEH) mechanism to execute the malware without raising alarms.
Evidence suggests that the threat actor communicates on Telegram under the handle “tttseo” and the QQ instant messaging app for illegal transactions with clients.
Chen added, “These adversaries provide quality customer service tailored to their clients’ needs, offering personalized promotional plans and targeting specific countries and languages for online marketing.”