Chinese hackers target Windows servers with SEO poisoning campaign

Security padlock and circuit board to protect data

(Image credit: Getty Images)

Hackers are taking advantage of vulnerable servers to take over websites, and use them to steal people’s credentials, deploy malware, and more.

A report from Cisco Talos, who have been tracking the activity for some time now, revealed the group would first seek out vulnerable web application services such as phpMyAdmin, WordPress, or similar. Then, they would use the vulnerabilities to deploy a web shell which grants them control over the server.

Finally, the web shell allows them to collect system information, or deploy additional malware such as PlugX, or BadIIS, or to run different infostealers such as Mimikatz, GodPotato, and others. To get people to visit the infected websites, the group uses SEO poisoning, pushing the sites higher up on search engine results pages.

DragonRank

The researchers are dubbing the new threat “DragonRank”. They believe the group is targeting mostly organizations in Asia, with a few victims found in Europe, as well. So far, the malware was spotted in Thailand, India, Korea, Belgium, the Netherlands, and China.

The victims come from all sorts of industries, including jewelry, media, research services, healthcare, video and television production, manufacturing, transportation, religious and spiritual organizations, IT services, international affairs, agriculture, sports, and even niche markets like feng shui.

All of this leads the researchers to conclude that DragonRank doesn’t really have a particular target and just looks to compromise as many organizations as possible.

So far, more than 35 IIS servers were compromised, and deployed the BadIIS malware, the researchers concluded. BadIIS was first discovered in 2020, and it acts as a backdoor that grants unauthorized access to compromised servers. One of its key features is stealth, since it uses advanced techniques to evade detection.

Since the group has a commercial website, a business model, and instant message accounts, the researchers concluded that the group is most likely of Chinese origin.

More from TechRadar Pro

SEO poisoning and VPN spoofing used to target anything and everything with WikiLoader malware
Here's a list of the best firewalls around today
These are the best endpoint security tools right now

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.