September 12, 2024
Severity
High
Analysis Summary
A new operation aimed at manipulating search engine optimization (SEO) ranks across several Asian and European countries has been connected to a simplified Chinese-speaking actor.
Researchers have dubbed this black hat SEO cluster DragonRank; its victims are spread across China, Thailand, India, Korea, Belgium, and the Netherlands. DragonRank exploits its targets' web application services to deploy a web shell, which it then uses to gather system information, launch malware such as PlugX and BadIIS, and run several credential-harvesting tools.
The attacks have compromised 35 Internet Information Services (IIS) servers in order to install the BadIIS malware, which researchers first reported on in August 2021. Its purpose is to turn the compromised IIS server into a relay for malicious traffic between the operators' clients, or other threat actors, and their victims, enabling proxyware and SEO fraud.
Additionally, it can alter the information that is provided to search engines to trick search engine algorithms and raise the ranking of other websites that the attackers find interesting. The versatility of IIS malware and the discovery of an illegal SEO fraud operation, in which malware is used to manipulate search engine algorithms and enhance the reputation of third-party websites, are two of the investigation's most startling findings.
The most recent wave of attacks exposed by researchers targets a wide range of industry verticals, such as manufacturing, transportation, international affairs, feng shui, jewelry, media, research services, healthcare, video and television production, and religious and spiritual organizations. The attack chains start by dropping the open-source ASPXspy web shell into the targets' environment by taking advantage of vulnerabilities in online apps such as phpMyAdmin and WordPress. This web shell then serves as a conduit to introduce other tools into the targets' environment.
The campaign's main goal is to infiltrate the IIS servers that host corporate websites, abuse them to install the BadIIS malware, and then use them as a springboard for scams. Another noteworthy feature is that the malware presents a User-Agent string imitating the Google search engine crawler when it relays the connection to the command-and-control (C2) server, which lets it get past some website security measures.
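As an added illustration (not code from the advisory or from the researchers), the following triage script runs over constructed egress log lines and flags two things the summary describes: requests leaving the web server subnet that carry a Googlebot User-Agent, which a legitimate server never sends on its own, and destinations that match the domain and IP indicators in this advisory. The log format and the 10.0.5.0/24 IIS subnet are assumptions.

```python
import re
import ipaddress

# Constructed egress/proxy log lines for the example (not real telemetry).
SAMPLE_LOG = """\
2024-09-12T10:01:02Z src=10.0.5.21 dst=updates.example.com ua="Microsoft-CryptoAPI/10.0"
2024-09-12T10:01:07Z src=10.0.5.21 dst=mail.tttseo.com ua="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
2024-09-12T10:02:11Z src=10.0.5.22 dst=cdn.example.net ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-09-12T10:02:40Z src=10.0.5.22 dst=203.0.113.9 ua="Googlebot-Image/1.0"
"""

# Domain and IPs are taken from this advisory's IoC list.
KNOWN_BAD_DOMAINS = {"tttseo.com"}
KNOWN_BAD_IPS = {"202.162.108.48", "154.23.179.133"}
# Assumed: the subnet where the organisation's IIS servers live.
WEB_SERVER_NETS = [ipaddress.ip_network("10.0.5.0/24")]

LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) ua="(?P<ua>[^"]*)"')


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_web_server(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WEB_SERVER_NETS)


def matches_ioc(dst):
    """True if the destination is a listed IP or a listed domain / subdomain."""
    if dst in KNOWN_BAD_IPS:
        return True
    return any(dst == d or dst.endswith("." + d) for d in KNOWN_BAD_DOMAINS)


def classify(rec):
    reasons = []
    # Servers do not crawl the web as Googlebot; BadIIS spoofs this UA towards its C2.
    if is_web_server(rec["src"]) and "googlebot" in rec["ua"].lower():
        reasons.append("server-originated request spoofing Googlebot User-Agent")
    if matches_ioc(rec["dst"]):
        reasons.append("destination matches DragonRank IoC")
    return reasons


def scan(log_text):
    """Return (timestamp, src, dst, reasons) for every line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and (reasons := classify(rec)):
            findings.append((rec["ts"], rec["src"], rec["dst"], reasons))
    return findings
```

Pointing `scan()` at real proxy or firewall egress logs from the web tier gives a quick first pass; a hit on the User-Agent rule alone still warrants a look at the IIS host for a web shell or unexpected native modules.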
By manipulating or taking advantage of search engine algorithms, the threat actor uses SEO manipulation to raise a website's position in search results. These attacks are carried out to disrupt competitors by manipulating search engine rankings, increasing the visibility of false information, or driving visitors to hostile websites. DragonRank sets itself apart from other black hat SEO cybercrime groups in part because of the way it uses PlugX, a backdoor that Chinese threat actors frequently share, and a variety of credential-harvesting tools like Mimikatz, PrintNotifyPotato, BadPotato, and GodPotato to try and compromise more servers within the target's network and keep control over them.
Although the PlugX sample used in these attacks relies on DLL side-loading, the loader DLL that launches the encrypted payload also uses the Windows Structured Exception Handling (SEH) mechanism. This is intended to ensure that the legitimate binary vulnerable to DLL side-loading loads PlugX without raising any red flags. The threat actor remains active on the instant messaging service QQ and on Telegram to conduct illicit business with customers.
These cybercriminals likewise appear to provide high-quality customer service, customizing marketing strategies to best meet the requirements of their customers. Clients can enter the websites and keywords they want to promote, and DragonRank will create a plan based on these details. The threat group also specializes in directing promotions toward particular nations and languages, guaranteeing a thorough and personalized approach to Internet marketing.
Impact
- Credential Theft
- Information Theft
- Cyber Espionage
- Security Bypass
Indicators of Compromise
Domain Name
- mail.tttseo.com
IP
- 202.162.108.48
- 154.23.179.133
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software promptly, and make timely patching part of standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.