The most recent wave of attacks exposed by researchers targets a wide range of industry verticals, such as manufacturing, transportation, international affairs, feng shui, jewelry, media, research services, healthcare, video and television production, and religious and spiritual organizations. The attack chains start by dropping the open-source ASPXspy web shell into the targets' environment by taking advantage of vulnerabilities in online apps such as phpMyAdmin and WordPress. This web shell then serves as a conduit to introduce other tools into the targets' environment.

The campaign's main goal is to infiltrate the corporate website-hosting IIS servers, use them maliciously to install the BadIIS malware, and then effectively use them as a springboard for scams. The malware's ability to pass off its User-Agent string as the Google search engine crawler when it transfers the connection to the command-and-control (C2) server is another noteworthy feature that enables it to get beyond some website security measures.

By manipulating or taking advantage of search engine algorithms, the threat actor uses SEO manipulation to raise a website's position in search results. These attacks are carried out to disrupt competitors by manipulating search engine rankings, increasing the visibility of false information, or driving visitors to hostile websites. DragonRank sets itself apart from other black hat SEO cybercrime groups in part because of the way it uses PlugX, a backdoor that Chinese threat actors frequently share, and a variety of credential-harvesting tools like Mimikatz, PrintNotifyPotato, BadPotato, and GodPotato to try and compromise more servers within the target's network and keep control over them.

The loader DLL that launches the encrypted payload uses the Windows Structured Exception Handling (SEH) mechanism even though the PlugX malware used in the attacks relies on DLL side-loading techniques. This is done to try and make sure that the legitimate file, or the binary that is vulnerable to DLL side-loading, can load the PlugX without raising any red flags. The threat actor continues to be active on QQ, an instant messaging service, and Telegram to conduct illicit business with customers.

These cybercriminals likewise appear to provide high-quality customer service, customizing marketing strategies to best meet the requirements of their customers. Clients can enter the websites and keywords they want to promote, and DragonRank will create a plan based on these details. The threat group also specializes in directing promotions toward particular nations and languages, guaranteeing a thorough and personalized approach to Internet marketing.

Impact

• Credential Theft
• Information Theft
• Cyber Espionage
• Security Bypass

Indicators of Compromise

Domain Name

• mail.tttseo.com

IP

• 202.162.108.48
• 154.23.179.133

MD5

• e9194bd20e9bd6f6f5e572796514b285
• 7d8c5f7d684971923fc11d0033bef90d
• ad7e5df7a54b38176476cdc545129d41
• f2047fae637746ef4d7a4d2f81c2894f
• 7968fb0f54637e2fa745ed5410fc6886
• 12d03e7790a534a20984ffcef967b261
• 07b2dd4a339e7ba579362de606dc9411
• a17ea49b998508ef9be7a087c33784bc
• 8dc8cd05a1a8edc53b6ef7779751bfc2
• 4d0e8e3c38d77f80519e4a46a5a6c389

SHA-256

• 72fc4ba4d8e9a7b11fa0b76611e85b7aaf3558ac08dc8e9628fad48d72fb8190
• 9277f848a5348e447e02cf94beae392815a235264443fdd69a3ff6eb48f040a8
• ffa94d76d4423e43a42c7944c512e1a71827a89ad513d565f82eb8fe374ef74d
• 3503d6ccb9f49e1b1cb83844d1b05ae3cf7621dfec8dc115a40abb9ec61b00bb
• 614920f1a8550070a983f2ad22d6358c6742a9e02802b025eeea8db8c3d41fb7
• 3f17c66aab154212fb02fc7e329296c233aebe4abd9248204fa99c490c113a6e
• 8251189e8b596743683f2ab2d731eb19efe3e4e28ac5c100ea88cfdc36aeeac8
• 875239000f22cff75f62f9a1aa9924a8c3fea72124b0c4b31c7b3814f9dc0601
• c41587c393741e78b678f1fc3d7934859a306c4cc4c0b02ca08d596289caeff4
• cdc9f18de75991e7b289ab26b32dca9f4de6f95f88a6d3d32c87a111c4dc4d18

SHA-1

• 43e00adbbc09e4b65f09e81e5bd2b716579a6a61
• ab7ebc82930e69621d9bccb6698928f4a3719d29
• 75e3e83511ce6d400902e5a8320db9a3f3d26e44
• 75245e8bdd4884016915ba0ff0c94940342379bc
• 8b921434de690d153c4c4cdf21d390fc85f0d4f0
• 76f71a7c14efaa957d945aeeea130e64ef31390e
• 1ea91cb532dcfc55e1c4c62a62c0ccb97627d924
• 2d0051751af7992778e0c3cac90b1e6bea9272ca
• 9eccf2e0ab48f799aecd5ebe227d86a7723dcca3
• 695ed42d15d7bb33a5f4f7c0f93908f97be14d0a

URL

• https://admin1.tttseo.com/ht.zip
• http://ddos.tttseo.com/ddos/ddos.zip
• http://a.googie.pw/xx1.php
• http://a.googie.pw/zz1.php
• http://b.googie.pw/xx1.php
• http://b.googie.pw/zz1.php
• http://web.googie.pw/xx1.php
• http://web.googie.pw/zz1.php
• http://www.ig26.com/xx1.php
• http://www.ig26.com/zz1.php
• http://www.googie.pw/xx1.php
• http://www.googie.pw/zz1.php
• http://www.yx52.pw/xx1.php
• http://www.yx52.pw/zz1.php

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Patch and upgrade any platforms and software timely and make it into a standard security policy.
• Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
• Implement network segmentation to limit lateral movement for attackers within the network.
• Implement advanced email filtering to detect and block phishing emails.
• Employ updated and robust endpoint protection solutions to detect and block malware.
• Develop and test an incident response plan to ensure a swift and effective response to security incidents.
• Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
• Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
• Regularly back up critical data and ensure that backup and recovery procedures are in place.