Cisco Talos’ team has detected the operations of a hacker group, DragonRank, which uses sophisticated malware techniques and black hat SEO tools to manipulate search engine results.
DragonRank exploits vulnerabilities in victims’ web applications to deploy a web shell, which it then uses to gather system data and run malicious software such as PlugX and BadIIS. Its PlugX not only relies on established DLL side-loading techniques but also abuses the Windows Structured Exception Handling (SEH) mechanism so that a genuine file loads the malware without arousing suspicion.
Cisco Talos researchers confirmed that over 35 IIS servers have been breached, leading to the deployment of malicious software in various geographical regions, including Thailand, India, Korea, Belgium, the Netherlands, and China.
New Player in the Field
One of DragonRank’s primary activities is black hat SEO, the practice of promoting a website through unethical techniques. The group games search engine algorithms by manipulating keywords to boost the visibility of its pages, then steers the resulting user traffic to infected pages, which often host harmful content such as pornography.
According to Cisco Talos, DragonRank is relatively new to the black hat SEO industry, having previously specialized in targeted attacks and penetration testing. In this campaign, the attackers breach servers by exploiting vulnerabilities in web applications such as phpMyAdmin and WordPress. Once they have server access, they deploy a web shell, which gives them control over the system and a foothold from which to escalate further.
Operations Methods
DragonRank stands out from other hacker groups in its strategy. Traditional black hat SEO groups try to seize as many servers as possible to manipulate search engine results; DragonRank instead focuses on lateral movement and privilege escalation within the targeted networks. Its primary goal is to infiltrate additional servers within the network and maintain control over them.
DragonRank combines SEO activity with the use of malware. The campaign relies on two main tools, PlugX and BadIIS. PlugX is a backdoor that gives the attackers remote access to and control over the infected system; they also use DLL side-loading to camouflage their activity and minimize the risk of detection. PlugX lets the attackers manipulate the system and escalate further, for example by harvesting system data and credentials with tools such as Mimikatz.
Cisco Talos traced a website and communication accounts and determined that the hackers use Chinese. Moreover, based on information shared via Telegram, there is a high probability that the group is based in Thailand. Its use of Chinese could point to links with Chinese cybercrime groups, as the malware it frequently uses in its operations is commonly employed by Chinese hacker groups.
BadIIS, in turn, manipulates search engine bots and hyperlinks, allowing DragonRank to game search results and artificially raise or lower page rankings. Infected IIS servers are also used as proxy servers, relaying communication between infected hosts and command-and-control (C2) servers. This lets DragonRank manipulate search results effectively, promoting client content or tarnishing the reputations of competing sites.
(Not) Harmful Marketing
DragonRank also operates commercially, offering white hat SEO services. The group advertises its services on platforms such as Telegram and QQ, where clients can contact it and carry out illegal transactions. It seemingly offers high-quality, customized customer service: clients can supply the keywords and pages they want to promote, and DragonRank develops a strategy tailored to their needs. The group stands out for its personalized approach, offering a wide range of black hat and white hat SEO services and marketing strategies tailored to specific markets.
DragonRank combines malware with illegal marketing activities, making its operations especially harmful. Its activities aim both to promote fake content and to carry out damaging SEO practices, presenting a serious threat to companies and internet users.
Source: https://managerplus.pl/cisco-talos-grupa-hakerow-z-chin-manipuluje-wynikami-wyszukiwarek-internetowych-55912