GhostRedirector Compromising Windows Servers in Brazil, Thailand and Vietnam

A suspected Chinese cybercrime group is deploying custom malware to compromise Windows servers in Brazil, Thailand, Portugal and Vietnam as part of search engine optimization fraud to promote gambling websites.
Security firm Eset, which uncovered the campaign, attributed it to a previously unseen group that it dubbed GhostRedirector. The campaign, active since December 2024, deploys a C++ backdoor named Rungan and a malicious Internet Information Services module called Gamshen to promote gambling websites – in at least one case, a gambling application geared toward Portuguese-speaking users.
The researchers attributed GhostRedirector with medium confidence to a China-aligned threat actor. The group has compromised 65 Windows servers so far.
Attacks begin with hackers carrying out SQL injection to gain initial access. Hackers deploy PowerShell scripts to download additional tools, including the EfsPotato and BadPotato exploits for privilege escalation. Hackers change the password of an existing user account and attempt to add it to the administrators group or, in some cases, create a new administrator user altogether, Eset researchers said.
They use another utility, Zunput, to scan Windows Internet Information Services configurations to gather details such as physical paths, IP addresses and hostnames. “Once the information is collected, Zunput checks for the existence of the physical path on the server and verifies that the directory contains at least one file. This way, Zunput only targets active websites capable of executing dynamic content – only in those directories does it then drop the embedded webshells,” Eset researchers said.
A final payload is the Rungan backdoor, whose main functionality in this campaign is to register a hardcoded URL, http://+:80/v1.0/8888/sys.html, on the compromised server. From there, the malware parses and executes commands sent from its operators, including collecting files, registering additional URLs for backdoor access and executing arbitrary commands.
The Gamshen module intercepts HTTP requests from Googlebot, the search engine’s web crawler, and manipulates responses to boost the ranking of a targeted third-party site. “By doing this, GhostRedirector attempts to manipulate Google search rankings using shady SEO techniques, such as creating artificial backlinks from legitimate but compromised websites,” Eset researchers said.
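A defender-side check an administrator can run on an IIS host, added here and not code from Eset or from the campaign: it lists the URL prefixes currently registered with HTTP.sys, flags the hardcoded Rungan path quoted above, and enumerates IIS native modules (the mechanism a module such as Gamshen uses to load) so that any module whose image lives outside the inetsrv directories can be reviewed. The expected-directory list and the out-of-place-module heuristic are assumptions for illustration, not Eset's indicators.

```powershell
# Added defensive check (not Eset's tooling). Run in an elevated session on the IIS server.

# 1. Search HTTP.sys registered URLs for the Rungan path quoted in the article.
$runganPath = '/v1.0/8888/sys.html'
$state = netsh http show servicestate view=requestq 2>&1
# Registered URL lines are indented and start with HTTP:// or HTTPS://
$registered = $state | Where-Object { $_ -match '^\s+HTTPS?://' } | ForEach-Object { $_.Trim() }
$hits = $registered | Where-Object { $_ -like "*$runganPath" }
if ($hits) {
    Write-Warning "Suspicious HTTP.sys registration(s):`n$($hits -join "`n")"
} else {
    Write-Output "No HTTP.sys registration ending in $runganPath"
}

# 2. List IIS native modules and flag images outside the usual inetsrv folders.
#    Assumption: legitimate native modules normally live under these two paths.
Import-Module WebAdministration
$expectedRoots = @("$env:windir\System32\inetsrv", "$env:windir\SysWOW64\inetsrv")
Get-WebGlobalModule | ForEach-Object {
    $img = [Environment]::ExpandEnvironmentVariables($_.Image)
    $inExpected = $expectedRoots | Where-Object { $img.StartsWith($_, 'OrdinalIgnoreCase') }
    if (-not $inExpected) {
        Write-Warning "Native module loaded from outside inetsrv: $($_.Name) -> $img"
    } else {
        Write-Output "OK: $($_.Name) -> $img"
    }
}
```

Legitimate add-ons (for example the ASP.NET Core module) also live outside inetsrv, so a flagged entry is a lead to verify against the vendor's file, not a verdict.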
Although most of the compromised networks in the latest campaign were detected in the U.S., Eset researchers said GhostRedirector hackers appear more interested in targeting victims in South America and South Asia.