GhostRedirector Hackers Exploit Windows Servers with Malicious IIS Modules to Manipulate Search Engine Results

A newly identified cybercriminal group, referred to as GhostRedirector by cybersecurity experts, has infiltrated at least 65 Windows servers worldwide. Their primary objective is to deploy custom malware that manipulates search engine results, thereby enhancing the visibility of specific gambling websites for financial gain.

Modus Operandi

The GhostRedirector group employs a sophisticated strategy involving two previously undocumented tools:

1. Rungan: A passive C++ backdoor that grants attackers the capability to execute commands on compromised servers.

2. Gamshen: A malicious native module for Microsoft’s Internet Information Services (IIS) that serves as the linchpin of their operation, facilitating SEO fraud-as-a-service.

The Gamshen module is engineered to intercept web traffic on infected servers. It is specifically programmed to activate upon detecting requests from Google’s web crawler, Googlebot. For regular users, the website operates normally. However, when Googlebot accesses the site, Gamshen alters the server’s response by injecting data from its command-and-control server. This manipulation enables the creation of artificial backlinks and other deceptive SEO tactics, effectively hijacking the compromised website’s reputation to boost the search engine ranking of targeted gambling sites.
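One way to look for the cloaking behaviour described above in a server's own logs, added here as an example and not code from the original report or from ESET: it parses IIS W3C log lines (a constructed sample is embedded) and flags URLs where responses to a Googlebot User-Agent are markedly larger than those served to ordinary visitors, which is what a module that injects content only for the crawler would produce. The 3x ratio threshold and the field layout are assumptions.

```python
"""Flag URLs whose Googlebot responses diverge in size from everyone else's.
A Gamshen-style module serves visitors the normal page but pads the crawler's
response, so sc-bytes for Googlebot stand out. Sample lines are constructed."""
from collections import defaultdict
from statistics import median

# Constructed IIS W3C sample; IIS writes spaces inside the User-Agent as '+'.
SAMPLE_LOG = """\
#Fields: date time cs-uri-stem cs(User-Agent) sc-status sc-bytes
2025-09-04 10:00:01 /index.html Mozilla/5.0+(Windows+NT+10.0) 200 5120
2025-09-04 10:00:05 /index.html Mozilla/5.0+(X11;+Linux+x86_64) 200 5130
2025-09-04 10:00:09 /index.html Mozilla/5.0+(compatible;+Googlebot/2.1) 200 41233
2025-09-04 10:01:11 /about.html Mozilla/5.0+(Macintosh) 200 3010
2025-09-04 10:01:15 /about.html Mozilla/5.0+(compatible;+Googlebot/2.1) 200 3012
"""

def parse_w3c(text):
    # Column names come from the #Fields directive; other '#' lines are skipped.
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_cloaking(text, ratio=3.0):
    """Return {url: (median bytes to others, median bytes to Googlebot)} for
    URLs where the Googlebot median is at least `ratio` times the baseline."""
    bot, other = defaultdict(list), defaultdict(list)
    for rec in parse_w3c(text):
        if rec["sc-status"] != "200":
            continue
        is_bot = "googlebot" in rec["cs(User-Agent)"].lower()
        (bot if is_bot else other)[rec["cs-uri-stem"]].append(int(rec["sc-bytes"]))
    flagged = {}
    for url, sizes in bot.items():
        if other[url]:  # need a non-bot baseline for the same URL
            baseline, bot_median = median(other[url]), median(sizes)
            if bot_median >= ratio * baseline:
                flagged[url] = (baseline, bot_median)
    return flagged

if __name__ == "__main__":
    for url, (normal, bot_size) in find_cloaking(SAMPLE_LOG).items():
        print(f"{url}: ~{normal} bytes to visitors, ~{bot_size} bytes to Googlebot")
```

A hit is only a lead: confirm it by fetching the URL yourself with a normal and a Googlebot User-Agent and diffing the bodies, and by reviewing the native modules registered in IIS.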

Attribution and Impact

ESET researchers have attributed this campaign, with medium confidence, to a previously unknown threat actor aligned with China. This assessment is based on several indicators, including:

– A code-signing certificate issued to a Chinese company.

– Hardcoded Chinese language strings within the malware samples.

– The use of a password containing the Chinese word huang (meaning yellow) for rogue user accounts.

The campaign appears opportunistic, affecting a diverse range of sectors such as healthcare, retail, transportation, education, and technology. The majority of compromised servers are located in Brazil, Thailand, and Vietnam, with additional victims in the United States, Peru, Canada, and various parts of Europe and Asia.

Attack Chain

The GhostRedirector group’s attack sequence is as follows:

1. Initial Access: Exploitation of an SQL injection vulnerability to gain entry into the server.

2. Payload Deployment: Utilization of PowerShell or CertUtil to download malicious tools from a staging server.

3. Privilege Escalation: Use of publicly known exploits such as EfsPotato and BadPotato to create new administrator-level user accounts, ensuring persistent access.

4. Tool Deployment: Deployment of custom utilities such as Zunput, which scans the server for active websites and installs multiple web shells to maintain remote access.

The shared code libraries and infrastructure across these tools have enabled researchers to link the activities to a single group.

Mitigation Strategies

To defend against such sophisticated attacks, organizations should implement the following measures:

– Regular Patching: Ensure that all software, especially web servers and their associated modules, is up to date with the latest security patches.

– Web Application Firewalls (WAFs): Deploy WAFs to detect and prevent SQL injection and other web-based attacks.

– Access Controls: Limit administrative privileges and monitor the creation of new user accounts.

– Security Monitoring: Implement continuous monitoring solutions to detect unusual activities, such as unexpected module installations or modifications to server responses.

– Incident Response Plan: Develop and regularly update an incident response plan to swiftly address potential breaches.

By adopting these proactive measures, organizations can significantly reduce the risk of falling victim to similar cyber threats.