Cisco Talos has discovered a cyber threat it tracks as “DragonRank”, targeting organizations across Asia and Europe. The campaign exploits vulnerable web application services to gain a foothold on web servers, then deploys malicious tools such as PlugX and BadIIS to manipulate search engine optimization (SEO) rankings.
DragonRank mainly focuses on compromising Windows Internet Information Services (IIS) servers, with confirmed attacks in countries including Thailand, India, Korea, Belgium, the Netherlands, and China. The group's goal is SEO manipulation: boosting the search ranking and visibility of sites its customers pay to promote, at the expense of the compromised sites and their visitors. To get there, the attackers exploit vulnerabilities in web applications to deploy web shells, gaining unauthorized access to the underlying servers.
Once access is gained, the attackers launch malware such as PlugX and BadIIS to steal credentials and embed themselves deeper within the systems. PlugX is particularly deceptive: it abuses the Windows Structured Exception Handling (SEH) mechanism so that a legitimate executable loads the PlugX payload without raising suspicion, which helps it evade security tools. Cisco Talos has identified over 35 compromised IIS servers across various industries, including media, healthcare, IT services, and manufacturing. BadIIS does not alter any search engine's algorithm; it is a malicious IIS module that intercepts the HTTP requests reaching the compromised server and tampers with the responses, so that search engine crawlers index attacker-chosen content and ordinary visitors can be led to fraudulent websites featuring malicious content.
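A practical way to look for this kind of response tampering is to compare what an IIS server serves to search engine crawlers, to visitors who arrive from a search results page, and to everyone else. The script below is an added example written for this article, not Talos code and not part of the DragonRank tooling. It assumes the IIS site logs in the default W3C extended format with the cs(User-Agent), cs(Referer), sc-status and sc-bytes fields enabled, and the log lines embedded in it are constructed for illustration. A path where the crawler and search-referred profiles never overlap the profile served to direct visitors is flagged as a cloaking candidate.

```python
"""Flag IIS paths whose responses differ by visitor class (a cloaking signal).

Added example for this article; not Cisco Talos code. Assumes IIS W3C
extended logging with User-Agent, Referer, sc-status and sc-bytes enabled.
The sample log below is constructed, not captured from a real server.
"""
from collections import defaultdict
from itertools import combinations
import re

# Crawler user-agents and search-engine referrers that a BadIIS-style SEO
# module typically singles out. Extend as needed; these are assumptions.
CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider|yandexbot|naverbot", re.I)
SEARCH_REFERER = re.compile(r"https?://(www\.)?(google|bing|baidu|yandex|naver)\.", re.I)

# Constructed sample: /products.aspx is served three different ways
# depending on who asks; /about.aspx is served identically to everyone.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status sc-bytes
2024-09-01 10:00:01 10.0.0.5 GET /products.aspx - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 18422
2024-09-01 10:00:09 10.0.0.5 GET /products.aspx - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 91377
2024-09-01 10:01:15 10.0.0.5 GET /products.aspx - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 https://www.google.com/search?q=products 302 0
2024-09-01 10:02:00 10.0.0.5 GET /about.aspx - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 7120
2024-09-01 10:02:30 10.0.0.5 GET /about.aspx - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 7120
"""


def classify(user_agent, referer):
    """Bucket a request into crawler, search-referred or direct."""
    if CRAWLER_UA.search(user_agent):
        return "crawler"
    if SEARCH_REFERER.search(referer):
        return "search-referred"
    return "direct"


def parse_w3c(lines):
    """Yield one dict per log record, keyed by the names in the #Fields header.

    Honouring the header means the parser works with any IIS field selection.
    IIS writes '+' in place of spaces inside User-Agent and Referer values.
    """
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign
        rec = dict(zip(fields, parts))
        rec["cs(User-Agent)"] = rec.get("cs(User-Agent)", "-").replace("+", " ")
        rec["cs(Referer)"] = rec.get("cs(Referer)", "-").replace("+", " ")
        yield rec


def find_cloaked_paths(lines):
    """Return {path: {visitor_class: [(status, bytes), ...]}} for every path
    where two visitor classes never received the same (status, bytes) response.

    Disjoint profiles, rather than merely different ones, are used so that a
    dynamic page whose size varies slightly between visits is not flagged.
    """
    profiles = defaultdict(lambda: defaultdict(set))
    for rec in parse_w3c(lines):
        cls = classify(rec["cs(User-Agent)"], rec["cs(Referer)"])
        profiles[rec["cs-uri-stem"]][cls].add((rec["sc-status"], rec["sc-bytes"]))

    suspicious = {}
    for path, by_class in profiles.items():
        for a, b in combinations(by_class, 2):
            if by_class[a].isdisjoint(by_class[b]):
                suspicious[path] = {c: sorted(v) for c, v in by_class.items()}
                break
    return suspicious


if __name__ == "__main__":
    for path, by_class in find_cloaked_paths(SAMPLE_LOG.splitlines()).items():
        print(f"possible cloaking on {path}:")
        for cls, seen in by_class.items():
            print(f"  {cls:16} {seen}")
```

On the constructed sample only /products.aspx is reported: direct visitors get a 200 of 18422 bytes, Googlebot gets a 200 of 91377 bytes (the injected SEO content), and a visitor arriving from a Google search is answered with a 302. Against real logs, run it per site over a day's worth of lines and review the flagged paths by hand; a legitimate A/B test or geo-targeted page can produce the same pattern, so this is a triage signal rather than proof of compromise.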
Investigations by Talos also revealed the commercial side of DragonRank's operation. The group advertises both white-hat and black-hat SEO services on its website, promoting practices such as cross-site ranking and parasite ranking, which boost a client's online visibility by piggybacking on other sites' reputation. Its business model includes targeted promotions for specific regions and languages, which widens its global reach. Talos links the activity to a Simplified Chinese-speaking actor who uses communication platforms such as Telegram and QQ to conduct business and interact with customers, underscoring that DragonRank is a profit-driven cybercrime operation.
Apart from SEO manipulation, DragonRank also performs lateral movement and privilege escalation within compromised networks. The initial web shell gives them a foothold, and they then use Remote Desktop Protocol (RDP) to move between servers and maintain long-term persistence and deeper access to the targeted systems. While DragonRank is relatively new to the black-hat SEO industry, it has adapted quickly; its use of sophisticated malware like PlugX and of evasion tricks like SEH abuse shows how its tactics are evolving.
Cisco Talos is closely monitoring DragonRank's activities to determine the full extent of its operations. Given the group's ability to compromise a wide range of industries and countries, its reach may expand further. Organizations running Windows IIS servers in particular should patch the web applications those servers host, audit IIS for unexpected modules and web shells, and watch for RDP sessions that do not match normal administrative use.
In conclusion, DragonRank is a sophisticated threat that compromises web servers and leverages them, with tools such as PlugX and BadIIS, to manipulate online visibility for paying customers. With a commercial operation behind it and attack capabilities that keep evolving, organizations need to be proactive in safeguarding their systems. Cisco Talos continues to monitor DragonRank's activities to limit its impact.