Chinese-Speaking Hackers Manipulate SEO Rankings Globally
Threat Actor Advertises SEO Services in Chinese and English
A Chinese search engine optimization operation hacked more than 35 web servers and stole credentials in a campaign to boost the online rankings of malicious porn sites.
Researchers from Cisco Talos dubbed the threat cluster DragonRank and said that it advertises search engine optimization services, legal and illegal, in Chinese and English. Its black hat SEO offerings include compromising web servers, injecting hidden links or keywords into legitimate websites and creating backlinks to malicious sites. An online domain associated with the operation, tttseo.com, doesn't resolve to a website.
The backlinks artificially boost the search engine performance of the malicious sites, increasing the chances of unsuspecting users visiting them and being tricked into providing sensitive information or downloading malware. Web servers hacked during this campaign span the globe and include victims in Thailand, India, Korea, Belgium, the Netherlands and China.
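The hidden links and backlinks described above leave a footprint on the compromised site itself: anchors that point off-site but that no visitor can see. The following scanner is an added example, not code from the article or from Cisco Talos. It walks a page's HTML with the standard library parser, tracks whether the current element sits inside anything hidden by an inline style or the `hidden` attribute, and reports off-site links found there. The sample page, its domains and the list of hiding styles are constructed for the example; a real deployment would extend the style patterns and also check external stylesheets.

```python
# Added example (not code from the article or Cisco Talos): scan a page's
# HTML for links a visitor cannot see but a crawler will index, the footprint
# black hat SEO injection leaves on a compromised site. The sample page below
# is constructed for the example.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to hide injected content from visitors
# (illustrative list; extend for your site).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(px)?\s*(;|$)"
    r"|opacity\s*:\s*0(\.0+)?\s*(;|$)"
    r"|(left|top|text-indent)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)

# Elements that never get a closing tag, so they must not stay on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class HiddenLinkFinder(HTMLParser):
    """Collect <a href> targets that sit inside a hidden element and point
    off-site. Nesting is tracked so links inside a hidden <div> count too."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []        # (tag, opened_hidden_scope) for open elements
        self.hidden_depth = 0  # > 0 while inside at least one hidden element
        self.findings = []     # (external host, href)

    def _is_offsite(self, href):
        host = (urlparse(href).hostname or "").lower()
        return bool(host) and host != self.site_host \
            and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag in VOID_TAGS:
            return  # cannot contain links and is never closed
        if hidden:
            self.hidden_depth += 1
        self.stack.append((tag, hidden))
        if tag == "a" and self.hidden_depth and a.get("href") \
                and self._is_offsite(a["href"]):
            self.findings.append((urlparse(a["href"]).hostname.lower(), a["href"]))

    def handle_endtag(self, tag):
        if not any(t == tag for t, _ in self.stack):
            return  # stray closing tag; ignore
        # Pop to the matching open tag, tolerating unbalanced markup.
        while self.stack:
            t, opened_hidden = self.stack.pop()
            if opened_hidden:
                self.hidden_depth -= 1
            if t == tag:
                break


def find_hidden_links(html, site_host):
    """Return [(host, href), ...] for off-site links hidden from visitors."""
    parser = HiddenLinkFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a small-business page with an injected off-screen block
# and one zero-font-size link, alongside legitimate visible links.
SAMPLE_PAGE = """
<html><body>
<h1>Acme Plumbing</h1>
<p>Call us today. <a href="https://www.acme-plumbing.example/contact">Contact</a></p>
<div style="position:absolute; left:-9999px">
  <a href="http://casino-wins.example/">best online casino</a>
  <a href="http://adult-videos.example/x">watch now</a>
</div>
<p>Partners: <a href="https://supplier.example/">Supplier</a></p>
<a href="http://pills.example/" style="font-size:0px">cheap pills</a>
</body></html>
"""

if __name__ == "__main__":
    for host, href in find_hidden_links(SAMPLE_PAGE, "www.acme-plumbing.example"):
        print(f"hidden off-site link -> {host}: {href}")
```

Run it against a saved copy of each page on a site you administer and diff the output over time; a new off-site host appearing in a hidden block is the signal, since the visible part of the page usually looks untouched.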
DragonRank's primary goal is to penetrate web servers and drop the BadIIS malware - IIS stands for Internet Information Services, Microsoft's extensible web server - in order to carry out SEO manipulation. To hide its communications with the command-and-control server, the malware presents the Google search engine crawler's User-Agent string so that the traffic looks like routine crawling.
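A User-Agent string proves nothing about where a request came from. Google documents that genuine crawler traffic can be verified by source address, either through a reverse-then-forward DNS check or against the IP ranges it publishes, and that verification is what separates real Googlebot from anything borrowing its name. The following detector is an added example, not code from the article or from Cisco Talos. It parses constructed IIS-style W3C log lines and reports requests that carry a Googlebot User-Agent from an address outside the crawler ranges. The log records, the client addresses and the single range in `GOOGLEBOT_RANGES` are assumptions for the example; a real deployment should load Google's published list (developers.google.com/search/apis/ipranges/googlebot.json) rather than a hardcoded subset.

```python
# Added example (not code from the article or Cisco Talos): find requests
# whose User-Agent claims to be Googlebot but whose source address is not in
# Google's crawler ranges. The IIS-style log lines are constructed, and the
# range list is an illustrative subset; a real deployment should load the
# ranges Google publishes or perform the reverse/forward DNS check it documents.
import ipaddress
import re

# Assumed, illustrative crawler range for the example only.
GOOGLEBOT_RANGES = [ipaddress.ip_network("66.249.64.0/19")]

GOOGLEBOT_UA = re.compile(r"\bGooglebot\b", re.IGNORECASE)

# Constructed W3C-format IIS log excerpt (IIS writes spaces in the
# User-Agent as '+'). Addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-08-01 10:00:01 10.0.0.5 GET /index.php - 80 - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 15
2024-08-01 10:00:07 10.0.0.5 GET /wp-login.php - 80 - 203.0.113.44 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 22
2024-08-01 10:00:09 10.0.0.5 GET /about.html - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 - 200 0 0 9
2024-08-01 10:00:12 10.0.0.5 POST /phpmyadmin/index.php - 80 - 203.0.113.44 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 40
"""


def parse_w3c(text):
    """Yield one dict per record, taking field names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet, or a malformed record
        rec = dict(zip(fields, values))
        rec["cs(User-Agent)"] = rec.get("cs(User-Agent)", "").replace("+", " ")
        yield rec


def is_google_crawler_ip(ip_text):
    """True if the address falls inside a known crawler range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in GOOGLEBOT_RANGES)


def find_spoofed_googlebot(text):
    """Return [(c-ip, method, uri), ...] for Googlebot UAs from non-Google IPs."""
    hits = []
    for rec in parse_w3c(text):
        ua = rec["cs(User-Agent)"]
        if GOOGLEBOT_UA.search(ua) and not is_google_crawler_ip(rec["c-ip"]):
            hits.append((rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for ip, method, uri in find_spoofed_googlebot(SAMPLE_LOG):
        print(f"spoofed Googlebot: {ip} {method} {uri}")
```

The same rule works in the other direction on an egress proxy: a web server that is itself the source of Googlebot-labelled outbound HTTP is not a crawler, and that is the side on which the malware's disguised C2 traffic would show up.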
Getting into servers begins with DragonRank hackers looking for vulnerabilities in web application services such as phpMyAdmin and WordPress. They deploy a web shell, then collect system information and download additional tooling, including Mimikatz, BadPotato and GodPotato. Credential harvesting tools let them move laterally into the network. DragonRank's malware arsenal also includes PlugX, which uses DLL sideloading and the Windows Structured Exception Handling mechanism to avoid detection. PlugX's persistence on infected systems lets the group maintain control without raising suspicion.
Cisco Talos linked DragonRank's activities to threat actors who write in Simplified Chinese and who find customers by advertising on legitimate websites. The threat actor also offers bulk posting services on social media platforms, researchers said.