Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Chinese hackers target Windows servers with SEO poisoning campaign

Security padlock and circuit board to protect data.

Hackers are taking advantage of vulnerable servers to take over websites, and use them to steal people’s credentials, deploy malware, and more.

A report from Cisco Talos, who have been tracking the activity for some time now, revealed the group would first seek out vulnerable web application services such as phpMyAdmin, WordPress, or similar. Then, they would use the vulnerabilities to deploy a web shell which grants them control over the server.

Finally, the web shell allows them to collect system information, or deploy additional malware such as PlugX, or BadIIS, or to run different infostealers such as Mimikatz, GodPotato, and others. To get people to visit the infected websites, the group uses SEO poisoning, pushing the sites higher up on search engine results pages.

DragonRank

The researchers are dubbing the new threat “DragonRank”. They believe the group is targeting mostly organizations in Asia, with a few victims found in Europe, as well. So far, the malware was spotted in Thailand, India, Korea, Belgium, the Netherlands, and China.

The victims come from all sorts of industries, including jewelry, media, research services, healthcare, video and television production, manufacturing, transportation, religious and spiritual organizations, IT services, international affairs, agriculture, sports, and even niche markets like feng shui.

All of this leads the researchers to conclude that DragonRank doesn’t really have a particular target and just looks to compromise as many organizations as possible.

So far, more than 35 IIS servers were compromised, and deployed the BadIIS malware, the researchers concluded. BadIIS was first discovered in 2020, and it acts as a backdoor that grants unauthorized access to compromised servers. One of its key features is stealth, since it uses advanced techniques to evade detection.

Since the group has a commercial website, a business model, and instant message accounts, the researchers concluded that the group is most likely of Chinese origin.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.