(Source: thehackernews.com)
A newly discovered cyber campaign, codenamed DragonRank, has been linked to a “simplified Chinese-speaking actor” targeting countries in Asia and Europe with the goal of manipulating search engine rankings. The black hat SEO operation, identified by cybersecurity firm Cisco Talos, has affected organizations across Thailand, India, Korea, Belgium, the Netherlands, and China. The campaign exploits vulnerable web applications to deploy malware that supports fraudulent SEO activity.
DragonRank’s Tactics and Malware Deployment
According to security researcher Joey Chen, the DragonRank campaign begins its attacks by exploiting known vulnerabilities in web applications such as phpMyAdmin and WordPress. The attackers deploy a web shell to gather system information, plant malware, and launch credential-harvesting tools. One of the key pieces of malware used is BadIIS, a malicious tool first documented by cybersecurity firm ESET in 2021. The campaign has compromised 35 Internet Information Services (IIS) servers, repurposing them to act as intermediaries for malicious activities, including SEO fraud.
The primary goal of the DragonRank campaign is to manipulate search engine algorithms by altering the content served to search engines, improving the rankings of websites of interest to the attackers. This manipulation allows threat actors to boost fraudulent content, disrupt competitors, or drive traffic to malicious websites. Another layer of deception is the malware’s ability to disguise itself as Google’s search engine crawler, bypassing certain security measures while relaying commands to its control server.
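The crawler impersonation described above gives defenders a concrete signal: a web server has no reason to originate outbound requests carrying a search-engine crawler User-Agent, so such traffic in proxy or egress logs is worth flagging. The following is an added detection example written for this page; it is not code from Cisco Talos, ESET, or The Hacker News. It assumes a hypothetical space-separated egress log format, a constructed set of web-server addresses (WEB_SERVERS), and a short list of crawler User-Agent markers; the sample log lines are constructed for illustration.

```python
"""Flag outbound requests that claim to be a search-engine crawler.

Added example (not from the original report). Assumed log format, one
request per line, constructed for this example:

  <timestamp> <src_ip> <dst_host> <method> <path> <status> "<user-agent>"
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed for the example: addresses of hosts that serve web content.
# Legitimate crawlers send requests TO these hosts; they never send
# crawler-style requests FROM them.
WEB_SERVERS = {"10.0.5.21", "10.0.5.22"}

# Substrings found in well-known search-engine crawler User-Agent strings.
CRAWLER_MARKERS = ("googlebot", "bingbot", "baiduspider", "yandexbot")

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    ua: str
    severity: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into its fields; return None for lines that do not
    match the assumed format so that malformed input never aborts a scan."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def flag_crawler_egress(lines: Iterable[str]) -> List[Finding]:
    """Return a Finding for every outbound request whose User-Agent claims to be
    a search-engine crawler. Requests from known web servers are rated high
    (matches the impersonation pattern); any other internal source is rated
    medium, since no internal client should present such a User-Agent."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ua_lower = rec["ua"].lower()
        if not any(marker in ua_lower for marker in CRAWLER_MARKERS):
            continue
        severity = "high" if rec["src"] in WEB_SERVERS else "medium"
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["ua"], severity))
    return findings


# Constructed sample egress log: two benign requests, one crawler-UA request
# from a web server, one from a workstation, and one malformed line.
SAMPLE_LOG = """\
2024-09-11T08:01:02Z 10.0.7.14 update.example-vendor.test GET /feed 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0"
2024-09-11T08:01:09Z 10.0.5.21 cdn.example.test GET /lib.js 200 "Mozilla/5.0 (Windows NT; IIS)"
2024-09-11T08:02:33Z 10.0.5.21 203.0.113.9 POST /api/ping 200 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
2024-09-11T08:03:10Z 10.0.7.14 198.51.100.4 GET /x 404 "Mozilla/5.0 (compatible; bingbot/2.0)"
this line is not in the expected format
"""


def main() -> None:
    for finding in flag_crawler_egress(SAMPLE_LOG.splitlines()):
        print(f"[{finding.severity}] {finding.ts} {finding.src} -> {finding.dst} ua={finding.ua!r}")


if __name__ == "__main__":
    main()
```

Run against real data, the marker list and WEB_SERVERS should be populated from the environment's own crawler allow-list and asset inventory; the high/medium split matters because a crawler User-Agent leaving an IIS host is the specific behaviour the report attributes to the implant, while the same string from a workstation is merely unexplained.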
Targeted Sectors and Sophisticated Techniques
The DragonRank cyber campaign has infiltrated a diverse range of industries, including healthcare, media, manufacturing, transportation, IT services, and religious organizations. By compromising IIS servers hosting corporate websites, the attackers implant malware and repurpose the servers as launchpads for scams, often using keywords related to adult content. The PlugX malware, commonly associated with Chinese cyber threat actors, is also employed to breach additional servers within the target’s network, maintaining control through credential-harvesting tools such as Mimikatz and various versions of “Potato” exploits.
One notable aspect of the malware used in DragonRank’s attacks is its method of hiding within legitimate files using DLL side-loading techniques. The Windows Structured Exception Handling (SEH) mechanism is employed to ensure that the malware loads without triggering security alarms. These techniques allow the attackers to remain undetected for extended periods, further enabling their SEO fraud operations.
DragonRank’s Business Model and Client Services
In addition to its technical prowess, the DragonRank group operates a business model that includes illegal SEO services. The group maintains a presence on platforms like Telegram and QQ instant messaging to conduct transactions with paying clients. These clients are offered customized promotional plans to enhance the visibility of their websites in search engines, often targeting specific countries and languages for maximum effect. According to Chen, DragonRank offers a level of “quality customer service,” tailoring SEO strategies to meet the unique needs of each client.
DragonRank’s ability to manipulate search engine algorithms and boost the rankings of fraudulent content poses a significant threat to businesses and online users alike. The campaign’s versatility, combined with its use of advanced malware like BadIIS and PlugX, makes it a formidable force in the realm of cybercrime. With its illegal business model and highly customized approach, the DragonRank campaign represents a new level of sophistication in the world of black hat SEO manipulation.