Cybersecurity researchers have identified a new threat cluster named GhostRedirector, which has compromised at least 65 Windows servers mainly in Brazil, Thailand, and Vietnam. The attacks involve the installation of a C++ backdoor called Rungan and an IIS module named Gamshen. The threat actor is believed to have been active since at least August 2024. Rungan can execute commands on compromised servers, while Gamshen provides SEO fraud services by manipulating search engine results, specifically targeting Googlebot so that the manipulation stays invisible to regular users. GhostRedirector has also impacted entities in various countries, including the U.S., Canada, and India, across multiple sectors. Initial access is likely gained through SQL injection vulnerabilities, followed by the use of PowerShell to deliver additional malware from a staging server. Rungan listens for commands from a specific URL and supports various functions, including user creation and command execution. Gamshen is part of a family of IIS malware and operates similarly to previously documented malware. The group employs deceptive SEO techniques to generate artificial backlinks that promote gambling websites. Evidence suggests that GhostRedirector may be linked to a China-based threat actor, supported by Chinese strings in the code and a certificate from a Chinese company. The group maintains persistence by deploying multiple remote access tools and creating rogue user accounts for long-term access.
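The Googlebot-only behaviour described above (the crawler gets a manipulated page while ordinary visitors get the normal one) leaves a trace in the server's own access logs: the same URL returns a consistently different response size to Googlebot than to everyone else. The following Python script, added here as an illustration and not taken from the article or from ESET's report, parses IIS W3C-format log lines using their `#Fields:` header and flags paths whose median `sc-bytes` for Googlebot differs from the median for other clients by more than a configurable ratio. The log excerpt, IP addresses, paths and byte counts are constructed for this example; the `sc-bytes` column is assumed to be enabled in the site's logging configuration.

```python
"""Flag IIS paths that serve Googlebot a differently sized response than other clients."""
from collections import defaultdict
from statistics import median

# Constructed IIS W3C log excerpt for this example; hosts, IPs and sizes are made up.
# IIS replaces spaces inside fields (e.g. the User-Agent) with '+', so records split on whitespace.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes
2025-09-01 10:00:01 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 200 5120
2025-09-01 10:00:09 10.0.0.5 GET /index.html - 80 - 203.0.113.8 Mozilla/5.0+(Macintosh)+Safari/605.1 200 5098
2025-09-01 10:01:14 10.0.0.5 GET /index.html - 80 - 198.51.100.3 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 23470
2025-09-01 10:02:40 10.0.0.5 GET /index.html - 80 - 198.51.100.4 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 23612
2025-09-01 10:03:02 10.0.0.5 GET /about.html - 80 - 203.0.113.9 Mozilla/5.0+(X11;+Linux)+Firefox/121.0 200 3010
2025-09-01 10:03:30 10.0.0.5 GET /about.html - 80 - 198.51.100.3 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 3014
2025-09-01 10:04:11 10.0.0.5 GET /contact.html - 80 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Edge/120.0 200 2200
2025-09-01 10:05:00 10.0.0.5 GET /missing.html - 80 - 198.51.100.3 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 404 -
"""

# Gamshen is reported to target Googlebot specifically; add other crawler markers if needed.
BOT_MARKERS = ("googlebot",)


def parse_w3c(text):
    """Yield one dict per log record, naming columns from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("log record appeared before a #Fields: directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed or truncated lines rather than misalign columns
        yield dict(zip(fields, parts))


def is_crawler(user_agent):
    """True when the (IIS '+'-encoded) User-Agent identifies one of the tracked crawlers."""
    ua = user_agent.lower()
    return any(marker in ua for marker in BOT_MARKERS)


def find_cloaked_paths(text, min_samples=1, ratio=1.5):
    """Return paths whose median successful response size differs by >= ratio between crawlers and others.

    Only 200 responses with a numeric sc-bytes value are compared, so 404s and
    records without a size (logged as '-') never skew the medians.
    """
    sizes = defaultdict(lambda: {"bot": [], "human": []})
    for rec in parse_w3c(text):
        if rec.get("sc-status") != "200":
            continue
        try:
            nbytes = int(rec["sc-bytes"])
        except (KeyError, ValueError):
            continue
        group = "bot" if is_crawler(rec.get("cs(User-Agent)", "")) else "human"
        sizes[rec["cs-uri-stem"]][group].append(nbytes)

    findings = []
    for path, groups in sizes.items():
        bot, human = groups["bot"], groups["human"]
        if len(bot) < min_samples or len(human) < min_samples:
            continue  # need both populations to compare
        bot_median, human_median = median(bot), median(human)
        if bot_median >= human_median * ratio or human_median >= bot_median * ratio:
            findings.append({"path": path, "bot_median": bot_median, "human_median": human_median})
    return findings


if __name__ == "__main__":
    for finding in find_cloaked_paths(SAMPLE_LOG):
        print(f"{finding['path']}: Googlebot median {finding['bot_median']} bytes, "
              f"others {finding['human_median']} bytes")
```

On the constructed sample only `/index.html` is reported, because Googlebot receives roughly 23.5 KB there while browsers receive about 5.1 KB, whereas `/about.html` is nearly identical for both. A size gap is a triage signal, not proof: sites that legitimately use dynamic rendering for crawlers will also show one, so a hit should be confirmed by fetching the path with both user agents and by reviewing the native modules registered in the IIS configuration for anything the server's owners did not install.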