Cybersecurity researchers have unveiled a previously unknown threat cluster named GhostRedirector, which has successfully infiltrated at least 65 Windows servers, predominantly in Brazil, Thailand, and Vietnam. This alarming development was reported by ESET, a Slovak cybersecurity firm, which noted that the attacks have led to the installation of a passive C++ backdoor known as Rungan, alongside a native Internet Information Services (IIS) module referred to as Gamshen. The threat actor behind these activities is believed to have been operational since at least August 2024.
Mechanisms of Attack
According to ESET researcher Fernando Tavella, Rungan is capable of executing commands on compromised servers, while Gamshen serves a more insidious purpose: providing SEO fraud as-a-service. This module manipulates search engine results, artificially boosting the page ranking of targeted websites. Notably, Gamshen only alters responses directed at Googlebot, ensuring that regular visitors to the affected sites remain unaware of the underlying manipulation. However, participation in this SEO fraud scheme can tarnish the reputation of the compromised host website, linking it to dubious SEO practices.
The reach of GhostRedirector extends beyond the initial targets, affecting entities in countries such as Peru, the U.S., Canada, Finland, India, the Netherlands, the Philippines, and Singapore. The group’s activities appear indiscriminate, impacting various sectors including education, healthcare, insurance, transportation, technology, and retail.
Initial access to the targeted networks is believed to be achieved through the exploitation of vulnerabilities, likely stemming from SQL injection flaws. Following this breach, PowerShell is employed to deliver additional malicious tools hosted on a staging server identified as “868id[.]com.” ESET’s analysis indicates that most unauthorized PowerShell executions originated from the binary sqlserver.exe, which utilizes a stored procedure known as xp_cmdshell to execute commands on the compromised machines.
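The lineage described above (SQL Server spawning PowerShell through xp_cmdshell) is a high-signal detection for defenders who collect process-creation telemetry. The following is an added example, not ESET's detection logic: it walks the parent chain of each PowerShell process in a set of constructed Sysmon/EDR-style events (field names assumed) and flags any shell that descends from the SQL Server service binary, whether directly or via the intermediate cmd.exe that xp_cmdshell uses.

```python
"""Detect PowerShell spawned from the SQL Server service process.

Added example for this article, not ESET's detection logic. The events below
are constructed process-creation records (field names are assumed); the
ancestry walk flags shells whose parent chain reaches the SQL Server service
binary, which is how xp_cmdshell-launched commands appear in telemetry.
"""
from dataclasses import dataclass

# The SQL Server service binary is sqlservr.exe; the article spells it
# sqlserver.exe, so both forms are accepted here.
SQL_SERVICE_IMAGES = {"sqlservr.exe", "sqlserver.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Command-line fragments that raise the severity of a hit (encoded commands,
# hidden windows, download cradles). Illustrative, not a complete list.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "downloadstring", "iex ", "-w hidden", "-nop")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the started process
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: dict, max_depth: int = 8) -> list:
    """Walk parent links from pid upward, stopping on loops or missing parents."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def find_sql_spawned_shells(events: list) -> list:
    """Return (shell_event, sql_ancestor, severity) for each PowerShell process
    that descends from the SQL Server service, directly or via cmd.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in SHELL_IMAGES:
            continue
        for anc in ancestry(e.ppid, by_pid):
            if basename(anc.image) in SQL_SERVICE_IMAGES:
                cl = e.command_line.lower()
                severity = "high" if any(s in cl for s in SUSPICIOUS_ARGS) else "medium"
                hits.append((e, anc, severity))
                break
    return hits


# Constructed sample telemetry. Paths and arguments are placeholders, not indicators.
SAMPLE_EVENTS = [
    ProcEvent(400, 600, r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
              "sqlservr.exe -sMSSQLSERVER"),
    # xp_cmdshell runs its argument through cmd.exe, which then starts PowerShell
    ProcEvent(1200, 400, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell -nop -w hidden -enc PLACEHOLDER_BASE64"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -enc PLACEHOLDER_BASE64"),
    # benign: an administrator opening PowerShell from Explorer
    ProcEvent(2000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    # benign: IIS worker process with no shell children
    ProcEvent(3000, 3001, r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap DefaultAppPool"),
]


if __name__ == "__main__":
    for shell, sql, sev in find_sql_spawned_shells(SAMPLE_EVENTS):
        print(f"[{sev}] pid {shell.pid} {basename(shell.image)} descends from "
              f"pid {sql.pid} {basename(sql.image)}: {shell.command_line}")
```

On a real host the same rule belongs in the SIEM or EDR query language, keyed on the parent-process field; the walk over more than one generation matters because the immediate parent of PowerShell is usually cmd.exe rather than sqlservr.exe. Where xp_cmdshell is not needed at all, leaving it disabled (its default) removes the path entirely.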
Capabilities of Rungan and Gamshen
Rungan is programmed to await incoming requests from a specific URL pattern (i.e., “https://+:80/v1.0/8888/sys.html”) and subsequently parses and executes embedded commands. It supports a range of commands, including:
- mkuser: Creates a user on the server with specified credentials.
- listfolder: Gathers information from a designated path (currently unfinished).
- addurl: Registers new URLs for the backdoor to monitor.
- cmd: Executes commands on the server using pipes and the CreateProcessA API.
Gamshen, crafted in C/C++, belongs to a family of IIS malware known as “Group 13.” It functions both as a backdoor and a tool for SEO fraud, similar to IISerpent, another IIS-specific malware documented by ESET in August 2021. IISerpent operates as a malicious extension for Microsoft’s web server software, allowing it to intercept HTTP requests from search engine crawlers and alter responses to redirect search engines to a scam website of the attacker’s choosing.
Microsoft acknowledged the potential for IIS extensions to covertly establish persistent backdoors into servers, noting their difficulty in detection due to their placement in the same directories as legitimate modules and their similar code structure.
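Because a rogue native module can live in the same inetsrv directory as the stock ones, a directory check alone is not enough; the module list itself has to be compared against a baseline. The following is an added example, not ESET's or Microsoft's tooling: it parses the <globalModules> section of a constructed applicationHost.config excerpt and reports entries whose name is absent from a (deliberately short, illustrative) allowlist or whose image path falls outside the expected directory.

```python
"""Audit native IIS modules registered in applicationHost.config.

Added example, not ESET's or Microsoft's tooling. Each <globalModules> entry is
checked against a name allowlist AND the expected directory, because a malicious
native module can sit in %windir%\\System32\\inetsrv beside legitimate ones.
The config below is a constructed excerpt; the allowlist is a short illustrative
baseline, not a complete list of IIS modules.
"""
import xml.etree.ElementTree as ET

# Illustrative subset of stock IIS native modules. A real baseline should be
# exported from a known-clean server running the same IIS version.
KNOWN_MODULES = {
    "CacheUriModule", "StaticFileModule", "DefaultDocumentModule",
    "RequestFilteringModule", "AnonymousAuthenticationModule",
}
# Accepted locations for module images (compared case-insensitively).
INETSRV_PREFIXES = ("%windir%\\system32\\inetsrv\\", "c:\\windows\\system32\\inetsrv\\")

# Constructed excerpt. "ExampleHelperModule" is a placeholder for an unknown
# module dropped into inetsrv; the DefaultDocumentModule entry impersonates a
# known name but points outside the directory.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="CacheUriModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
      <add name="ExampleHelperModule" image="%windir%\System32\inetsrv\examplehelper.dll" />
      <add name="DefaultDocumentModule" image="C:\inetpub\temp\defdoc.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def normalize(image: str) -> str:
    """Lower-case a path and use backslashes so prefix checks are uniform."""
    return image.strip().replace("/", "\\").lower()


def audit_global_modules(config_text: str) -> list:
    """Return (name, image, reason) for every global module that fails a check."""
    root = ET.fromstring(config_text)
    section = next(root.iter("globalModules"), None)
    findings = []
    if section is None:
        return findings
    for add in section.findall("add"):
        name = add.get("name", "")
        image = add.get("image", "")
        if name not in KNOWN_MODULES:
            findings.append((name, image, "module name not in baseline"))
        if not normalize(image).startswith(INETSRV_PREFIXES):
            findings.append((name, image, "image outside inetsrv directory"))
    return findings


if __name__ == "__main__":
    for name, image, reason in audit_global_modules(SAMPLE_CONFIG):
        print(f"{reason}: {name} -> {image}")
```

On a live server the same list can be pulled with `appcmd list modules` or the WebAdministration cmdlet `Get-WebGlobalModule`, and each image should additionally be checked for a valid Authenticode signature (`Get-AuthenticodeSignature`) and compared by hash against the baseline, since name and path alone can both be forged.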
SEO Manipulation and Backlinking
GhostRedirector aims to manipulate Google search rankings for specific third-party websites through deceptive SEO techniques, such as generating artificial backlinks from legitimate, compromised sites to the targeted websites. While the exact destinations of these backlinks remain unclear, it is suspected that they are used to promote various gambling websites.
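Since the injected backlinks are only served to the crawler, a site owner can look for them by requesting the same page with an ordinary browser User-Agent and with a Googlebot User-Agent and comparing the outbound links. The following is an added example, not part of the ESET report: it extracts external link hosts from two constructed HTML responses and reports the hosts present only in the crawler copy (the .invalid hostnames are placeholders); fetch_pair() performs the two requests against a server you operate and is not called at import time.

```python
"""Spot crawler-only links (search-engine cloaking) on a site you operate.

Added example, not from the ESET report. It compares outbound links in the
page served to an ordinary browser with those served to a Googlebot
User-Agent; hosts appearing only in the crawler copy are the injected
backlinks. The HTML below is constructed and the .invalid hostnames are
placeholders. fetch_pair() is for a live check of your own server.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import urllib.request

BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkCollector(HTMLParser):
    """Collect href values of <a> tags, including ones inside hidden containers."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for key, value in attrs:
                if key.lower() == "href" and value:
                    self.hrefs.append(value)


def external_hosts(html: str, own_host: str) -> set:
    """Hosts linked from the page other than the site itself (relative links ignored)."""
    parser = LinkCollector()
    parser.feed(html)
    hosts = set()
    for href in parser.hrefs:
        netloc = urlparse(href).netloc.lower()
        if netloc and netloc != own_host.lower():
            hosts.add(netloc)
    return hosts


def crawler_only_hosts(browser_html: str, crawler_html: str, own_host: str) -> set:
    """Hosts the crawler copy links to that the browser copy does not."""
    return external_hosts(crawler_html, own_host) - external_hosts(browser_html, own_host)


def fetch_pair(url: str, timeout: int = 15) -> tuple:
    """Fetch url once per User-Agent and return (browser_html, crawler_html)."""
    bodies = []
    for ua in (BROWSER_UA, GOOGLEBOT_UA):
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            bodies.append(resp.read().decode("utf-8", errors="replace"))
    return tuple(bodies)


# Constructed responses for the same URL on a hypothetical compromised host.
BROWSER_HTML = """<html><body>
<a href="/about">About</a>
<a href="https://www.example.com/news">News</a>
<a href="https://partner.example/">Partner</a>
</body></html>"""

CRAWLER_HTML = """<html><body>
<a href="/about">About</a>
<a href="https://www.example.com/news">News</a>
<a href="https://partner.example/">Partner</a>
<div style="display:none">
<a href="https://bet-site-1.invalid/">best odds</a>
<a href="http://bet-site-2.invalid/promo">bonus</a>
</div>
</body></html>"""

if __name__ == "__main__":
    injected = crawler_only_hosts(BROWSER_HTML, CRAWLER_HTML, "www.example.com")
    print("crawler-only link hosts:", sorted(injected))
```

This probe only catches cloaking keyed on the User-Agent header; the article does not say how Gamshen recognises Googlebot, and a module that also verifies the client's source address would serve the clean page to a workstation. Google Search Console's URL Inspection tool, which shows the page as Google actually fetched it, is the complementary check for that case.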
In addition to Rungan and Gamshen, several other tools have been deployed, including:
- GoToHTTP: Establishes a remote connection accessible via a web browser.
- BadPotato or EfsPotato: Creates a privileged user within the Administrators group.
- Zunput: Collects information about websites hosted on the IIS server and deploys ASP, PHP, and JavaScript web shells.
With medium confidence, it is assessed that GhostRedirector is aligned with a China-based threat actor, supported by the presence of hard-coded Chinese strings in the source code, a code-signing certificate issued to a Chinese company, Shenzhen Diyuan Technology Co., Ltd., and the use of the password “huang” for one of the accounts created by GhostRedirector on the compromised servers.
This is not the first instance of a China-linked threat actor utilizing malicious IIS modules for SEO fraud. Over the past year, cybersecurity firms Cisco Talos and Trend Micro have reported on a Chinese-speaking group known as DragonRank, which has also engaged in SEO manipulation through BadIIS malware.
As Tavella notes, “Gamshen exploits the credibility of the websites hosted on the compromised server to promote a third-party gambling website—potentially a paying client participating in an SEO fraud as-a-service scheme.” GhostRedirector exemplifies persistence and operational resilience by deploying multiple remote access tools on compromised servers and creating rogue user accounts to maintain long-term access to the affected infrastructure.