New China-aligned crew poisons Windows servers for SEO fraud

Emergence of GhostRedirector: A New Cyber Threat

A recently identified cybercrime group, GhostRedirector, has successfully infiltrated at least 65 Windows servers across the globe, as revealed by a June internet scan conducted by ESET researchers. This group has employed previously undocumented malware to enhance the search engine rankings of various gambling sites on Google.

The onset of these infections traces back to December, although ESET’s threat intelligence team suggests that GhostRedirector may have been operational since at least August 2024. The group utilizes a range of custom tools, including two novel malware variants named Rungan and Gamshen. Rungan acts as a passive C++ backdoor, while Gamshen functions as a malicious Internet Information Services (IIS) trojan designed to manipulate Google search results, facilitating SEO fraud.

Victimized websites present altered versions of their pages to Googlebot, strategically designed to elevate the rankings of specific gambling sites. This manipulation often involves the inclusion of fake backlinks, misleading Google into believing that these sites are highly endorsed by others.

While the majority of the compromised servers are located in Brazil, Peru, Thailand, Vietnam, and the United States, researcher Fernando Tavella noted that GhostRedirector appears to be particularly focused on targets in South America and South Asia. Interestingly, the group does not seem to confine its attacks to any specific industry, with victims spanning sectors such as education, healthcare, insurance, transportation, technology, and retail.

ESET researchers suspect that the initial breach was facilitated through an SQL injection vulnerability. Following this, the attackers leveraged PowerShell to download Windows privilege escalation tools, droppers, and the two primary payloads, Rungan and Gamshen, from a single server identified as 868id[.]com.

The privilege escalation tools are believed to be derived from publicly available exploits known as EfsPotato and BadPotato, which are popular among Chinese-speaking hackers. Notably, some of these tools were found to be validly signed with a code-signing certificate issued by TrustAsia RSA Code Signing CA G3, linked to Shenzhen Diyuan Technology. These tools enable the attackers to create or modify user accounts on the compromised servers, adding them to the administrators group, thereby ensuring continued privileged access.

Among the arsenal of tools employed by GhostRedirector is Comdai, a custom library that offers various backdoor-like functionalities, including network communication, admin-user creation, file execution, directory listing, and manipulation of services and Windows registry keys. Additionally, ESET documented another custom tool named Zunput, which collects information about active websites capable of executing dynamic content. Zunput gathers data such as the physical path on the server, site name, IP address, and hostname before deploying a webshell.

Ultimately, the attackers deploy the Rungan and Gamshen payloads. Rungan executes a series of backdoor commands on the compromised server, while Gamshen provides SEO fraud-as-a-service: it raises the rankings of gambling sites by altering the server's responses only when the requester is Googlebot, benefiting a third-party site that may be compensating the attackers.

In Tavella’s words, “The response is modified based on data requested dynamically from Gamshen’s C&C server. By doing this, GhostRedirector attempts to manipulate the Google search ranking of a specific, third-party website, using deceptive SEO techniques such as creating artificial backlinks from the legitimate, compromised website to the target website.”
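Because Gamshen only rewrites responses for Googlebot, a site owner can surface this kind of cloaking by comparing what the server returns to an ordinary browser with what it returns when the request identifies as Googlebot. The following Python is an added illustration of that check, not ESET's code or any GhostRedirector component; the two HTML responses are constructed samples and the hostnames are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# In a live check you would request the same URL twice, once with a normal
# browser User-Agent and once with Googlebot's
# ("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
# then pass both bodies to cloaking_diff(). Here the bodies are constructed.

class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None

def outbound_links(html, site_host):
    """Set of (host, anchor_text) for links pointing off the site."""
    collector = _LinkCollector()
    collector.feed(html)
    return {(urlparse(href).netloc.lower(), text)
            for href, text in collector.links
            if urlparse(href).netloc and urlparse(href).netloc.lower() != site_host}

def cloaking_diff(normal_html, googlebot_html, site_host):
    """Outbound links served only to Googlebot: the injected 'backlinks'."""
    return outbound_links(googlebot_html, site_host) - outbound_links(normal_html, site_host)

# Constructed sample responses (placeholder hosts, not real captures).
NORMAL = """<html><body><h1>Clinic news</h1>
<a href="/about">About</a> <a href="https://partner.example.org/">Partner</a></body></html>"""
GOOGLEBOT = """<html><body><h1>Clinic news</h1>
<a href="/about">About</a> <a href="https://partner.example.org/">Partner</a>
<div style="display:none"><a href="https://casino.example.test/">best online casino</a>
<a href="https://bet.example.test/promo">slots bonus</a></div></body></html>"""

if __name__ == "__main__":
    for host, text in sorted(cloaking_diff(NORMAL, GOOGLEBOT, "clinic.example")):
        print(f"Googlebot-only outbound link: {host} ({text!r})")
```

Any host that appears only in the Googlebot response is worth checking against the site's own content; on a compromised server these will be the gambling domains the operation is promoting.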
