DragonRank: Black Hat SEO Strategy Targeting IIS Servers in Asia and Europe

Cisco Talos has documented a campaign, attributed to a simplified-Chinese-speaking actor, that manipulates search engine optimization (SEO) rankings across Asia and Europe. Talos tracks this black hat SEO operation as DragonRank. Its victimology is broad, spanning Thailand, India, Korea, Belgium, the Netherlands, and China.

DragonRank gains initial access by exploiting vulnerable web applications such as phpMyAdmin and WordPress, then drops the open-source ASPXspy web shell onto the compromised host. The web shell is used both to collect system information and to stage further tooling, including the PlugX backdoor and the BadIIS malware. According to Talos researcher Joey Chen, the group has compromised 35 Internet Information Services (IIS) servers this way and repurposed them to launch further attacks and distribute malicious payloads.

The end goal is to turn the IIS servers of legitimate corporate websites into unwitting intermediaries that boost the search visibility of fraudulent sites. The attackers do not alter search algorithms; they manipulate what those algorithms see. By serving search engine crawlers a different response from the one ordinary visitors receive (cloaking), a hijacked site lends its reputation and inbound links to whatever the attackers want ranked. Mapped to MITRE ATT&CK, the campaign combines initial access via exploitation of public-facing applications (T1190), persistence via web shell implantation (T1505.003), and credential access via credential-harvesting tools, which the group then uses to move laterally to additional servers.
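One way for a site owner to check whether their own IIS server is being used this way, as an added example that is not Talos's or any vendor's code: request the same URL once with a crawler User-Agent and once with a browser User-Agent, then diff the things cloaking usually changes, namely the page title and the set of external hosts the page links to. The User-Agent strings, the `acme-jewelers.example` site, and the two sample pages below are assumptions constructed for the example; a real check calls `check_site()` against a live URL.

```python
"""Cloaking check for a site suspected of hosting an SEO-fraud module.

Added example, not code from Cisco Talos or the DragonRank report.
The crawler view and the browser view of a clean site should agree on
title and outbound links; links that only the crawler sees are the
signature of the manipulation described in the article.
"""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed User-Agent strings: Googlebot's published UA and a generic browser.
CRAWLER_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
              "+http://www.google.com/bot.html)")
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")


class _LinkAndTitle(HTMLParser):
    """Collects the <title> text and every href of an <a> tag."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def summarize(html: str, site_host: str) -> dict:
    """Reduce a page to the features cloaking usually changes."""
    parser = _LinkAndTitle()
    parser.feed(html)
    external = set()
    for href in parser.hrefs:
        host = urlsplit(href).netloc.lower()
        if host and host != site_host.lower():   # ignore same-site links
            external.add(host)
    return {"title": parser.title.strip(), "external_hosts": external}


def cloaking_indicators(crawler_html: str, browser_html: str, site_host: str) -> dict:
    """Compare the crawler view with the browser view of the same URL."""
    crawler = summarize(crawler_html, site_host)
    browser = summarize(browser_html, site_host)
    injected = crawler["external_hosts"] - browser["external_hosts"]
    title_changed = crawler["title"] != browser["title"]
    return {
        "title_changed": title_changed,
        "crawler_only_hosts": sorted(injected),
        "suspicious": title_changed or bool(injected),
    }


def fetch_view(url: str, user_agent: str, timeout: float = 10.0) -> str:
    """Fetch url with a chosen User-Agent (live check; not used by the sample)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def check_site(url: str) -> dict:
    """Run the comparison against a live site you are authorized to test."""
    host = urlsplit(url).netloc
    return cloaking_indicators(fetch_view(url, CRAWLER_UA),
                               fetch_view(url, BROWSER_UA), host)


# Constructed sample pages (not real captures): what a hijacked server might serve.
SAMPLE_BROWSER = """<html><head><title>Acme Jewelers</title></head>
<body><a href="https://www.acme-jewelers.example/rings">Rings</a></body></html>"""
SAMPLE_CRAWLER = """<html><head><title>Best Online Casino Bonus 2024</title></head>
<body><a href="https://www.acme-jewelers.example/rings">Rings</a>
<a href="https://casino-promo.example/">casino</a>
<a href="https://pills-cheap.example/buy">buy now</a></body></html>"""

if __name__ == "__main__":
    print(cloaking_indicators(SAMPLE_CRAWLER, SAMPLE_BROWSER,
                              "www.acme-jewelers.example"))
```

Because a module that only cloaks for crawlers will serve the clean page to everything else, a scanner run from a browser, or from a security tool with a browser-like User-Agent, sees nothing wrong; the crawler-UA request is the part that matters. A site that also varies content by client IP (checking against published crawler IP ranges) will not be caught by a User-Agent swap alone, so a negative result is not proof of a clean server.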

ESET researcher Zuzana Hromcova, whose earlier work documented native IIS malware, has highlighted the versatility of this class of malware: it can recognize or imitate legitimate search engine crawler traffic to evade detection and circumvent security measures. The threat is significant not only because of the technical sophistication but because the victims span diverse sectors, including jewelry, media, healthcare, and even spiritual organizations.

DragonRank does not stop at the initial breach. Using PlugX and a set of credential-harvesting tools, the group pivots from the first compromised host to additional servers on the same network. This combination of lateral movement and persistence is the mark of an adversary intent on keeping its foothold in the environment.

The compromised IIS servers are also used for proxyware and SEO fraud, turning them into relay points for malicious traffic. On the SEO side, that lets the actors siphon traffic from legitimate sites, suppress the visibility of competitors, or promote their own illicit ventures.

Talos also found the operators active on Telegram and QQ, where they transact with clients who want to buy SEO fraud. Chen notes that the service is sold as tailored marketing: clients specify the keywords and sites they want promoted, a business-like model that mirrors a legitimate marketing agency.

For defenders, the practical lesson is that an unpatched phpMyAdmin or WordPress instance on the same host as an IIS site is enough to hand the server to an actor like this. Regular audits of public-facing web applications, monitoring for web shells and unauthorized changes to the IIS configuration, and periodically checking that search engine crawlers receive the same content as ordinary visitors are the controls that counter this kind of scheme. The campaign is a reminder that web infrastructure, not just endpoints, needs the same vigilance against evolving threats.
