DragonRank’s Black Hat SEO Targeting IIS Servers in Asia & Europe

SeniorTechInfo

A new campaign targeting multiple countries in Asia and Europe with the goal of search engine optimization (SEO) rank manipulation has been linked to a “simplified Chinese-speaking actor.” This cluster of black hat SEO activities has been codenamed DragonRank by Cisco Talos, with victims in Thailand, India, Korea, Belgium, the Netherlands, and China.

According to security researcher Joey Chen, “DragonRank exploits targets’ web application services to deploy a web shell, collect system information, and launch malware like PlugX and BadIIS, running various credential-harvesting utilities.”

The attacks have compromised 35 Internet Information Services (IIS) servers, with the aim of deploying the BadIIS malware, first documented by ESET in August 2021.

The goal is to facilitate proxyware and SEO fraud by turning compromised IIS servers into relay points for malicious communications and by manipulating search engine algorithms to boost the ranking of specific websites of interest to the attackers.

Zuzana Hromcova, another security researcher, highlighted the versatility of IIS malware in SEO fraud schemes, demonstrating the group’s capability to manipulate search engine algorithms successfully.

The latest attacks witnessed a wide range of targets across various industry verticals, including jewelry, media, healthcare, manufacturing, sports, and more.

The attackers exploit security flaws in web applications like phpMyAdmin and WordPress to drop the ASPXspy web shell, paving the way for additional tools to infiltrate the targets’ environment. The main objective is to compromise IIS servers hosting corporate websites and use them for unauthorized activities, including keyword-based scams.

Moreover, the malware can impersonate the Google search engine crawler to evade security measures, indicating a sophisticated level of operation.
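
A Googlebot User-Agent string is only a claim, so a defender can confirm it with the reverse-then-forward DNS check that Google documents for its crawlers. The sketch below is an added example, not code from the article or from Cisco Talos; the log entry layout, addresses and hostnames are constructed, and the resolver functions are injectable so the sample runs offline.

```python
import socket

# Domains used by Googlebot's reverse-DNS names.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

def dns_reverse(ip):
    """PTR lookup; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def dns_forward(host):
    """All addresses the hostname resolves to; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def is_verified_googlebot(ip, reverse=dns_reverse, forward=dns_forward):
    """True only if the PTR name is under a Google domain AND resolves back to ip."""
    host = (reverse(ip) or "").rstrip(".").lower()
    if not host.endswith(GOOGLE_SUFFIXES):
        return False  # no PTR, or PTR outside Google's crawler domains
    return ip in forward(host)  # a sender can fake its PTR, not Google's forward zone

def spoofed_googlebot_hits(entries, reverse=dns_reverse, forward=dns_forward):
    """Log entries whose User-Agent claims Googlebot but whose IP fails the check."""
    verdicts, flagged = {}, []
    for entry in entries:
        if "googlebot" not in entry["ua"].lower():
            continue
        ip = entry["ip"]
        if ip not in verdicts:  # one DNS round trip per distinct client
            verdicts[ip] = is_verified_googlebot(ip, reverse, forward)
        if not verdicts[ip]:
            flagged.append(entry)
    return flagged

# Constructed sample data (documentation address ranges, not from the article).
GB_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
              "203.0.113.5": "crawl-203-0-113-5.googlebot.com"}  # sender-controlled PTR
SAMPLE_A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"}}    # only the first confirms
SAMPLE_LOG = [{"ip": "192.0.2.10", "ua": GB_UA}, {"ip": "203.0.113.5", "ua": GB_UA},
              {"ip": "198.51.100.7", "ua": GB_UA}, {"ip": "198.51.100.8", "ua": "curl/8.5"}]

if __name__ == "__main__":
    for hit in spoofed_googlebot_hits(SAMPLE_LOG, SAMPLE_PTR.get, lambda h: SAMPLE_A.get(h, set())):
        print("unverified Googlebot claim from", hit["ip"])
```

Called without the resolver arguments, the functions perform live DNS lookups, so results for high-volume logs should be cached.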

DragonRank goes beyond traditional black hat SEO tactics by attempting to breach more servers within the target’s network and maintain control using backdoors and credential-harvesting tools.





The malware uses advanced techniques to evade detection, and evidence suggests the threat actor operates on messaging platforms like Telegram and QQ to conduct illegal transactions with clients.

DragonRank offers customized promotional plans to clients, tailoring strategies based on keywords and target websites to manipulate search engine rankings for fraudulent gains.
