Article Details

Original Article Text

China-aligned crew poisons Windows servers to manipulate Google results

Defrauding search with custom malware, Potato-family exploits

A new China-aligned cybercrime crew named GhostRedirector has compromised at least 65 Windows servers worldwide - spotted in a June internet scan - using previously undocumented malware to juice gambling sites' rankings in Google search, according to ESET researchers.

The infections began in December, although other related malware samples indicate the group has been active since at least August 2024, the security firm's threat intel team noted.

GhostRedirector uses a variety of custom tools, including two never-seen-before pieces of malware that the researchers dubbed Rungan, a passive C++ backdoor, and Gamshen, a malicious Internet Information Services (IIS) module that manipulates Google search results for Search Engine Optimization (SEO) fraud. The victim sites then show Googlebot versions of their web pages that help certain gambling sites gain rank. For example, the pages may include fake backlinks to those gambling domains, fooling everyone's favorite search engine into thinking that those sites are highly recommended by others.

While most of the infected servers are in Brazil, Peru, Thailand, Vietnam, and the US, "we believe that GhostRedirector was more interested in targeting victims in South America and South Asia," malware researcher Fernando Tavella said in a Thursday report. Plus, he added, the gang doesn't appear to target a particular sector, with victims from this campaign including education, healthcare, insurance, transportation, technology, and retail organizations.

The researchers suspect the criminals gained initial access by exploiting a probable SQL injection bug. They then used PowerShell to download Windows privilege escalation tools, droppers, and the two final payloads, Rungan and Gamshen, all from the same server: 868id[.]com.

ESET estimates the privilege escalation tools are based on the public EfsPotato and BadPotato exploits - potato-family escalation tools are popular among Chinese-speaking hackers - and notes that some samples were validly signed with a code-signing certificate issued by TrustAsia RSA Code Signing CA G3 to Shenzhen Diyuan Technology. These tools create or modify a user account on the compromised server and add it to the administrators group, which ensures the attackers can continue to execute privileged operations on the infected machine.

Also among these tools is Comdai, another custom library with a bundle of backdoor-like capabilities, including network communication, admin-user creation, file execution, directory listing, and manipulation of services and Windows registry keys.

During these attacks, ESET also documented another custom website information collector and dropper the team used, named Zunput. It checks for active websites capable of executing dynamic content and collects information about them, including the physical path on the server, site name, IP address, and hostname, before dropping a webshell.

Finally, the attackers drop the Rungan and Gamshen payloads. Rungan executes a series of backdoor commands on the compromised server, while Gamshen enables SEO fraud as-a-service. This particular operation appears to boost gambling sites' rankings by modifying responses only for Googlebot, benefiting a third-party site that is potentially a paying client, per ESET. "The response is modified based on data requested dynamically from Gamshen's C&C server," Tavella wrote.

"By doing this, GhostRedirector attempts to manipulate the Google search ranking of a specific, third-party website, by using manipulative, shady SEO techniques such as creating artificial backlinks from the legitimate, compromised website to the target website."
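Because Gamshen alters a page only when the requester looks like Googlebot, a site owner can test for this kind of cloaking by fetching the same URL with a normal browser User-Agent and with a Googlebot User-Agent and diffing the outbound links. The script below is an added example, not code from the article or from ESET's research; the HTML responses and the hostnames in it are constructed for illustration.

```python
"""Compare a 'normal' and a 'Googlebot' fetch of one page and report
off-site anchors that appear only in the crawler-facing version, the
artificial-backlink pattern described in the article.

Added example with constructed inputs; in practice the two HTML strings
would be the bodies returned for the two User-Agent values.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect href targets from every <a> tag in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.add(value)


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.hrefs


def cloaked_backlinks(normal_html, googlebot_html, own_host):
    """Return, sorted, the external hrefs present only in the Googlebot fetch.

    Links common to both responses are ordinary content. Relative links and
    links back to own_host are ignored, since a backlink scheme needs the
    injected anchors to point at a third-party domain.
    """
    bot_only = extract_links(googlebot_html) - extract_links(normal_html)
    external = set()
    for href in bot_only:
        host = urlparse(href).hostname
        if host and host != own_host:
            external.add(href)
    return sorted(external)


# Constructed sample responses (hostnames are placeholders): the Googlebot
# version carries one injected off-site anchor and one harmless local link.
NORMAL = '<html><body><a href="/about">About</a><a href="https://example.org/">Home</a></body></html>'
BOT = NORMAL.replace(
    "</body>",
    '<a href="https://gambling-site.example/">bet</a><a href="/contact">Contact</a></body>',
)

if __name__ == "__main__":
    print(cloaked_backlinks(NORMAL, BOT, "example.org"))
```

A non-empty result for a page you did not change is a reason to inspect the IIS module list on that server rather than the page content, since the injection happens at response time.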

Daily Brief Summary

CYBERCRIME // GhostRedirector Cybercrime Group Manipulates Google Rankings with Malware

GhostRedirector, a China-aligned cybercrime group, has compromised 65 Windows servers globally, using custom malware to manipulate Google search rankings for gambling sites.

The group employs two newly identified malware strains, Rungan and Gamshen, to execute backdoor operations and SEO fraud, respectively.

Infections began in December, with initial access likely gained through SQL injection vulnerabilities, followed by privilege escalation using PowerShell and potato-family exploits.

The operation targets a broad range of sectors, including education, healthcare, and retail, with a geographical focus on South America and South Asia.

Attackers utilize tools like Comdai for backdoor capabilities and Zunput for website information collection, ensuring sustained access and manipulation.

ESET researchers discovered that some malware samples were signed with a certificate from TrustAsia RSA, indicating potential misuse of legitimate code-signing processes.

The campaign's primary goal is to enhance gambling sites' search rankings by creating deceptive backlinks, exploiting Google's SEO mechanisms for financial gain.