DragonRank Launches Black Hat SEO Campaign Targeting IIS Servers in Asia and Europe

A Chinese-speaking threat actor, codenamed DragonRank, has been linked to a new black hat SEO campaign targeting Internet Information Services (IIS) servers across Asia and Europe, aiming to manipulate search engine rankings for malicious purposes. Cisco Talos uncovered this campaign, which affects sectors including media, healthcare, manufacturing, IT services, and more, in countries like Thailand, India, Korea, Belgium, and China.

  • Exploitation of IIS Servers: DragonRank exploits security vulnerabilities in web applications such as phpMyAdmin and WordPress, deploying the ASPXspy web shell to compromise IIS servers hosting corporate websites. The web shell then enables the attackers to launch further malicious tools like PlugX and BadIIS.
  • BadIIS Malware Deployment: The BadIIS malware repurposes compromised servers as proxies for black hat SEO activities, manipulating search engine algorithms to artificially boost the ranking of fraudulent or malicious websites.
  • SEO Fraud Scheme: DragonRank manipulates search engine ranking algorithms to drive traffic to malicious sites, inflate or deflate competitor rankings, and enhance the visibility of scam content, such as websites promoting pornographic material.
  • PlugX Backdoor and Credential Harvesting: To maintain control, DragonRank uses PlugX malware, a tool popular among Chinese threat actors, alongside credential-harvesting utilities like Mimikatz, PrintNotifyPotato, and BadPotato. This allows them to breach additional servers within the target’s network.
  • Masquerading as Google Search Engine Crawler: The malware mimics the Google search engine crawler using a falsified User-Agent string, allowing it to bypass certain security measures on websites, facilitating deeper infiltration.
  • Illegal Business Operations via Telegram and QQ: DragonRank offers its illicit SEO services via platforms like Telegram and QQ, providing custom promotional strategies for paying clients, who can submit keywords and websites they want to promote.
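
For the falsified Googlebot User-Agent described above, a site operator can check IIS W3C logs for requests that claim to be Googlebot but fail forward-confirmed reverse DNS, the check Google documents for verifying its crawler. This is an added example, not code from Cisco Talos or Net Protector; the function names, log lines and DNS table are constructed for illustration, and the live resolver handles IPv4 only.

```python
import socket

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")  # domains Google documents for crawler PTRs

def system_resolver(ip):
    """Live DNS: return (PTR name, IPv4 addresses that name resolves back to)."""
    try:
        name = socket.gethostbyaddr(ip)[0]
        return name, socket.gethostbyname_ex(name)[2]
    except OSError:  # no PTR record, or the PTR name does not resolve
        return None, []

def is_verified_googlebot(ip, resolve=system_resolver):
    """Forward-confirmed reverse DNS: the PTR must be Google's AND map back to ip."""
    name, forward = resolve(ip)
    if not name:
        return False
    return name.rstrip(".").lower().endswith(GOOGLE_SUFFIXES) and ip in forward

def parse_w3c(lines):
    """Yield one dict per IIS W3C log entry, keyed by the names in #Fields."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def spoofed_googlebot_hits(lines, resolve=system_resolver):
    """Return (client IP, path) for requests whose Googlebot User-Agent fails the DNS check."""
    return [(r.get("c-ip", ""), r.get("cs-uri-stem", "")) for r in parse_w3c(lines)
            if "googlebot" in r.get("cs(User-Agent)", "").lower()
            and not is_verified_googlebot(r.get("c-ip", ""), resolve)]

# Constructed sample data (documentation-range IPs, not real traffic or real DNS).
BOT_UA = "Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html)"
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs(User-Agent) sc-status",
    f"2024-01-01 08:01:02 198.51.100.20 GET /news/ {BOT_UA} 200",
    f"2024-01-01 08:01:09 203.0.113.45 GET /products/ {BOT_UA} 200",
    f"2024-01-01 08:01:12 192.0.2.10 GET /login/ {BOT_UA} 200",
    "2024-01-01 08:01:15 198.51.100.7 GET /about/ Mozilla/5.0+(Windows+NT+10.0) 200",
]
SAMPLE_DNS = {
    "198.51.100.20": ("crawl-198-51-100-20.googlebot.com", ["198.51.100.20"]),
    "192.0.2.10": ("crawl-192-0-2-10.googlebot.com", ["192.0.2.99"]),  # PTR set by IP owner
}

if __name__ == "__main__":
    print(spoofed_googlebot_hits(SAMPLE_LOG, lambda ip: SAMPLE_DNS.get(ip, (None, []))))
```

The third sample request shows why the forward lookup matters: whoever controls an IP block can publish a PTR record ending in googlebot.com, but cannot make Google's zone resolve that name back to their address.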

Net Protector Cyber Security continues to monitor such evolving threats and recommends businesses adopt NPAV Endpoint Security to safeguard against advanced malware like BadIIS and PlugX.