
"A new China-aligned cybercrime crew named GhostRedirector has compromised at least 65 Windows servers worldwide - spotted in a June internet scan - using previously undocumented malware to juice gambling sites' rankings in Google search, according to ESET researchers. The infections began in December, although other related malware samples indicate the group has been active since at least August 2024, the security firm's threat intel team noted."
"GhostRedirector uses a variety of custom tools, including two never-seen-before pieces of malware that the researchers dubbed Rungan, which is a passive C++ backdoor, and Gamshen, a malicious Internet Information Services (IIS) trojan that manipulates Google search results for Search Engine Optimization (SEO) fraud. The victim sites then show versions of their web pages to Googlebot that would help certain gambling sites gain rank."
"The researchers suspect the criminals gained initial access by exploiting a probable SQL injection bug. They then used PowerShell to download Windows privilege escalation tools, droppers, and the two final payloads, Rungan and Gamshen, all from the same server: 868id[.]com. ESET estimates the privilege escalation tools are based on public EfsPotato and BadPotato exploits - these potato-family escalation tools are popular among Chinese-speaking hackers - and notes"
A China-aligned crew named GhostRedirector compromised at least 65 Windows servers worldwide beginning in December, with related samples indicating activity since August 2024. The group deployed previously undocumented malware including Rungan, a passive C++ backdoor, and Gamshen, an IIS trojan that serves altered pages to Googlebot to promote certain gambling sites via fake backlinks and SEO fraud. Most infections were found in Brazil, Peru, Thailand, Vietnam, and the US, with targeting focused on South America and South Asia across multiple sectors. Initial access likely exploited a SQL injection vulnerability; attackers used PowerShell to retrieve droppers, privilege escalation tools, and payloads from 868id[.]com. Privilege escalation techniques resembled public EfsPotato and BadPotato exploits.
Read at The Register