DragonRank Black Hat SEO Campaign Targeting IIS Servers Across Asia and Europe

A "simplified Chinese-speaking actor" has been linked to a new campaign that has targeted multiple countries across Asia and Europe with the ultimate goal of search engine optimization (SEO) rank manipulation.

The black hat SEO cluster has been codenamed DragonRank by Cisco Talos, with a victimology footprint that spans Thailand, India, Korea, Belgium, the Netherlands, and China.

"DragonRank exploits targets' web application services to deploy a web shell and utilizes it to collect system information and launch malware such as PlugX and BadIIS, running various credential-harvesting utilities," security researcher Joey Chen said.

The attacks have led to the compromise of 35 Internet Information Services (IIS) servers with the ultimate aim of deploying the BadIIS malware, which was first documented by ESET in August 2021.

It is specifically designed to facilitate proxyware and SEO fraud by turning the compromised IIS server into a relay point for malicious communications between its clients (i.e., other threat actors) and their victims.

On top of that, it can alter the content served to search engine crawlers, manipulating search engine algorithms to boost the ranking of other websites of interest to the attackers.
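Because the modified content is served only when the request looks like it comes from a crawler, the site owner browsing their own pages sees nothing wrong. A practical check for this kind of cloaking is to fetch the same URL twice from outside the server, once with a browser User-Agent and once with a crawler User-Agent, and diff the links in the two responses. The script below is an added example written for this article, not code from Cisco Talos or ESET; the two HTML documents are constructed samples standing in for the two responses, and the hidden `div` with off-site "keyword" links is a hypothetical illustration of injected SEO content, not a reproduction of BadIIS output.

```python
from html.parser import HTMLParser
from typing import Optional
import urllib.request


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._href = href
                self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace in the anchor text so diffs are stable
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html: str) -> list[tuple[str, str]]:
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def injected_links(browser_html: str, crawler_html: str) -> list[tuple[str, str]]:
    """Links present in the crawler-facing response but absent from the browser one.

    Order follows the crawler page; a non-empty result means the server is
    serving different link content depending on the User-Agent (cloaking).
    """
    seen_by_browser = set(extract_links(browser_html))
    return [link for link in extract_links(crawler_html) if link not in seen_by_browser]


def fetch(url: str, user_agent: str, timeout: float = 10.0) -> str:
    """Fetch url once with the given User-Agent. Needs network; unused by the offline sample."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


# Constructed sample responses (not captured from a real compromised server).
BROWSER_HTML = """<html><body>
<h1>Acme Jewelry</h1>
<a href="/catalog">Catalog</a>
<a href="https://social.example/acme">Follow us</a>
</body></html>"""

# Same page as a crawler would receive it, with a hidden block of off-site links
# appended; the hostnames and anchor texts are placeholders.
CRAWLER_HTML = BROWSER_HTML.replace("</body>", """<div style="display:none">
<a href="http://promo-one.example/">keyword one</a>
<a href="http://promo-two.example/offer">keyword two</a>
</div></body>""")


if __name__ == "__main__":
    # Live usage would be:
    #   browser = fetch(url, "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0")
    #   crawler = fetch(url, "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)")
    for href, text in injected_links(BROWSER_HTML, CRAWLER_HTML):
        print(f"crawler-only link: {href!r} ({text!r})")
```

Run the comparison from a host outside the affected network, since the implant sits in the IIS request pipeline and will happily cloak requests from localhost too. An empty result does not prove the server is clean: some IIS malware keys on Referer or on specific crawler IP ranges rather than the User-Agent alone, so repeat the check with a few crawler identities and compare page text, not just links.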

"One of the most surprising aspects of the investigation is how versatile IIS malware is, and the [detection of] SEO fraud criminal scheme, where malware is misused to manipulate search engine algorithms and help boost the reputation of third-party websites," security researcher Zuzana Hromcova told The Hacker News at the time.

The latest set of attacks highlighted by Talos spans a broad spectrum of industry verticals, including jewelry, media, research services, healthcare, video and television production, manufacturing, transportation, religious and spiritual organizations, IT services, international affairs, agriculture, sports, and feng shui.

The attack chains begin by exploiting known vulnerabilities in web applications such as phpMyAdmin and WordPress to drop the open-source ASPXspy web shell, which then serves as a conduit for installing additional tools in the targets' environment.

The core objective of the campaign is to compromise the IIS servers hosting corporate websites, abuse them to install the BadIIS malware, and effectively repurpose them as a launchpad for scam operations built around keywords related to porn and sex.

Another key feature of the malware is its ability to masquerade as the Google search engine crawler in its User-Agent string when it relays the connection to the command-and-control (C2) server, thereby allowing it to bypass some website security measures.
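The lesson for defenders is that the User-Agent string is entirely attacker-controlled: any firewall rule, rate limit or cloaking check that allowlists "Googlebot" on the header alone can be walked through by a bot that simply copies the string. Google's published guidance is to verify a claimed crawler by reverse DNS on the source IP, checking that the PTR name falls under a Google crawler domain, and then forward-resolving that name to confirm it maps back to the same IP. The following is an added example written for this article, not code from Talos or from the malware; the DNS tables are constructed test data (one genuine-looking crawler address, one forged PTR that fails the forward check, one ordinary VPS), and the domain list is an assumption that should be checked against Google's current documentation.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Domains under which Google documents its crawler reverse-DNS names.
# Assumption for this example; confirm against Google's current guidance.
GOOGLE_CRAWLER_DOMAINS = ("googlebot.com", "google.com")

# Constructed sample DNS data (not real lookups):
#   66.249.66.1   -> PTR under googlebot.com that forward-resolves back (genuine)
#   203.0.113.10  -> forged PTR pointing at a googlebot.com name (fails forward check)
#   198.51.100.7  -> ordinary host spoofing the Googlebot User-Agent
SAMPLE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "203.0.113.10": "crawl-66-249-66-1.googlebot.com",
    "198.51.100.7": "vps-7.example.net",
}
SAMPLE_A = {
    "crawl-66-249-66-1.googlebot.com": {"66.249.66.1"},
    "vps-7.example.net": {"198.51.100.7"},
}

ReverseFn = Callable[[str], Optional[str]]
ForwardFn = Callable[[str], set[str]]


def sample_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def sample_forward(host: str) -> set[str]:
    return SAMPLE_A.get(host, set())


def live_reverse(ip: str) -> Optional[str]:
    """PTR lookup against real DNS (network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_forward(host: str) -> set[str]:
    """All A/AAAA addresses for host against real DNS (network)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()


def claims_googlebot(user_agent: str) -> bool:
    return "googlebot" in user_agent.lower()


def is_verified_googlebot(ip: str, reverse: ReverseFn = live_reverse,
                          forward: ForwardFn = live_forward) -> bool:
    """Reverse-then-forward DNS check; True only if both legs agree."""
    ipaddress.ip_address(ip)  # reject junk before it reaches the resolver
    ptr = reverse(ip)
    if not ptr:
        return False
    name = ptr.rstrip(".").lower()
    under_google = any(name == d or name.endswith("." + d) for d in GOOGLE_CRAWLER_DOMAINS)
    if not under_google:
        return False
    # The forward lookup must contain the original IP, or the PTR was forged.
    return ip in forward(name)


def classify_request(ip: str, user_agent: str, reverse: ReverseFn = live_reverse,
                     forward: ForwardFn = live_forward) -> str:
    """'ordinary', 'verified-googlebot' or 'spoofed-googlebot' for one request."""
    if not claims_googlebot(user_agent):
        return "ordinary"
    return "verified-googlebot" if is_verified_googlebot(ip, reverse, forward) else "spoofed-googlebot"


if __name__ == "__main__":
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    for ip in SAMPLE_PTR:
        print(ip, classify_request(ip, ua, sample_reverse, sample_forward))
```

The same check belongs on the outbound side: an IIS server that originates its own HTTP requests with a Googlebot User-Agent is itself a signal, because a web server has no reason to crawl anything. Google also publishes its crawler IP ranges as JSON, which is cheaper than two DNS lookups per request and can be cached; use the DNS check for anything outside those ranges.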

"The threat actor engages in SEO manipulation by altering or exploiting search engine algorithms to improve a website's ranking in search results," Chen added. "They conduct these attacks to drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings."

One important way DragonRank distinguishes itself from other black hat SEO cybercrime groups is in how it attempts to breach additional servers within the target's network and maintain control over them using PlugX, a backdoor widely shared among Chinese threat actors, and various credential-harvesting tools such as Mimikatz, PrintNotifyPotato, BadPotato, and GodPotato.

While the PlugX malware used in the attacks relies on DLL side-loading techniques, the loader DLL responsible for launching the encrypted payload uses the Windows Structured Exception Handling (SEH) mechanism in an attempt to ensure that the legitimate file (i.e., the binary susceptible to DLL side-loading) can load PlugX without tripping any alarms.

Evidence uncovered by Talos points to the threat actor maintaining a presence on Telegram under the handle "tttseo" and on the QQ instant messaging service to conduct illicit business with paying customers.

"These adversaries also offer seemingly quality customer service, tailoring promotional plans to best fit their clients' needs," Chen noted.

"Customers may provide the keywords and websites they desire to promote, and DragonRank designs a plan matched to these parameters. The business also specializes in tailoring promotions to certain regions and languages, offering a tailored and complete approach to internet marketing."
