Chinese-Speaking Hackers Manipulate SEO Rankings Globally
Cybercrime, Fraud Management & Cybercrime
Threat Actor Advertises SEO Services in Chinese and English
A Chinese SEO operation hacked more than 35 web servers and stole credentials in a campaign to boost the online rankings of malicious porn sites.
Researchers from Cisco Talos dubbed the threat cluster DragonRank and said that it advertises SEO services – legal and illegal – in Chinese and English. Its black-hat SEO offerings include compromising web servers, injecting hidden links or keywords into legitimate websites and creating backlinks to malicious sites. An online domain associated with the operation, tttseo.com, does not resolve to a website.
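The hidden-link injection described above is something a site owner can check for directly. The following scanner is an added example written for this article, not code from Cisco Talos or from the DragonRank toolset: it parses a page with the standard library HTML parser, tracks which elements are hidden by inline style or the `hidden` attribute, and reports anchors to external hosts that sit inside (or are themselves) a hidden element. The style patterns, the `site_host` parameter and the sample page are assumptions constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments commonly used to hide injected SEO links from human
# visitors while leaving them in the HTML for crawlers. Heuristic, not exhaustive.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px|em|rem|pt)?(?![.\d])"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px"
    r"|opacity\s*:\s*0(?:\.0+)?(?![.\d])",
    re.IGNORECASE,
)
# Elements that never get a closing tag; they must not be pushed on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


class HiddenLinkFinder(HTMLParser):
    """Collects <a href> targets to external hosts that are hidden, either by
    their own style/hidden attribute or by an enclosing hidden element."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []      # one bool per open element: is it (or a parent) hidden?
        self.findings = []   # (href, reason)

    @staticmethod
    def _hidden_reason(attrs):
        a = dict(attrs)
        if "hidden" in a:
            return "hidden attribute"
        m = HIDDEN_STYLE_RE.search(a.get("style") or "")
        return f"style '{m.group(0)}'" if m else None

    def _check(self, tag, attrs):
        reason = self._hidden_reason(attrs)
        parent_hidden = self.stack[-1] if self.stack else False
        hidden = bool(reason) or parent_hidden
        if tag == "a" and hidden:
            href = dict(attrs).get("href") or ""
            host = (urlparse(href).hostname or "").lower()
            # Hidden + external is the injection pattern; hidden same-site links
            # (collapsed menus, accessibility text) are usually legitimate.
            if host and not host.endswith(self.site_host):
                self.findings.append((href, reason or "inside hidden parent"))
        return hidden

    def handle_starttag(self, tag, attrs):
        hidden = self._check(tag, attrs)
        if tag not in VOID_TAGS:
            self.stack.append(hidden)

    def handle_startendtag(self, tag, attrs):
        self._check(tag, attrs)          # <x/> opens and closes at once

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()


def find_hidden_external_links(html, site_host):
    """Return [(href, reason)] for hidden links to hosts outside site_host."""
    p = HiddenLinkFinder(site_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page; the .invalid and example.* hosts are placeholders.
SAMPLE_PAGE = """<html><body>
<div class="nav" style="display:none"><a href="/menu">Menu</a></div>
<p>Welcome to our shop.<br></p>
<div style="position:absolute; left:-9999px">
  <a href="http://casino-example.invalid/play">casino online</a>
  <a href="http://adult-example.invalid/">xxx video</a>
</div>
<a href="http://partner.example.net" style="font-size:0px">partner</a>
<a href="http://other.example.org/">visible external link</a>
</body></html>"""

if __name__ == "__main__":
    for href, why in find_hidden_external_links(SAMPLE_PAGE, "shop.example"):
        print(f"{href}  ({why})")
```

Run it against a fetched copy of each page on the site (or against the files on disk, which also catches injection that is only served to crawler User-Agents if you compare both). Hidden same-site links are ignored deliberately; raise the bar further by whitelisting known partner domains.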
The backlinks artificially boost the search engine performance of the malicious sites, increasing the chances of unsuspecting users visiting them and being tricked into providing sensitive information or downloading malware. Web servers hacked during this campaign span the globe and include victims in Thailand, India, Korea, Belgium, the Netherlands and China.
DragonRank’s primary goal is to penetrate web servers and drop BadIIS malware – the IIS stands for Internet Information Services, Microsoft’s extensible web server – in order to carry out SEO manipulation. It hides communications to a command-and-control server by mimicking the Google search engine crawler in its User-Agent string.
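A crawler User-Agent string is trivial to forge, which is why Google documents a two-step verification for Googlebot: the reverse DNS name of the source IP must end in googlebot.com or google.com, and that name must resolve forward to the same IP. The following detector is an added example written for this article, not code from Cisco Talos or from the BadIIS malware. It applies that check to access-log lines in the common Apache/nginx "combined" format and flags requests that claim to be Googlebot but fail it. The log lines and DNS answers are constructed (203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation space; the DNS answers are stand-ins injected as functions so the example runs offline), and `live_reverse`/`live_forward` show the real lookups you would plug in instead.

```python
import re
import socket

# Apache/nginx "combined" log format; enough fields for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
GOOGLEBOT_UA_RE = re.compile(r"googlebot", re.IGNORECASE)
# Google's published verification rule: the PTR name of a genuine crawler ends
# in one of these domains and resolves forward to the same address.
GOOGLE_CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")


def verify_googlebot(ip, reverse_lookup, forward_lookup):
    """Two-step check: ip -> PTR name in a Google domain -> A/AAAA back to ip.
    reverse_lookup(ip) returns a hostname or raises OSError; forward_lookup(host)
    returns a list of IPs or raises OSError. Returns (ok, detail)."""
    try:
        host = reverse_lookup(ip)
    except OSError:
        return False, "no PTR record"
    host = host.lower().rstrip(".")
    if not host.endswith(GOOGLE_CRAWLER_SUFFIXES):
        return False, f"PTR {host} is not a Google crawler domain"
    try:
        addrs = forward_lookup(host)
    except OSError:
        return False, f"PTR {host} does not resolve forward"
    if ip not in addrs:
        return False, f"forward lookup of {host} does not return {ip}"
    return True, host


def scan_log(lines, reverse_lookup, forward_lookup):
    """Return [(ip, request, reason)] for requests whose User-Agent claims to be
    Googlebot but whose source fails verification. Other requests are ignored."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not GOOGLEBOT_UA_RE.search(m["ua"]):
            continue
        ok, detail = verify_googlebot(m["ip"], reverse_lookup, forward_lookup)
        if not ok:
            findings.append((m["ip"], m["req"], detail))
    return findings


# Real resolver functions for production use (not used by the offline demo).
def live_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def live_forward(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed sample data. 66.249.66.1 sits in a publicly documented Googlebot
# range; the other two addresses are RFC 5737 documentation space.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    f'66.249.66.1 - - [10/Sep/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "{GOOGLEBOT_UA}"',
    f'203.0.113.9 - - [10/Sep/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "{GOOGLEBOT_UA}"',
    '198.51.100.7 - - [10/Sep/2024:10:00:03 +0000] "GET /about HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/128.0"',
]
FAKE_PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com",
            "203.0.113.9": "vps-9.hosting-example.invalid"}
FAKE_A = {"crawl-66-249-66-1.googlebot.com": ["66.249.66.1"]}


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise OSError("no PTR")
    return FAKE_PTR[ip]


def fake_forward(host):
    if host not in FAKE_A:
        raise OSError("NXDOMAIN")
    return FAKE_A[host]


if __name__ == "__main__":
    for ip, req, why in scan_log(SAMPLE_LOG, fake_reverse, fake_forward):
        print(f"{ip} {req!r}: {why}")
```

For inbound traffic this separates real crawler visits from forged ones. For the C2 channel the article describes, the simpler check needs no DNS at all: an egress or proxy log entry in which one of your own web servers sends requests with a Googlebot User-Agent is anomalous by itself, since a web server does not crawl, and can be alerted on directly.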
Getting into servers begins with DragonRank hackers looking for vulnerabilities in web application services, such as phpMyAdmin and WordPress. They deploy a web shell and proceed to collect system information and download additional malware, using utilities such as Mimikatz, BadPotato and GodPotato. The hackers use credential harvesting tools to move laterally within networks. DragonRank’s malware arsenal includes PlugX, which uses DLL sideloading techniques and the Windows Structured Exception Handling mechanism to avoid detection. PlugX’s persistence within infected systems allows the group to maintain control without raising suspicion.
Cisco Talos linked DragonRank’s activities to Simplified Chinese-speaking threat actors who have found customers by advertising on legitimate websites. The threat actor also offers services for bulk posting on social media platforms, researchers said.