The DragonRank Black Hat SEO campaign, uncovered by Cisco Talos, has been targeting IIS servers across multiple countries in Asia and Europe to perform SEO rank manipulation for illicit purposes. This cyber espionage operation, attributed to a Chinese-speaking actor, exploits vulnerabilities in popular web applications such as phpMyAdmin and WordPress to deploy the ASPXspy web shell. The primary goal is to compromise Internet Information Services (IIS) servers hosting corporate websites, allowing the attackers to implant the BadIIS malware and repurpose the servers as a platform for black hat SEO activities.
Once compromised, the IIS servers are used to manipulate search engine algorithms by altering the content served to search engines. This tactic helps artificially boost the rankings of certain websites, driving traffic to fraudulent sites and increasing the visibility of illicit content. BadIIS, first documented by ESET in August 2021, is specifically designed to facilitate proxy ware and SEO fraud by turning compromised servers into relay points for malicious communications between threat actors and their victims. The campaign has affected industries ranging from healthcare and manufacturing to media and religious organizations.
One of the key techniques employed by DragonRank involves using malware to impersonate legitimate web crawlers, such as Google’s search engine crawler, to bypass security measures. The attackers also use a variety of credential-harvesting tools, including Mimikatz and various Potato exploits, to breach further servers within the target’s network. PlugX, a widely shared backdoor among Chinese threat actors, is another tool used in the campaign. PlugX relies on DLL side-loading to execute its payload stealthily, ensuring the malware goes undetected by security software.
DragonRank’s operations extend beyond technical exploitation, offering illegal SEO services through platforms like Telegram and QQ. Under the handle “tttseo,” the group provides tailored SEO fraud solutions to clients who submit keywords and websites for promotion. DragonRank develops customized strategies, ensuring targeted promotions based on specific countries and languages, enhancing their reach. The campaign’s combination of sophisticated malware tactics and client-driven SEO manipulation highlights the growing nexus between cybercrime and digital marketing fraud.
Reference:
