
DragonRank (Dropper) – Malware

February 26, 2025

DragonRank

Type of Malware: Dropper

Country of Origin: China

Targeted Countries: Thailand, Korea, India, Belgium, Netherlands, China

Date of Initial Activity: 2024

Motivation: Financial Gain, Data Theft

Attack Vectors: Web Browsing, Phishing, Software Vulnerabilities

Type of Information Stolen: Login Credentials

Targeted Systems: Windows

Overview

In recent cybersecurity investigations, a new and particularly insidious threat has emerged under the moniker DragonRank. Identified by Cisco Talos, DragonRank is a cybercriminal operation leveraging malicious techniques to manipulate search engine optimization (SEO) rankings. This malware campaign targets corporate websites hosted on Windows Internet Information Services (IIS) servers, aiming to hijack their search engine visibility and drive traffic to fraudulent and malicious sites. The scope of this operation spans multiple countries, including regions in Asia and Europe, with DragonRank taking a particularly aggressive approach to compromising a wide variety of industries.

At the core of DragonRank’s operations is the deployment of BadIIS malware, which manipulates search engine crawlers to alter the ranking of compromised websites. This malware is typically used to push scam websites, often related to adult content, to the top of search results, boosting their visibility in a deceptive and unethical manner. By taking control of these servers, the group can inject their malicious websites into legitimate search engine results, affecting both users’ trust and the companies’ reputations. Unlike traditional SEO manipulation methods, DragonRank uses lateral movement and privilege escalation to persist within networks, escalating its impact by compromising additional servers and expanding its control.

Targets

Individuals

How they operate

At the heart of DragonRank’s technical operations is the exploitation of web application vulnerabilities to deploy web shells on compromised IIS servers. These web shells give the attackers a foothold on the target systems, enabling them to execute commands, collect system information, and deploy additional malware. One of the primary tools used in this attack is BadIIS, a malware specifically designed to manipulate search engine crawlers. By exploiting the IIS servers, DragonRank can redirect search engine bots to fraudulent sites, artificially inflating the visibility of malicious or scam websites in search results. This manipulation of search engine rankings is the core of DragonRank’s SEO manipulation strategy, which drives traffic to malicious sites and undermines the integrity of the affected websites.

In addition to BadIIS, DragonRank also uses PlugX, a well-known remote access Trojan (RAT), to gain persistent access to compromised networks. PlugX is loaded through DLL sideloading and abuses the Windows Structured Exception Handling (SEH) mechanism so that it loads without raising suspicion. By embedding the PlugX payload within seemingly legitimate files, the attackers ensure that the malware can execute without triggering security alarms. Once deployed, PlugX facilitates lateral movement within the network, allowing DragonRank to escalate its privileges and take control of additional servers within the target organization.

DragonRank’s tactics also include a distinctive method of lateral movement, in which the attackers target multiple systems within the same network, expanding their foothold and increasing their control over the organization’s infrastructure. By exploiting weak configurations and vulnerabilities in the network, DragonRank is able to pivot from one compromised server to another, maintaining persistence and avoiding detection. This ability to move laterally across compromised systems is one of the key aspects that sets DragonRank apart from traditional SEO manipulation groups, which typically focus on large-scale server compromises without maintaining control over the underlying infrastructure.

Moreover, DragonRank’s operation goes beyond manipulating search engine rankings. The group offers its services as a black-hat SEO provider, engaging in illicit online marketing to boost its clients’ visibility through the use of compromised servers and fraudulent techniques. DragonRank’s business model includes providing SEO services for various illegal practices such as cross-site ranking, parasite ranking, and search result domination. They not only manipulate search engine results but also spread targeted social media advertisements. Their client-focused approach involves customizing campaigns to fit specific industries, regions, and languages, ensuring a global reach for their SEO manipulation efforts.

Through these technical tactics, DragonRank achieves its goal of boosting fraudulent websites while simultaneously undermining legitimate businesses’ online presence. The group’s use of compromised infrastructure, lateral movement, privilege escalation, and a combination of malware tools such as BadIIS and PlugX makes its operations highly effective and difficult to detect. As DragonRank continues to exploit these vulnerabilities, it highlights the growing threat of sophisticated cybercriminal operations in the world of online marketing and search engine optimization, leaving businesses exposed to long-term reputational and financial damage.
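The crawler manipulation described above leaves a visible trace in the web server's own logs: search engine bots receive a redirect for a page that ordinary visitors receive normally. The following script is an added defender-side example, not code from the original post or from Cisco Talos, that scans an IIS W3C extended log for that pattern; the log lines, IP addresses and URIs in it are constructed for illustration.

```python
import re

# Constructed sample of an IIS W3C extended log (not real DragonRank telemetry).
# IIS encodes spaces in field values as "+", so each field is one whitespace-delimited token.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-06-01 10:00:01 10.0.0.5 GET /products.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124.0 - 200 0 0 15
2024-06-01 10:00:02 10.0.0.5 GET /products.aspx - 443 - 198.51.100.9 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 302 0 0 3
2024-06-01 10:00:03 10.0.0.5 GET /about.aspx - 443 - 198.51.100.9 Mozilla/5.0+(compatible;+bingbot/2.0;++http://www.bing.com/bingbot.htm) - 200 0 0 12
2024-06-01 10:00:04 10.0.0.5 GET /contact.aspx - 443 - 203.0.113.8 Mozilla/5.0+(compatible;+Googlebot/2.1) - 302 0 0 4
"""

# User-Agent substrings of the major search engine crawlers (case-insensitive).
CRAWLER_RE = re.compile(r"googlebot|bingbot|baiduspider|yandexbot|duckduckbot", re.I)


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # directive line defines the column layout
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):     # skip truncated or malformed lines
                rows.append(dict(zip(fields, values)))
    return rows


def find_crawler_cloaking(text):
    """Group requests per URI and compare what crawlers got against what browsers got.

    "cloaked": crawlers received a 3xx while a non-crawler client received 200 for the
    same URI (the strongest signal of a crawler-aware redirect module such as BadIIS).
    "crawler_redirect_only": crawlers received a 3xx but no browser baseline exists yet.
    """
    by_uri = {}
    for row in parse_w3c(text):
        kind = "crawler" if CRAWLER_RE.search(row["cs(User-Agent)"]) else "browser"
        bucket = by_uri.setdefault(row["cs-uri-stem"], {"crawler": set(), "browser": set()})
        bucket[kind].add(row["sc-status"])
    result = {"cloaked": [], "crawler_redirect_only": []}
    for uri, b in sorted(by_uri.items()):
        if any(s.startswith("3") for s in b["crawler"]):
            result["cloaked" if "200" in b["browser"] else "crawler_redirect_only"].append(uri)
    return result


if __name__ == "__main__":
    for label, uris in find_crawler_cloaking(SAMPLE_LOG).items():
        print(f"{label}: {uris}")
```

Run it against a real log directory (typically under %SystemDrive%\inetpub\logs\LogFiles) by feeding each file's contents to find_crawler_cloaking; a hit is a reason to inspect the site's native IIS modules and handler configuration.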
References
  • DragonRank, a Chinese-speaking SEO manipulator service provider