New China-Aligned Crew Poisons Windows Servers for SEO Fraud

by hubie from SoylentNews on (#6ZW94)

upstart writes:

Defrauding search with custom malware, Potato-family exploits:

A new China-aligned cybercrime crew named GhostRedirector has compromised at least 65 Windows servers worldwide - spotted in a June internet scan - using previously undocumented malware to juice gambling sites' rankings in Google search, according to ESET researchers.

The infections began in December, although other related malware samples indicate the group has been active since at least August 2024, the security firm's threat intel team noted.

GhostRedirector uses a variety of custom tools, including two never-seen-before pieces of malware that the researchers dubbed Rungan, which is a passive C++ backdoor, and Gamshen, a malicious Internet Information Services (IIS) trojan that manipulates Google search results for Search Engine Optimization (SEO) fraud.

The victim sites then show versions of their web pages to Googlebot that would help certain gambling sites gain rank. For example, they may include fake backlinks to those gambling domains, fooling everyone's favorite search engine into thinking that those sites are highly recommended by others.

While most of the infected servers are in Brazil, Peru, Thailand, Vietnam, and the US, "we believe that GhostRedirector was more interested in targeting victims in South America and South Asia," malware researcher Fernando Tavella said in a Thursday report. Plus, he added, the gang doesn't appear to target a particular sector with victims from this campaign including education, healthcare, insurance, transportation, technology, and retail organizations.

The researchers suspect the criminals gained initial access by exploiting a probable SQL injection bug. They then used PowerShell to download Windows privilege escalation tools, droppers, and the two final payloads, Rungan and Gamshen, all from the same server: 868id[.]com.

Read more of this story at SoylentNews.
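The cloaking behaviour the story describes (serving Googlebot a page variant with injected backlinks that ordinary visitors never see) can be checked for from the outside by fetching the same URL with a browser User-Agent and with the Googlebot User-Agent and diffing the outbound links. The script below is an added example written for this page, not ESET's tooling or anything from the campaign; the two HTML responses and the hostnames in them are constructed sample data, and `fetch_variants()` is an assumed helper for running the same comparison against a live server.

```python
"""Detect crawler-facing cloaking: a compromised site returns extra outbound
links (fake backlinks) only when the request looks like it comes from Googlebot.

Added example for this article; not code from ESET or from the campaign.
The HTML bodies and hostnames below are constructed sample data.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import Request, urlopen

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed sample: what a normal browser visitor receives.
BROWSER_HTML = """<html><body>
<h1>Acme Transport</h1>
<a href="/about">About us</a>
<a href="https://partner.example/fleet">Fleet partner</a>
</body></html>"""

# Constructed sample: what the same URL returns to a Googlebot User-Agent.
# The hidden block carries the injected "backlinks" to placeholder domains.
GOOGLEBOT_HTML = """<html><body>
<h1>Acme Transport</h1>
<a href="/about">About us</a>
<a href="https://partner.example/fleet">Fleet partner</a>
<div style="display:none">
<a href="https://casino-placeholder.example/slots">best slots</a>
<a href="https://bet-placeholder.example/">online betting</a>
</div>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect href targets of every <a> tag in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def external_hosts(html, own_host):
    """Return the set of external hostnames linked from an HTML document."""
    parser = LinkCollector()
    parser.feed(html)
    hosts = set()
    for href in parser.hrefs:
        host = urlparse(href).hostname  # None for relative links like /about
        if host and host.lower() != own_host.lower():
            hosts.add(host.lower())
    return hosts


def compare_link_sets(browser_html, bot_html, own_host):
    """Return hosts linked only in the crawler-facing variant.

    A non-empty result means the server hands the crawler outbound links that
    visitors never see, the signature of SEO-fraud cloaking.
    """
    return external_hosts(bot_html, own_host) - external_hosts(browser_html, own_host)


def is_cloaked(browser_html, bot_html, own_host):
    return bool(compare_link_sets(browser_html, bot_html, own_host))


def fetch_variants(url):
    """Assumed helper (not exercised offline): fetch a live URL twice, once per
    User-Agent, and return (browser_body, googlebot_body) for comparison."""
    bodies = []
    for ua in (BROWSER_UA, GOOGLEBOT_UA):
        req = Request(url, headers={"User-Agent": ua})
        with urlopen(req, timeout=15) as resp:
            bodies.append(resp.read().decode("utf-8", errors="replace"))
    return tuple(bodies)


if __name__ == "__main__":
    extra = compare_link_sets(BROWSER_HTML, GOOGLEBOT_HTML, "www.acme-transport.example")
    print("crawler-only link hosts:", sorted(extra))
```

A clean diff is not proof of a clean server: whether an implant cloaks on the User-Agent header alone, or on other request properties, is an assumption of this check, so treat it as a cheap external signal to be confirmed by inspecting the IIS module list and the web root on the host itself.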
