GhostRedirector Hackers Compromise Windows Servers With Malicious IIS Module To Manipulate Search Results

A new cyber threat group, identified as “GhostRedirector,” has compromised over 65 Windows servers globally, deploying custom malware to manipulate search engine results for financial gain.

Technical Details

The group employs a malicious module for Microsoft’s Internet Information Services (IIS) to execute an SEO fraud scheme, primarily benefiting gambling websites. The attacks, active since at least August 2024, utilize two custom tools: a C++ backdoor named “Rungan” and a malicious IIS module called “Gamshen.”

Operational Mechanism

Rungan enables command execution on compromised servers, while Gamshen serves as the operation’s core, providing “SEO fraud as-a-service.” Gamshen intercepts web traffic on infected servers, activating only when requests from Google’s web crawler, Googlebot, are detected. For regular visitors, the site behaves normally; however, during Googlebot scans, Gamshen injects data from its command-and-control server.

This method allows attackers to create artificial backlinks and employ manipulative SEO tactics to enhance the page ranking of target websites.
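The crawler-only behaviour described above leaves a measurable trace in the server's own logs: the same URL returns a much larger body to a Googlebot user agent than to ordinary visitors. The following Python script is an added detection example written for this article, not ESET's code or any tooling from the campaign; it assumes the optional sc-bytes field is enabled in IIS W3C logging and uses a constructed log excerpt as input.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt (not real traffic). Assumes the optional
# sc-bytes field is enabled; IIS writes spaces inside field values as '+'.
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs(User-Agent) sc-status sc-bytes
2024-09-01 10:00:01 GET /index.html - Mozilla/5.0+(Windows+NT+10.0)+Chrome/128.0 200 5120
2024-09-01 10:00:07 GET /index.html - Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 19870
2024-09-01 10:01:12 GET /about.html - Mozilla/5.0+(Macintosh)+Safari/605.1 200 3010
2024-09-01 10:01:40 GET /about.html - Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 3012
"""

GOOGLEBOT_RE = re.compile(r"googlebot", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def find_cloaked_paths(log_text, min_ratio=1.5):
    """Return {uri: (avg_bot_bytes, avg_visitor_bytes)} for paths whose
    successful Googlebot responses are at least min_ratio times larger than
    the responses regular visitors receive for the same path. A consistent
    gap on otherwise static pages is the visible side effect of content
    being injected only into crawler-facing responses."""
    sizes = defaultdict(lambda: {"bot": [], "visitor": []})
    for rec in parse_w3c(log_text):
        if rec.get("sc-status") != "200":
            continue
        kind = "bot" if GOOGLEBOT_RE.search(rec["cs(User-Agent)"]) else "visitor"
        sizes[rec["cs-uri-stem"]][kind].append(int(rec["sc-bytes"]))
    flagged = {}
    for uri, s in sizes.items():
        if not s["bot"] or not s["visitor"]:
            continue  # need both populations to compare
        bot = sum(s["bot"]) / len(s["bot"])
        visitor = sum(s["visitor"]) / len(s["visitor"])
        if bot >= min_ratio * visitor:
            flagged[uri] = (bot, visitor)
    return flagged


if __name__ == "__main__":
    for uri, (bot, visitor) in find_cloaked_paths(IIS_LOG).items():
        print(f"{uri}: Googlebot avg {bot:.0f} B vs visitor avg {visitor:.0f} B")
```

Size gaps can also come from legitimate dynamic rendering, so treat a hit as a lead to confirm by requesting the page with both user agents from a trusted host and diffing the bodies.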

Targeted Entities and Geographical Spread

The primary beneficiaries are gambling websites targeting Portuguese-speaking users. The campaign is attributed with medium confidence to a previously unknown, China-aligned threat actor, based on evidence including a code-signing certificate from a Chinese company, hardcoded Chinese language strings, and passwords containing Chinese words.

The attack is broad, affecting sectors such as healthcare, retail, transportation, education, and technology, with significant impact in Brazil, Thailand, and Vietnam, and additional victims in the United States, Peru, Canada, Europe, and Asia.

Attack Chain and Techniques

GhostRedirector’s attack chain likely begins with an SQL injection vulnerability for initial access. Once inside, attackers use PowerShell or CertUtil to download tools from a staging server. They employ known privilege escalation exploits, “EfsPotato” and “BadPotato,” to create administrator-level user accounts, ensuring persistent control.

Their toolkit includes “Zunput,” which scans for active websites and deploys multiple webshells for remote access. ESET’s analysis clustered this activity and attributed it to a single group, based on shared code libraries and infrastructure.

Impact on Compromised Hosts

While the immediate impact on website visitors is minimal, participation in the SEO fraud scheme could significantly damage the host’s reputation due to its association with black-hat SEO practices.