Full Report
Researchers identified a "DragonRank" campaign targeting countries in Asia and Europe. This group exploits web application services to deploy web shells and malware like PlugX and BadIIS, primarily for manipulating search engine rankings. The campaign has affected more than 35...
Analysis Summary
# Threat Actor: DragonRank
## Attribution & Identity
The available evidence strongly suggests the operator is a **Simplified Chinese-speaking actor**, based on its commercial activities, which focus on Search Engine Optimization (SEO) manipulation and black hat SEO practices. The activity is described as a "campaign" rather than a state-sponsored group, indicating financially motivated or commercial objectives.
## Activity Summary
DragonRank is a campaign observed targeting web application services, primarily Microsoft IIS servers. The group exploits vulnerabilities to deploy web shells and secondary malware, with the primary goal of **manipulating search engine rankings (SEO fraud)**. The campaign has affected over 35 IIS servers. The objective also includes resource hijacking and potentially data exfiltration, though SEO manipulation is highlighted as the key impact.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting 1-day vulnerabilities in web application services (e.g., WordPress, phpMyAdmin).
- **Implantation:** Deploying web shells, specifically mentioning the open-source tool **ASPXSpy**.
- **Persistence/C2:** Utilizing web shells or Remote Desktop Protocol (RDP) to maintain access across additional breached IIS servers.
- **Credential Harvesting:** Employing tools such as **Mimikatz**.
- **Privilege Escalation:** Using tools like **PrintNotifyPotato** and **GodPotato**.
- **Payload Execution (PlugX):** Employing **DLL Sideloading** and abusing the Windows Structured Exception Handling (SEH) mechanism to stealthily load the payload. Decryption consists of XORing the payload with the single-byte key **0xD1**.
- **Impact Action (SEO Fraud):** Using **BadIIS** to alter HTTP responses served by the compromised IIS server to manipulate search engine crawlers, often redirecting traffic to scam websites.
## Targeting
- **Sectors:** Various industries (implied, as the target count of 35+ is spread across sectors).
- **Geography:** Countries in **Asia and Europe**.
- **Victims:** Over **35 compromised Microsoft IIS servers**.
## Tools & Infrastructure
- **Malware Families Used:**
- **PlugX** (used for post-exploitation activities).
- **BadIIS** (used specifically for SEO manipulation).
- **Web Shells/Backdoors:**
- **Godzilla**
- **ASPXSpy** (open-source web shell used for initial control).
- **Lateral Movement/Privilege Escalation Tools:**
- **Mimikatz**
- **PrintNotifyPotato**
- **GodPotato**
- **Infrastructure:** No specific C2 domains or IPs were detailed in the provided context.
## Implications
The DragonRank campaign represents a significant threat associated with cybercrime groups leveraging vulnerability exploitation for commercial gain rather than state espionage. The focus on SEO poisoning indicates a persistent effort to monetize breached infrastructure by leveraging the reputation of compromised servers to funnel traffic to malicious or fraudulent sites. Targeting IIS web servers provides a consistent pathway for initial access across diverse organizational footprints.
## Mitigations
- **Patch Management:** Immediately patch vulnerabilities exploited in web application services, including those affecting **WordPress** and **phpMyAdmin**.
- **Web Application Security:** Implement stringent security configurations for **Microsoft IIS servers**.
- **Defense in Depth:** Monitor for the deployment of known web shells like **ASPXSpy**.
- **Endpoint Detection:** Utilize behavioral monitoring to detect techniques associated with **PlugX** execution, particularly DLL sideloading and memory injection relying on the SEH mechanism.
- **Privilege Monitoring:** Actively monitor for credential harvesting tools like **Mimikatz** and local privilege escalation attempts using tools such as **Potato** derivatives.
- **Output Validation:** Monitor web server HTTP responses for abnormal redirection or content manipulation indicative of **BadIIS** activity.
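The "Output Validation" mitigation above amounts to a cloaking check: fetch the same page once as an ordinary user and once with a search-engine crawler User-Agent, then compare what the server returned. The following is an added example (not code from the original report) that implements that comparison over two constructed sample responses; the URL, hostnames, and the body-similarity threshold are assumptions chosen for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed sample responses (not real captures): the same URL fetched with a
# browser User-Agent (NORMAL) and with a search-engine crawler User-Agent (CRAWLER).
NORMAL_RESPONSE = {
    "status": 200,
    "headers": {"Content-Type": "text/html"},
    "body": "<html><head><title>Acme Widgets</title></head><body>"
            "<h1>Welcome to Acme</h1><p>Industrial widgets since 1990.</p></body></html>",
}
CRAWLER_RESPONSE = {
    "status": 302,
    "headers": {"Content-Type": "text/html",
                "Location": "https://casino-example.invalid/win"},  # constructed
    "body": "<html><body>Redirecting...</body></html>",
}


def detect_cloaking(url, normal, crawler, body_threshold=0.6):
    """Compare the response served to a crawler with the one served to a user.

    Returns a list of human-readable findings; an empty list means the two
    responses are consistent. body_threshold (an assumed value) is the minimum
    difflib similarity ratio before the bodies are considered different content.
    """
    findings = []
    # 1. A different status code for the crawler (e.g. 302 vs 200) is suspicious.
    if normal["status"] != crawler["status"]:
        findings.append(f"status differs: user={normal['status']} crawler={crawler['status']}")
    # 2. A redirect that only the crawler receives, especially off-site, is the
    #    classic SEO-fraud pattern described for BadIIS.
    n_loc = normal["headers"].get("Location")
    c_loc = crawler["headers"].get("Location")
    if c_loc and c_loc != n_loc:
        target_host = urlparse(c_loc).hostname or "?"
        scope = "off-site" if target_host != urlparse(url).hostname else "same-site"
        findings.append(f"crawler-only {scope} redirect to {target_host}")
    # 3. Substantially different page content for the crawler indicates cloaking.
    ratio = SequenceMatcher(None, normal["body"], crawler["body"]).ratio()
    if ratio < body_threshold:
        findings.append(f"body similarity {ratio:.2f} below threshold {body_threshold}")
    return findings


if __name__ == "__main__":
    for f in detect_cloaking("https://www.acme.example/", NORMAL_RESPONSE, CRAWLER_RESPONSE):
        print("FINDING:", f)
```

In practice the two responses would come from an HTTP client using the site's real hostname and a crawler User-Agent string, and the check should be run against several pages, since BadIIS-style manipulation need not affect every path.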