GhostRedirector’s Server Attacks
A newly identified threat group, GhostRedirector, has compromised 65 Windows servers across multiple countries, with Brazil and Thailand hit hardest. The activity dates back to at least August 2024.
Rungan and Gamshen Malware
GhostRedirector deploys two custom tools. Rungan is a passive C++ backdoor: it does not beacon out to a command-and-control server but waits for the attacker to contact it. Gamshen is a native IIS module used for SEO fraud, boosting the search ranking of scam websites at the expense of the compromised host.
Fraud Tactics and Global Targeting
Gamshen manipulates search results by serving tampered content only to search engine crawlers; ordinary visitors receive the unmodified site, which is why the compromise goes unnoticed. The injected content, such as backlinks to the sites being promoted, spends the compromised site's own search reputation on the attackers' targets and harms its standing with search engines.
Victims span sectors including education and healthcare, and countries including the U.S. and India. The targeting appears opportunistic rather than sector-specific.
Initial Access Methods
Initial access most likely comes through SQL injection flaws in the web applications running on the servers. Once in, the attackers run PowerShell commands to download and stage additional tools.
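The kind of flaw that gives GhostRedirector its foothold, and its fix, as an added example that is not code from the article or from ESET's research. It is a PowerShell lookup against SQL Server via System.Data.SqlClient (Windows PowerShell 5.1); the connection string, the Users table and its column names are hypothetical.

```powershell
# Added example, not code from the article or from ESET's research: the SQL injection
# pattern named as GhostRedirector's likely entry point, next to the parameterised fix.
# Assumes Windows PowerShell 5.1 (System.Data.SqlClient ships with .NET Framework).
# $ConnectionString, the Users table and its columns are hypothetical.

$ConnectionString = 'Server=localhost;Database=AppDb;Integrated Security=True'

# VULNERABLE: the username is spliced into the statement text. Returned as a string so the
# effect of an injected value can be seen without a database.
function Get-VulnerableQueryText {
    param([string]$Username)
    return "SELECT Id, Email FROM Users WHERE Username = '$Username'"
}

# "x' OR 1=1 --" turns the lookup into a dump of every row, and "x'; <statement> --" runs a
# second, attacker-chosen statement. On SQL Server, if the application's login has sysadmin
# rights, that stacked statement can enable and call xp_cmdshell, which is the classic route
# from an injection to running PowerShell on the host.
Get-VulnerableQueryText -Username "x' OR 1=1 --"

# FIXED: the value travels as a typed parameter, never as query text, so quotes and
# semicolons inside it are just characters.
function Get-UserByName {
    param([Parameter(Mandatory)][string]$Username)

    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT Id, Email FROM Users WHERE Username = @username'
    $p = $cmd.Parameters.Add('@username', [System.Data.SqlDbType]::NVarChar, 64)
    $p.Value = $Username

    try {
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        $rows = @()
        while ($reader.Read()) {
            $rows += [pscustomobject]@{ Id = $reader['Id']; Email = $reader['Email'] }
        }
        return $rows
    }
    finally {
        $conn.Dispose()   # closes the connection and the open reader with it
    }
}

# Usage: Get-UserByName -Username "x' OR 1=1 --"   # matches nothing; no user has that literal name
```

Parameterising the query closes the injection, but the second half of the fix is the database login the application uses: if it is not sysadmin, it cannot enable xp_cmdshell, and an injection that does slip through cannot become code execution on the server.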
Rungan’s Command Features and Gamshen’s Operations
Rungan listens for HTTP requests to a specific URL path and executes the commands embedded in them. Its commands include creating users and running arbitrary commands on the server, which gives the attackers remote control without the backdoor ever making an outbound connection.
Gamshen works like other IIS SEO-fraud malware. Loaded into the IIS worker process as a native module, it sees every incoming HTTP request; when one comes from a search engine crawler it alters the response, injecting links to or redirecting toward the scam sites, which promotes gambling pages in search results.
Tools Deployed and Links
The group drops further utilities: remote access programs, web shells and privilege escalation tools. BadPotato, for instance, abuses the SeImpersonatePrivilege of the compromised service account to run code as SYSTEM and is used to create administrator accounts; the web shells give the attackers a persistent foothold for further attacks.
Evidence points to a China-aligned actor: the code contains Chinese-language strings, and some of the tools carry a code-signing certificate issued to a Chinese company.
Related Threats
GhostRedirector is not alone in abusing IIS for fraud. Other groups deploy similar malware such as BadIIS; DragonRank, for example, uses it for the same kind of SEO manipulation. Malicious IIS modules are an established tactic, not a one-off.
Preventing GhostRedirector Attacks
Since the foothold is SQL injection, fixing those flaws in the web application comes first: parameterised queries, input validation, and a database login with no more rights than the application needs. Inventory the native modules loaded by IIS and alert on any change, verify the signatures and signers of their DLLs, and use endpoint monitoring to catch backdoors and privilege escalation tools on the server. Security awareness training still has a place, even though phishing is not this group's entry point. Admins who stay proactive keep their servers out of this campaign.
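A hunt for the persistence described above (Gamshen as an IIS module, Rungan's URL listener, and the account creation done by Rungan and BadPotato), as an added example that is not code from the article or from ESET. It runs in an elevated PowerShell on the IIS host and needs the WebAdministration module; the URL and link patterns, the lookback window and the output fields are my own choices.

```powershell
# Added example, not code from the article or from ESET: a hunt for the kinds of
# persistence the article describes, for an elevated PowerShell session on the IIS host.
# Needs the WebAdministration module (IIS Management Scripts and Tools feature). The URL
# and link patterns, the lookback window and the output fields are my own assumptions.
Import-Module WebAdministration

# 1. Native (global) IIS modules, which is what Gamshen is. Resolve each DLL and check its
#    Authenticode signature. Read the Signer, not just the status: the article notes that
#    some of this group's tools are signed, by a company you would not expect.
function Get-IisNativeModuleReport {
    $inetsrv = Join-Path $env:SystemRoot 'System32\inetsrv'
    foreach ($m in Get-WebGlobalModule) {
        $path = [Environment]::ExpandEnvironmentVariables($m.Image)
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $m.Name
            Image     = $path
            InInetsrv = $path.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)
            SigStatus = if ($sig) { [string]$sig.Status } else { 'Unknown' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# 2. URLs registered with HTTP.sys. A listener like Rungan takes requests for its URL
#    straight from HTTP.sys, so nothing shows in IIS site bindings or logs. IIS registers
#    site roots; anything with a deeper path deserves a look. Baseline first: WinRM's
#    /wsman/ and similar legitimate registrations appear here too.
function Get-HttpSysUrlWithPath {
    netsh http show servicestate view=requestq |
        ForEach-Object { if ($_ -match '^\s*(https?://\S+)') { $Matches[1] } } |
        Where-Object { $_ -notmatch '^https?://[^/]+/$' } |
        Sort-Object -Unique
}

# 3. Cloaking check for Gamshen-style behaviour: fetch a page once as a browser and once
#    as Googlebot, without following redirects, and compare status, Location and the
#    hosts the page links to. Only the User-Agent differs between the two requests.
function Get-ResponseFingerprint {
    param([string]$Url, [string]$UserAgent)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.UserAgent = $UserAgent
    $req.AllowAutoRedirect = $false      # a crawler-only redirect is exactly the signal wanted
    $req.Timeout = 15000
    try { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }   # non-2xx still has a body
    if (-not $resp) { throw "no HTTP response from $Url" }
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $reader = New-Object System.IO.StreamReader ($resp.GetResponseStream())
    $body = $reader.ReadToEnd(); $reader.Dispose(); $resp.Dispose()
    $hosts = [regex]::Matches($body, 'href\s*=\s*["'']?(https?://[^"''\s>]+)', 'IgnoreCase') |
             ForEach-Object { try { ([uri]$_.Groups[1].Value).Host } catch { } } |
             Sort-Object -Unique
    [pscustomobject]@{ Status = $status; Location = $location; LinkHosts = @($hosts) }
}

function Test-CrawlerCloaking {
    param([Parameter(Mandatory)][string]$Url)
    $asBrowser   = Get-ResponseFingerprint $Url 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
    $asGooglebot = Get-ResponseFingerprint $Url 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
    $botOnlyHosts = @($asGooglebot.LinkHosts | Where-Object { $_ -notin $asBrowser.LinkHosts })
    [pscustomobject]@{
        Url               = $Url
        BrowserStatus     = $asBrowser.Status
        GooglebotStatus   = $asGooglebot.Status
        GooglebotLocation = $asGooglebot.Location
        HostsOnlyForBot   = $botOnlyHosts
        Suspicious        = ($asBrowser.Status -ne $asGooglebot.Status) -or ($botOnlyHosts.Count -gt 0)
    }
}

# 4. Account creation (4720) and local group membership changes (4732): Rungan's user
#    creation and BadPotato-created admins land here. Requires the User Account Management
#    and Security Group Management audit subcategories to be enabled.
function Get-RecentAccountChange {
    param([int]$Days = 30)
    $filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Summary = ($_.Message -split "`r?`n")[0] }
    }
}

# Usage, in an elevated session on the IIS host:
#   Get-IisNativeModuleReport | Where-Object { -not $_.InInetsrv -or $_.SigStatus -ne 'Valid' }
#   Get-HttpSysUrlWithPath
#   Test-CrawlerCloaking -Url 'https://www.example.com/'
#   Get-RecentAccountChange -Days 30
```

Two caveats. A module with a valid signature is not automatically clean, since this group's tools were signed; compare the Signer against the vendors you expect in inetsrv. The cloaking test relies on the User-Agent header alone, and a module that also checks the crawler's source address will not react to it, so a negative result does not clear the host; the module inventory is the authoritative check. Suspicious deliberately ignores plain body differences, because dynamic pages differ between any two requests.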
Sleep well, we got you covered.

