- Chinese group GhostRedirector hijacked at least 65 Windows servers to boost shady gambling sites' Google rankings
- They used two new tools – Rungan and Gamshen
- Attacks hit servers mainly in Latin America and South Asia, probably via SQL injection, across multiple industries
Dozens of Windows servers have been hijacked by a Chinese hacking group to boost the Google rankings of shady gambling sites, experts have found.
Security researchers at ESET have outlined the campaign, which they call GhostRedirector. It began targeting Windows servers in December 2024 and eventually compromised at least 65 of them. After breaking into a server, the attackers would deploy a number of tools, including two brand new pieces of malware, called Rungan and Gamshen.
Rungan is a classic backdoor, while Gamshen is the component that performs the search engine ranking manipulation. ESET describes it as a malicious Internet Information Services (IIS) trojan: not malware in the traditional sense, but a malicious native IIS module that runs directly inside the Windows web server and selectively alters HTTP responses, but only for Google's web crawler, Googlebot.
South America and South Asia targeted
The goal is to inject either backlinks or SEO content designed to artificially raise gambling sites' positions in Google search rankings.
What makes this trojan particularly stealthy is that regular visitors are not affected, so victim sites will typically only notice the intrusion after their own search rankings drop or Google flags the site for suspicious behavior.
The majority of the infected servers were located in Latin America and South Asia – Brazil, Peru, Thailand and Vietnam. Compromised servers were also discovered in the United States, but ESET believes the threat actors were primarily aiming at South American and South Asian servers.
The hackers also do not seem to target any particular industry, as the attacks were seen in the education, healthcare, insurance, transport, technology and retail verticals.
Initial access was probably obtained by exploiting a SQL injection flaw, ESET concluded. From there, the attackers used PowerShell to download Windows privilege escalation tools and droppers, and finally dropped Rungan and Gamshen in the last phase of the attack.
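Because Gamshen only changes what Googlebot sees, the simplest way for a site owner to spot this kind of cloaking is to request the same page with a browser User-Agent and with a Googlebot User-Agent and compare the links in the two responses. The following Python script is an added example of that check; it is not ESET's tooling or anything from the page. The HTML pages, hostnames (`*.invalid`, `partner.example`, `www.victim.example`) and the browser User-Agent string are constructed for the example.

```python
"""Detect Googlebot-only link injection (search-engine cloaking).

Added example: fetch a page as a normal browser and as Googlebot, then
report links that appear only in the Googlebot response. Outbound links
that only the crawler sees are exactly the "backlinks" an SEO-fraud
module would inject.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import urllib.request

# Googlebot's published User-Agent; the browser UA is a constructed stand-in.
GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)")
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0"


class _LinkCollector(HTMLParser):
    """Collect every href of every <a> tag, nothing else."""

    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.add(value.strip())


def extract_links(html):
    """Return the set of anchor hrefs found in an HTML document."""
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def injected_links(browser_html, bot_html, site_host=None):
    """Links present only in the Googlebot response.

    Comparing link sets rather than raw bytes avoids false positives from
    per-request noise (session tokens, timestamps, rotating ads). If
    site_host is given, same-host and relative links are ignored so that
    only outbound backlinks are reported.
    """
    extra = extract_links(bot_html) - extract_links(browser_html)
    if site_host:
        extra = {h for h in extra
                 if urlsplit(h).hostname not in (None, site_host)}
    return sorted(extra)


def fetch(url, user_agent, timeout=10):
    """Fetch url with the given User-Agent and return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_url(url):
    """Live check: outbound links a crawler sees but a browser does not."""
    host = urlsplit(url).hostname
    return injected_links(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA), host)


# Constructed sample responses: what a browser gets, and what Googlebot gets
# from a server whose IIS module appends gambling backlinks for crawlers.
BROWSER_PAGE = """<html><body>
<a href="/about">About us</a>
<a href="/contact">Contact</a>
<a href="https://partner.example/">Partner</a>
</body></html>"""

BOT_PAGE = """<html><body>
<a href="/about">About us</a>
<a href="/contact">Contact</a>
<a href="https://partner.example/">Partner</a>
<a href="/promo">Promo</a>
<a href="https://casino-one.invalid/">best online casino</a>
<a href="https://bet-two.invalid/slots">slots bonus</a>
</body></html>"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_url(sys.argv[1]))  # live check of a site you operate
    else:
        print(injected_links(BROWSER_PAGE, BOT_PAGE, "www.victim.example"))
```

Run it with a URL of a site you administer to compare the two responses, or with no arguments to see the check on the constructed sample. A non-empty result is a lead, not a verdict: some sites legitimately vary content by User-Agent, so confirm by inspecting the server's installed native IIS modules rather than relying on the diff alone.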
Via The Register