- The Chinese threat group GhostRedirector hijacked at least 65 Windows servers to boost the Google ranking of shady gambling websites
- They used two previously undocumented tools, Rungan and Gamshen
- Attacks hit servers mainly in Latin America and South Asia, probably via SQL injection, across several industries
Dozens of Windows servers have been hijacked by a Chinese hacking group to boost the Google ranking of shady gambling websites, researchers have found.
ESET security researchers described the operation, called GhostRedirector, which began targeting Windows servers in December 2024 and ultimately compromised at least 65 of them. After breaking into a server, the attackers deployed a variety of tools, including two new pieces of malware, called Rungan and Gamshen.
Rungan is a classic backdoor, while Gamshen is the component that manipulates search-engine rankings. ESET describes it as a malicious Internet Information Services (IIS) trojan: not malware in the traditional sense, but a malicious IIS module that runs directly inside a Windows web server and selectively modifies HTTP responses, but only for Google's web crawler, Googlebot.
Latin America and South Asia targeted
The goal is to inject backlinks or SEO content designed to artificially push the gambling sites up in Google search rankings.
What makes this trojan particularly stealthy is that regular visitors are not affected, so victims will not notice the intrusion until their site's search ranking drops or Google flags the site for suspicious behavior.
The majority of infected servers were located in Latin America and South Asia, in Brazil, Peru, Thailand and Vietnam. Compromised servers were also found in the United States, but ESET believes the threat actors mainly aimed at servers in Latin America and South Asia.
The attackers do not appear to target a particular industry either, as attacks have been observed in the education, healthcare, insurance, transport, technology and retail verticals.
Initial access was probably gained by exploiting an SQL injection flaw, ESET concluded. From there, the attackers used PowerShell to download privilege escalation tools and Windows droppers, and finally deployed Rungan and Gamshen as the last stage of the attack.
Via The Register