In a recent discovery, security experts have identified a suspicious new activity cluster they’re calling “DragonRank.” This activity is believed to be of Chinese origin and has been observed targeting various countries in Asia along with a few others in Europe.
DragonRank operations are carried out through web shells used to collect system information from victims and deploy malware payloads such as PlugX and BadIIS, with the goal of compromising Windows Internet Information Services (IIS) servers hosting legitimate corporate websites and manipulating their search engine optimization (SEO) rankings.
DragonRank’s Modus Operandi
The researchers from Cisco Talos state that the activity cluster’s tactics, techniques, and procedures (TTPs) bear several similarities to hacking groups that rely on Simplified Chinese. DragonRank had used a wide-reaching and non-targeted approach to compromise over 35 IIS servers across various industries, including jewelry, media, research services, healthcare, and more.
The group’s primary goal is to implant the BadIIS malware, which manipulates search engine crawlers and disrupts the SEO of affected sites. To achieve this, DragonRank exploits vulnerabilities in web application services, such as phpMyAdmin, WordPress, or similar web applications.
Once they gain control, they deploy a web shell, which allows them to collect system information, launch malware, and run various credential-harvesting utilities. The group also uses PlugX as their backdoor malware, a well-known backdoor used by multiple Chinese threat actors. They utilize DLL sideloading technique, exploiting vulnerable legitimate binaries to initiate the PlugX loader.
In its attack chain, the group also uses a user cloning utility tool to maintain a low profile, maintain persistence within infected networks, as well as to clone an administrator’s permissions to a guest account within compromised systems.
They also breach additional Windows IIS servers in the target’s network, either through the deployment of additional web shells or by exploiting remote desktop logins using stolen credentials.
Commercial Sale of Hacking Services
DragonRank operates a commercial website, offering white hat and black hat SEO services, including cross-site ranking, single-site ranking, parasite ranking, extrapolation ranking, and search result dominance. They claim to support large amounts of industry-wide advertising, covering over 200 countries and regions worldwide.
The group also shares their contact information on Telegram and the QQ instant message application, allowing users to contact them and conduct underground business trades.
The DragonRank hacking cluster may present a significant threat to global search engine optimization due to its wide-scale compromise of numerous IIS servers across various industries. Further, DragonRank tends to disrupt search rankings of affected companies, negatively impacting their online presence. It is essential for companies to stay aware of this threat and take necessary measures to secure their web application services and protect against these types of attacks.
