Windows Servers Hijacked to Boost Google Rankings for Dodgy Gambling Sites
A recent investigation by security researchers at ESET has revealed a sinister plot involving dozens of hijacked Windows servers being used to artificially boost the search engine rankings of shady gambling websites.
The operation, dubbed GhostRedirector, started targeting Windows servers in December 2024 and ultimately compromised at least 65 of them. Once inside, the attackers deployed a variety of tools, including two previously unknown pieces of malware: Rungan and Gamshen.
Meet Rungan and Gamshen
Rungan is a classic backdoor, designed to provide unauthorized access to infected servers. However, it's Gamshen that's the real game-changer – a malicious Internet Information Services (IIS) trojan that runs directly inside the Windows web server process and selectively modifies the HTTP responses it serves.
Gamshen is a malicious native IIS module that injects SEO content designed to artificially boost the operators' gambling sites in Google search rankings. Because ordinary visitors receive unmodified pages, the trojan is particularly stealthy: victim sites typically notice the intrusion only after their own search rankings plummet or Google flags the site for suspicious behavior.
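Because Gamshen registers as a native IIS module, the server's own module inventory is the most direct place for an administrator to look. The script below is an added example written for this article, not ESET's tooling or anything from the GhostRedirector campaign. It parses the standard applicationHost.config, lists every native module IIS loads into its worker process, checks each DLL's Authenticode signature, and flags modules that are not Microsoft-signed files living in the stock inetsrv directory. The default config path is the IIS standard location; the "stock module" heuristic is this script's assumption, not a definition from IIS.

```powershell
# Added example (not ESET's or the article's code): inventory the native IIS
# modules registered on this server and flag any whose DLL is not a
# Microsoft-signed file under the stock inetsrv directory.
# Run in an elevated PowerShell on the IIS host.

param(
    # Standard location of the IIS server-level configuration file.
    [string]$ConfigPath = (Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config')
)

if (-not (Test-Path $ConfigPath)) {
    throw "IIS config not found at $ConfigPath (is IIS installed on this host?)"
}

[xml]$config = Get-Content -Path $ConfigPath -Raw

# <globalModules> lists every native (unmanaged) module IIS loads into w3wp.exe.
$globalModules = $config.configuration.'system.webServer'.globalModules.add

$report = foreach ($m in $globalModules) {
    # image attributes normally use %windir%; expand so the file can be inspected.
    $dll    = [Environment]::ExpandEnvironmentVariables($m.image)
    $exists = Test-Path -Path $dll

    $signer = $null; $status = 'FileMissing'; $hash = $null
    if ($exists) {
        $sig    = Get-AuthenticodeSignature -FilePath $dll
        $status = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $hash   = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
    }

    # Heuristic (this script's assumption): a stock IIS module lives under
    # inetsrv and carries a valid Microsoft signature. Anything else gets a look.
    $inInetsrv  = $dll -like "$env:windir\System32\inetsrv\*"
    $msSigned   = ($status -eq 'Valid') -and ($signer -like '*Microsoft*')
    $suspicious = -not ($inInetsrv -and $msSigned)

    [pscustomobject]@{
        Module     = $m.name
        Image      = $dll
        Exists     = $exists
        SigStatus  = $status
        Signer     = $signer
        SHA256     = $hash
        Suspicious = $suspicious
    }
}

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# A native module only runs where a <modules><add name="..."/> entry enables it,
# so note whether each flagged module is actually switched on anywhere in this file.
# (Per-site web.config files can also enable modules and are not parsed here.)
$enabled = $config.SelectNodes('//modules/add') | ForEach-Object { $_.GetAttribute('name') }
$report | Where-Object Suspicious | ForEach-Object {
    $active = $enabled -contains $_.Module
    Write-Warning ("Non-standard native module '{0}' ({1}); enabled in a module list: {2}" -f $_.Module, $_.Image, $active)
}
```

Treat the output as triage, not verdict: some stock Windows DLLs are catalog-signed and may report a status other than Valid on older systems, and third-party modules (URL rewriters, WAF agents) will legitimately be flagged. Compare the flagged entries, and the SHA256 values, against a known-good inventory of the server before deciding anything.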
The Targets
The majority of infected servers were located in Latin America and South Asia – Brazil, Peru, Thailand, and Vietnam. Compromised servers were also discovered in the United States, although ESET believes the threat actors were primarily targeting South American and South Asian servers.
Interestingly, the hackers didn't seem to be targeting any particular industry, as attacks were seen in education, healthcare, insurance, transportation, technology, and retail verticals. This suggests that the goal was not to compromise specific sectors but rather to exploit vulnerabilities across a wide range of industries.
The Attack Vector
Initial access was probably achieved by exploiting an SQL injection bug, according to ESET. From there, the attackers used PowerShell to download Windows privilege escalation tools and droppers, with Rungan and Gamshen dropped as the final stage of the attack.
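The chain ESET describes, a web-application foothold followed by PowerShell downloads, leaves a characteristic trace on the server: a shell or PowerShell process whose parent is the IIS worker process, w3wp.exe. The script below is an added example written for this article, not ESET's or the campaign's code; it hunts the Windows Security log for process-creation events (ID 4688) with that parent/child pairing. It assumes "Audit Process Creation" is enabled on the host (and, for the CommandLine column, command-line auditing as well), and that the host runs Windows 10 / Server 2016 or later, where 4688 carries the ParentProcessName field.

```powershell
# Added example (not ESET's or the article's code): find Security 4688 events
# in which the IIS worker process w3wp.exe launched powershell.exe, pwsh.exe or
# cmd.exe. Assumes process-creation auditing is enabled; run elevated on the
# IIS host.
param([int]$Days = 7)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    [xml]$x = $e.ToXml()
    # Map the EventData <Data Name="..."> children into a hashtable for lookup.
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $parent = $d['ParentProcessName']   # present on Windows 10 / Server 2016 and later
    $child  = $d['NewProcessName']
    if ($parent -like '*\w3wp.exe' -and $child -match '\\(powershell|pwsh|cmd)\.exe$') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Parent      = $parent
            Child       = $child
            CommandLine = $d['CommandLine']   # empty unless command-line auditing is on
            User        = $d['SubjectUserName']
        }
    }
}

if ($hits) {
    Write-Warning ("{0} shell/PowerShell launch(es) from w3wp.exe in the last {1} day(s)" -f @($hits).Count, $Days)
    $hits | Format-Table -AutoSize -Wrap
} else {
    "No PowerShell/cmd launches from w3wp.exe found in the last $Days day(s)"
}
```

A legitimate web application rarely needs to spawn a shell from the worker process, so even a single hit deserves investigation; the User column also shows which application pool identity the command ran as, which matters for scoping what the attackers could reach before escalating privileges.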
A Warning Sign
The use of a backdoor (Rungan) and an IIS trojan (Gamshen) highlights the sophistication and stealthiness of this attack. The fact that regular visitors are unaffected, while victim sites only spot the intrusion after their SEO rankings plummet, serves as a warning sign for businesses and individuals alike.
It's essential to stay vigilant and take proactive measures to protect your online presence from such threats. Regularly updating software, using strong passwords, and implementing robust security protocols can help mitigate the risk of such attacks. Given the suspected entry point, fixing SQL injection flaws in the web applications these servers host and periodically reviewing which native modules IIS is loading are the checks most directly relevant to this campaign.
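Since the injected content is invisible to ordinary visitors, a site owner needs a way to see what a search engine sees. The script below is an added example written for this article, not ESET's code: it fetches the same URL twice, once with a browser User-Agent and once presenting Googlebot's published User-Agent string, and reports lines that appear only in the crawler copy. It assumes the selective behaviour keys on the crawler's User-Agent, which the article does not state (it only says regular visitors are unaffected), so a clean result here does not rule out an implant that uses other criteria. The URL is a placeholder to be replaced with a site you operate.

```powershell
# Added example (not ESET's or the article's code): compare what a site serves
# to a browser against what it serves to a search-engine crawler User-Agent,
# and list the lines present only in the crawler copy. Run against your own
# site; $Url is a placeholder.
param(
    [string]$Url       = 'https://example.invalid/',   # placeholder; replace with your site
    [string]$BrowserUA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36',
    [string]$CrawlerUA = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
)

function Get-PageBody {
    param([string]$Uri, [string]$UserAgent)
    # -UseBasicParsing avoids the Internet Explorer DOM dependency on Windows PowerShell 5.1.
    $r = Invoke-WebRequest -Uri $Uri -UserAgent $UserAgent -UseBasicParsing -MaximumRedirection 5
    return [string]$r.Content
}

function Get-TextSha256 {
    param([string]$Text)
    $bytes = [Text.Encoding]::UTF8.GetBytes($Text)
    $hash  = [Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    return ([BitConverter]::ToString($hash)).Replace('-', '')
}

$browserBody = Get-PageBody -Uri $Url -UserAgent $BrowserUA
$crawlerBody = Get-PageBody -Uri $Url -UserAgent $CrawlerUA

"Browser copy: {0} bytes, SHA256 {1}" -f $browserBody.Length, (Get-TextSha256 $browserBody)
"Crawler copy: {0} bytes, SHA256 {1}" -f $crawlerBody.Length, (Get-TextSha256 $crawlerBody)

# Normalise into trimmed, non-empty lines and keep those only the crawler received.
$browserLines = $browserBody -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$crawlerLines = $crawlerBody -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$crawlerOnly  = Compare-Object -ReferenceObject @($browserLines) -DifferenceObject @($crawlerLines) |
    Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject

if ($crawlerOnly) {
    Write-Warning ("{0} line(s) served only to the crawler User-Agent:" -f @($crawlerOnly).Count)
    # Injected links and keyword blocks from an SEO implant would surface here.
    $crawlerOnly | Select-Object -First 40
} else {
    "No crawler-only content detected for $Url"
}
```

Expect some benign noise: pages that embed per-request nonces, CSRF tokens or timestamps will differ on every fetch regardless of User-Agent, so look at what the extra lines contain rather than at the count. For the authoritative view of what Google actually crawled, the URL Inspection tool in Google Search Console shows the rendered page as Googlebot fetched it.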
Stay ahead of the threat landscape with TechRadar Pro's expert insights, news, and guidance. Sign up for our newsletter today!