Hackers are exploiting vulnerable servers to take over websites and then use them to steal credentials, deploy malware, and more.
A report from Cisco Talos, which has been tracking the activity for some time, revealed that the group first seeks out vulnerable web application services such as phpMyAdmin, WordPress, or similar. It then exploits the vulnerabilities to deploy a web shell that grants it control over the server.
Finally, the web shell lets the group collect system information, deploy additional malware such as PlugX or BadIIS, or run tools such as Mimikatz, GodPotato, and others. To get people to visit the infected websites, the group uses SEO poisoning, pushing the sites higher up on search engine results pages.
DragonRank
The researchers have dubbed the new threat “DragonRank”. They believe the group is targeting mostly organizations in Asia, with a few victims found in Europe as well. So far, the malware has been spotted in Thailand, India, Korea, Belgium, the Netherlands, and China.
The victims come from all sorts of industries, including jewelry, media, research services, healthcare, video and television production, manufacturing, transportation, religious and spiritual organizations, IT services, international affairs, agriculture, sports, and even niche markets like feng shui.
All of this leads the researchers to conclude that DragonRank doesn’t really have a particular target and just looks to compromise as many organizations as possible.
So far, more than 35 IIS servers have been compromised and had the BadIIS malware deployed on them, the researchers concluded. BadIIS was first discovered in 2020 and acts as a backdoor that grants unauthorized access to compromised servers. One of its key features is stealth, since it uses advanced techniques to evade detection.
Based on the group's commercial website, business model, and instant messaging accounts, the researchers concluded that it is most likely of Chinese origin.