
Chinese-Speaking Hackers Manipulate SEO Rankings Globally

Threat Actor Advertises SEO Services in Chinese and English

A Chinese search engine optimization operation hacked more than 35 web servers and stole credentials in a campaign to boost the online rankings of malicious porn sites.


Researchers from Cisco Talos dubbed the threat cluster DragonRank and said that it advertises search engine optimization services - legal and illegal - in Chinese and English. Its Black SEO offerings include compromising web servers, injecting hidden links or keywords into legitimate websites and creating backlinks to malicious sites. An online domain associated with the operation, tttseo.com, doesn't resolve to a website.

The backlinks artificially boost the search engine performance of the malicious sites, increasing the chances of unsuspecting users visiting them and being tricked into providing sensitive information or downloading malware. Web servers hacked during this campaign span the globe and include victims in Thailand, India, Korea, Belgium, the Netherlands and China.

DragonRank's primary goal is to penetrate web servers and drop BadIIS malware - the IIS stands for Internet Information Services, Microsoft's extensible web server - in order to execute SEO manipulation. It hides communications to a command-and-control server by mimicking the Google search engine crawler in its User-Agent string.
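Two defender-side checks for the crawler impersonation described above, written as an added example (not Talos's code or anything from its report). The egress-log format, hostnames and IP addresses are constructed for illustration; the inbound check follows Google's published reverse-then-forward DNS verification for Googlebot.

```python
import re
import socket
from typing import Callable

# Constructed sample egress-proxy log (made-up hosts, RFC 5737 test IPs, not
# real DragonRank infrastructure). Format: <timestamp> <src_host> <dst_ip> "<user-agent>"
SAMPLE_EGRESS_LOG = """\
2024-09-11T10:01:02Z web01 192.0.2.10 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
2024-09-11T10:01:05Z web01 198.51.100.7 "python-requests/2.31"
2024-09-11T10:02:00Z web02 203.0.113.5 "Googlebot-Image/1.0"
2024-09-11T10:03:00Z web02 198.51.100.9 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
GOOGLEBOT_UA = re.compile(r"googlebot", re.IGNORECASE)
GOOGLE_RDNS_SUFFIXES = (".googlebot.com", ".google.com")


def find_outbound_crawler_impersonation(log_text: str) -> list[dict]:
    """Flag egress records in which an internal web server *originates* a
    request with a Googlebot User-Agent. Google's crawler only ever arrives
    at a site, so outbound Googlebot traffic from a server is a strong
    indicator of the C2 masquerade the article attributes to BadIIS."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip malformed lines rather than abort the sweep
        ts, src, dst, ua = m.groups()
        if GOOGLEBOT_UA.search(ua):
            hits.append({"time": ts, "source": src, "dest": dst, "user_agent": ua})
    return hits


def is_verified_googlebot(ip: str,
                          reverse_lookup: Callable[[str], str] = lambda a: socket.gethostbyaddr(a)[0],
                          forward_lookup: Callable[[str], str] = socket.gethostbyname) -> bool:
    """Inbound counterpart: the reverse DNS name of the client IP must end in
    googlebot.com or google.com, and forward-resolving that name must return
    the same IP. Resolvers are injectable so the check runs offline."""
    try:
        host = reverse_lookup(ip)
        if not host.endswith(GOOGLE_RDNS_SUFFIXES):
            return False
        return forward_lookup(host) == ip
    except OSError:
        return False  # no PTR record or lookup failure: treat as unverified
```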

Getting into servers begins with DragonRank hackers looking for vulnerabilities in web application services, such as phpMyAdmin and WordPress. They deploy a web shell and proceed to collect system information and download additional malware, using utilities such as Mimikatz, BadPotato and GodPotato. Hackers deploy credential harvesting tools to move laterally into networks. DragonRank's malware arsenal includes PlugX, which uses DLL sideloading techniques and the Windows Structured Exception Handling mechanism to avoid detection. PlugX's persistence within infected systems allows the group to maintain control without raising suspicion.

Cisco Talos linked DragonRank's activities to Simplified Chinese-using threat actors who have found customers by advertising on legitimate websites. The threat actor also offers services for bulk posting on social media platforms, researchers said.


About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
