Chinese hackers target Windows servers with SEO poisoning campaign

Hackers are exploiting vulnerable servers to take over websites, then using them to steal login credentials, spread malware, and more.

A report from Cisco Talos, whose researchers have been tracking the activity for some time, revealed that the group first looked for vulnerable web application services such as phpMyAdmin or WordPress. They then exploited those vulnerabilities to deploy a web shell that gave them control over the server.

The web shell then allows them to collect system information, deploy additional malware such as PlugX or BadIIS, or run various infostealers such as Mimikatz and GodPotato. To lure people to the infected websites, the group uses SEO poisoning, which pushes the sites higher in search engine results pages.

DragonRank

The researchers call the new threat “DragonRank.” They believe the group is primarily targeting organizations in Asia, with a few victims in Europe. So far, the malware has been spotted in Thailand, India, Korea, Belgium, the Netherlands, and China.

Victims come from a variety of sectors, including jewelry, media, research services, healthcare, video and television production, manufacturing, transportation, religious and spiritual organizations, IT services, international business, agriculture, sports and even niche markets such as feng shui.

All of this leads researchers to conclude that DragonRank doesn’t really have a specific target and just wants to compromise as many organizations as possible.

So far, more than 35 IIS servers have been compromised and had the BadIIS malware deployed, the researchers found. First discovered in 2020, BadIIS acts as a backdoor that gives unauthorized access to compromised servers. One of its key features is stealth: it uses advanced techniques to evade detection.

Because the group had a commercial website, a business model, and instant messaging accounts, researchers concluded that the group was most likely of Chinese origin.
