A new cyber threat dubbed “DragonRank” is actively targeting countries across Asia and Europe. Discovered by Cisco Talos, the sophisticated campaign leverages malicious tools like PlugX and BadIIS to exploit web application services and manipulate SEO rankings.
DragonRank primarily focuses on compromising Windows Internet Information Services (IIS) servers, with confirmed attacks in countries including Thailand, India, Korea, Belgium, the Netherlands, and China.
The tool uses search engine optimization (SEO) manipulation to disrupt online visibility and rankings. Its authors exploit vulnerabilities in web applications to deploy web shells, which allow them to gain unauthorized access to compromised servers.
From there, they launch malware, including PlugX and BadIIS, to steal credentials and embed themselves deeper within systems. PlugX is particularly insidious, using Windows Structured Exception Handling (SEH) mechanisms to obfuscate itself from security tools.
Cisco Talos has identified over 35 compromised IIS servers across a range of industries, from media and healthcare to IT services and manufacturing. The BadIIS malware on these servers allows attackers to alter search engine algorithms, driving unsuspecting users to scam websites. These sites frequently feature fraudulent content related to pornography and other malicious activities.
A Commercial Enterprise
Talos investigators also uncovered the commercial arm of DragonRank’s operation. The hacking group offers SEO services—both legitimate and black-hat—from its website. They promote unethical practices such as cross-site ranking and parasite ranking to boost a client’s online visibility through unethical means. Their business model features targeted promotions for specific regions and languages, expanding the group’s global reach.
Evidence has linked DragonRank’s activities to a Simplified Chinese-speaking actor. Talos’s analysis also revealed that DragonRank uses communication platforms like Telegram and QQ to carry out its business and interact with customers, cementing its role as a profit-driven cybercrime entity.
Expanding Attack Capabilities
Beyond SEO manipulation, DragonRank has been engaging in lateral movement and privilege escalation within compromised networks. It infiltrates servers using Remote Desktop Protocol (RDP) and web shells to ensure long-term persistence and deeper access to targeted systems.
Cisco Talos has assessed that DragonRank is relatively new to the black-hat SEO industry but has adapted quickly. The sophisticated malware it uses (PlugX, in particular) has been used by many Chinese cyber threat actors before. However, the group’s use of SEH to evade detection is a new twist.
The Road Ahead
While the full extent of DragonRank’s operations is yet to be determined, Talos says it is monitoring its activities. The group’s ability to compromise a wide range of industries and nations means its reach could expand further.
Cisco Talos urges organizations, particularly those running Windows IIS servers, to strengthen their security measures and remain vigilant against these types of attacks.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.