Researchers identified a "DragonRank" campaign targeting countries in Asia and Europe. The group exploits web application services to deploy web shells and malware such as PlugX and BadIIS, primarily to manipulate search engine rankings. The campaign has affected more than 35 IIS servers across various industries. DragonRank's commercial activities suggest it is operated by a Simplified Chinese-speaking actor that engages in both SEO manipulation and black hat SEO practices.
DragonRank compromises Windows IIS servers by exploiting vulnerabilities in web application services such as phpMyAdmin and WordPress. The attackers deploy a web shell, such as the open-source ASPXSpy, to gain initial control over the server. From this foothold, they launch malware including PlugX and BadIIS. The PlugX sample is loaded through DLL sideloading and abuses the Windows Structured Exception Handling (SEH) mechanism to load itself stealthily. It searches for its payload in specific registry locations, decrypts it with a single-byte XOR using the key 0xD1, and injects it into memory to avoid detection.
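Because the payload is stored in the registry under a single-byte XOR rather than as a recognizable PE image, a responder who pulls the blob out of a memory or registry dump sees no "MZ" header. The following helper, an added example that is not part of the original report or of any DragonRank tooling, decodes such a blob and checks for the two PE signatures an in-memory loader depends on. It goes slightly beyond the page by also brute-forcing all 256 single-byte keys, which is useful when a related sample uses a key other than 0xD1. The header bytes it operates on are constructed here and are not a real executable.

```python
"""Decode and triage a single-byte-XOR-obscured PE blob (constructed example)."""
import struct
from typing import Optional

XOR_KEY = 0xD1  # key reported for the DragonRank PlugX payload


def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Apply a single-byte XOR to every byte. XOR is its own inverse,
    so the same call encodes and decodes."""
    return bytes(b ^ key for b in blob)


def looks_like_pe(blob: bytes) -> bool:
    """Check the two signatures an in-memory PE loader relies on:
    'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew (0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_xor_key_for_pe(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys and return the one that yields a PE header,
    or None if no key does. Covers samples that use a key other than 0xD1."""
    for key in range(256):
        if looks_like_pe(xor_decode(blob, key)):
            return key
    return None


def build_fake_pe_header() -> bytes:
    """Constructed stand-in for a PE image: a DOS header with e_lfanew = 0x40
    followed by the PE signature and padding. Not a real executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\x00" * 16


def main() -> None:
    raw = build_fake_pe_header()
    stored = xor_decode(raw, XOR_KEY)  # what a registry-stored blob looks like
    print("encoded blob looks like PE:", looks_like_pe(stored))              # False
    print("decoded blob looks like PE:", looks_like_pe(xor_decode(stored)))  # True
    print("recovered key:", hex(find_xor_key_for_pe(stored)))                # 0xd1


if __name__ == "__main__":
    main()
```

The MZ/PE check is deliberately strict (both signatures must line up through e_lfanew) so that random registry data does not produce false positives during the brute-force pass.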
BadIIS alters the HTTP responses that compromised IIS servers return to search engine crawlers. It is used for SEO fraud, redirecting traffic to scam websites while leveraging the credibility of the breached server. DragonRank employs various tools and utilities for credential harvesting, lateral movement, and privilege escalation, including Mimikatz, PrintNotifyPotato, and others. They also use a web shell or RDP to maintain persistence on additional breached IIS servers within the target network.
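Because BadIIS serves different responses to crawlers than to ordinary visitors, one cheap server-side check is to compare status codes per URL across crawler and non-crawler user agents in the IIS W3C logs. The script below is an added example, not code from the original report; the log lines, IP addresses and user-agent strings are constructed, and the crawler pattern and field names are assumptions about a default W3C logging configuration. It flags any URL where crawlers and browsers received different status codes.

```python
"""Flag URLs whose IIS responses differ for search-engine crawlers (constructed example)."""
import re
from collections import defaultdict

# User agents treated as search-engine crawlers (assumption: extend per environment).
CRAWLER_PATTERN = re.compile(r"googlebot|bingbot|baiduspider|yandexbot", re.I)

# Constructed W3C-format log excerpt; IIS replaces spaces in field values with '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2024-01-10 08:00:01 GET /products.aspx 203.0.113.10 Mozilla/5.0+(compatible;+Googlebot/2.1) 302
2024-01-10 08:00:05 GET /products.aspx 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120.0 200
2024-01-10 08:01:12 GET /about.aspx 203.0.113.11 Mozilla/5.0+(compatible;+bingbot/2.0) 200
2024-01-10 08:01:30 GET /about.aspx 198.51.100.8 Mozilla/5.0+(Windows+NT+10.0)+Firefox/121.0 200
2024-01-10 08:02:00 GET /login.aspx 198.51.100.9 Mozilla/5.0+(Macintosh)+Safari/605.1 200
"""


def parse_iis_log(text: str) -> list:
    """Parse W3C log text into dicts keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field list can change mid-file; keep the latest
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def find_crawler_divergence(records: list) -> dict:
    """Return {uri: (crawler_status_set, other_status_set)} for every URI where
    crawler and non-crawler requests received different status codes."""
    by_uri = defaultdict(lambda: {"crawler": set(), "other": set()})
    for r in records:
        bucket = "crawler" if CRAWLER_PATTERN.search(r["cs(User-Agent)"]) else "other"
        by_uri[r["cs-uri-stem"]][bucket].add(int(r["sc-status"]))
    return {
        uri: (s["crawler"], s["other"])
        for uri, s in by_uri.items()
        if s["crawler"] and s["other"] and s["crawler"] != s["other"]
    }


def main() -> None:
    for uri, (crawler, other) in find_crawler_divergence(parse_iis_log(SAMPLE_LOG)).items():
        print(f"{uri}: crawlers got {sorted(crawler)}, browsers got {sorted(other)}")


if __name__ == "__main__":
    main()
```

A status-code mismatch is a lead, not proof: BadIIS can also rewrite the response body while keeping a 200, which logs alone will not show, so a hit should be confirmed by fetching the URL with both a crawler and a browser user agent and diffing the bodies, and by auditing the native modules registered in the IIS configuration.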