GhostRedirector: 65+ Windows Servers Compromised to Run SEO-Fraud IIS Malware

ESET uncovered a new threat cluster dubbed GhostRedirector that compromised at least 65 Windows servers (mainly in Brazil, Thailand, and Vietnam) to install a passive C++ backdoor (“Rungan”) and a malicious IIS module (“Gamshen”). The goal wasn’t ransomware—it was SEO fraud as-a-service: the IIS module quietly altered HTTP responses only for Googlebot, creating artificial backlinks to boost third-party (likely gambling) sites. Initial access likely came from SQL injection, followed by PowerShell-delivered tools, local privilege escalation using BadPotato/EfsPotato, and creation of rogue admin users for persistence. ESET assesses medium confidence the actor is China-aligned (hard-coded Chinese strings, China code-signing cert, “huang” password).

What happened (Key Points)

  • Scope: ≥65 Windows servers compromised; victims span education, healthcare, insurance, transport, tech, retail; activity seen since Aug–Dec 2024 and measured in June 2025 scans.

Malware duo:

  • Rungan – passive C/C++ backdoor that waits for specific HTTP patterns and then executes attacker commands.

  • Gamshen – native IIS module that modifies responses for Googlebot to manipulate rankings (SEO fraud).

  • Access & Persistence: Probable SQLi → PowerShell download from 868id[.]com; BadPotato/EfsPotato for LPE; GoToHTTP for remote access; rogue admin users created for persistence.

  • Attribution: New cluster (not previously named), assessed China-aligned (Chinese strings, TrustAsia-signed tools, password “huang”).

Technical Analysis

Initial Access & Tool Delivery

  • Likely vector: SQL injection against public-facing apps, evidenced by PowerShell executions originating from sqlserver.exe/xp_cmdshell. Downloads were pulled from a staging domain, 868id[.]com (subdomains xz / xzs); certutil was sometimes used for the downloads.

Privilege Escalation & Persistence

  • LPE: BadPotato / EfsPotato variants, often .NET Reactor-obfuscated, sometimes code-signed by TrustAsia RSA Code Signing CA G3 for Shenzhen Diyuan Technology Co., Ltd. (thumbprint BE2AC4A5156DBD9FFA7A9F053F8FA4AF5885BE3C).

Backdoor: “Rungan”

  • Install path: C:\ProgramData\Microsoft\DRM\log\miniscreen.dll

  • C2 trigger: registers http://+:80/v1.0/8888/sys.html via the HTTP Server API (registered directly with HTTP.sys, so the listener does not depend on IIS).

  • Config file (optional): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1033\vbskui.dll (adds more URL patterns).

  • Core cmds: mkuser, listfolder (unfinished), addurl, cmd (uses CreateProcessA).

  • Crypto: AES-CBC for string decryption (hard-coded key/IV noted by ESET).
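Because Rungan registers its URL with HTTP.sys rather than through IIS, the registration is visible in the HTTP service state even though no IIS site exposes that path. The following audit script is an added example, not code from ESET or the original post: it parses the output shape of `netsh http show servicestate view=requestq` (the sample below is constructed and the PID is illustrative) and flags registered URLs that are not covered by an assumed per-host allowlist.

```python
import re
from typing import Dict, List

# Constructed sample shaped like `netsh http show servicestate view=requestq`
# output (not a real capture); the PID and URLs are illustrative only.
SAMPLE_NETSH_OUTPUT = """\
Request queue name: Request queue is unnamed.
    Process IDs:
        4212
    URL group ID: FE00000040000001
        Registered URLs:
            HTTP://+:80/V1.0/8888/SYS.HTML
            HTTP://+:5985/WSMAN/
"""

# Assumed allowlist: URL prefixes this host is expected to register (IIS site
# bindings plus WinRM); tune it to the bindings configured on the server.
EXPECTED_PREFIXES = ("http://*:80/", "https://*:443/",
                     "http://+:5985/wsman/", "http://+:47001/wsman/")

URL_RE = re.compile(r"^https?://\S+$", re.I)
PID_RE = re.compile(r"^\d+$")

def parse_registered_urls(text: str) -> Dict[str, List[int]]:
    """Map each registered URL (lower-cased) to the PIDs attached to its queue."""
    urls: Dict[str, List[int]] = {}
    pids: List[int] = []
    mode = None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("Request queue name:"):
            pids, mode = [], None           # a new request-queue block begins
        elif line == "Process IDs:":
            mode = "pids"
        elif line == "Registered URLs:":
            mode = "urls"
        elif mode == "pids" and PID_RE.match(line):
            pids.append(int(line))
        elif mode == "urls" and URL_RE.match(line):
            urls[line.lower()] = list(pids)
        elif line:                          # any other label ends the current list
            mode = None
    return urls

def unexpected_urls(urls: Dict[str, List[int]]) -> List[str]:
    """URLs outside the allowlist; a path-specific port-80 registration beside
    IIS's wildcard binding is exactly the pattern Rungan uses."""
    return sorted(u for u in urls if not any(u.startswith(p) for p in EXPECTED_PREFIXES))
```

Feed the real command's output to `parse_registered_urls` and check the owning PIDs of anything `unexpected_urls` returns against the process list (a non-w3wp.exe owner of a port-80 path warrants a closer look).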

IIS Malware: “Gamshen”

  • Type: Native IIS module (C/C++) in the “Group 13” family of IIS malware.

  • Behavior: Intercepts requests and alters responses only for Googlebot, creating backlinks—similar in concept to IISerpent.

Auxiliary Tools

  • GoToHTTP (legit remote-access tool) for browser-based access.

  • Zunput / SitePuts.exe: enumerates IIS sites and drops multi-language web shells (ASP, PHP, JS) with randomized names and uncommon extensions (e.g., .cer, .pjp).

  • Web shell names observed: C1.php, Cmd.aspx, Error.aspx, K32.asxp, K64.aspx, LandGrey.asp; randomized names like Xml, Ajax, Sync, Loadapi, Loadhelp, Code, Jsload, Loadcss, Loadjs, Pop3, Imap, Api with .cer/.pjp/.asp/.aspx.

Victimology & Intent

  • Countries: Heaviest in Brazil, Thailand, Vietnam; also Peru, U.S. (hosting), Canada, Finland, India, Netherlands, Philippines, Singapore.

  • Sectors: Broad and opportunistic.

  • Monetization: SEO fraud pushing gambling sites.

MITRE ATT&CK (selected)

  • Initial Access: Exploit Public-Facing App (T1190) – likely SQLi.

  • Execution: Command Shell / PowerShell (T1059).

  • Privilege Escalation: Exploitation for Privilege Escalation (T1068) via BadPotato/EfsPotato.

  • Persistence: Create Account (T1136); Server-Side Component (IIS module) (T1505).

  • Defense Evasion: Signed Binary/Code Signing (T1553.002); Obfuscated/Compressed Files (T1027).

  • Command & Control: Web Protocols / application-layer over HTTP (Rungan’s passive trigger).

  • Discovery/Lateral: Website enumeration and shell dropping (tool “Zunput”).

Indicators of Compromise (IOCs)

Network / Domains

  • Staging:

    • 868id[.]com (and subdomains xz.868id[.]com, xzs.868id[.]com)

    • cs01[.]shop (hardcoded in Comdai component)

  • Rungan passive URL pattern:

    • http://+:80/v1.0/8888/sys.html (HTTP Server API listener)

Usernames / Strings

  • Created/modified users: MysqlServiceEx, MysqlServiceEx2, Admin; in some variants the built-in Guest account's password is reset and its RID hijacked.

  • Pipe name: salamander_pipe

  • Password string observed in samples: “huang” (not to be used defensively alone).

Filenames / Paths

  • C:\ProgramData\Microsoft\DRM\log\miniscreen.dll (Rungan backdoor)

  • C:\ProgramData\Microsoft\DRM\log\ManagedEngine64.dll (Gamshen IIS module)

  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1033\vbskui.dll (Rungan config)

  • Downloaded LPE tools & helpers in C:\ProgramData\*.exe

  • Web shells dropped into IIS site physical paths; extensions may include .cer, .pjp, .asp, .aspx.

Hashes / Samples (SHA-1, per ESET)


Certificates

  • TrustAsia RSA Code Signing CA G3 – Shenzhen Diyuan Technology Co., Ltd.

    • Thumbprint: BE2AC4A5156DBD9FFA7A9F053F8FA4AF5885BE3C

Hardening (short term)

  • Disable xp_cmdshell unless absolutely required; enforce least privilege for SQL service accounts.

  • Patch/virtual-patch SQL injection vectors; place WAF rules for common SQLi patterns.

  • Block unsigned PowerShell; enable Script Block Logging (4104) and Module Logging (4103); alert on powershell or certutil pulling from 868id[.]com.

  • CI/CD and admin policy to ban non-approved IIS modules; integrity monitor %windir%\System32\inetsrv\ and IIS config.
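One concrete form of the "ban non-approved IIS modules" control is to audit the `<globalModules>` section of applicationHost.config, since a native module such as Gamshen must be registered there to load. The script below is an added example (not from ESET or the original post); the config fragment is constructed, the module name `ManagedEngine64Ex` is invented to mirror the observed DLL name, and the trusted directories and `APPROVED` allowlist are assumptions to adjust per host.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed applicationHost.config fragment (not a real config): the third
# entry borrows the legitimate ManagedEngine64 name but loads from ProgramData,
# the directory in which the Gamshen DLL was observed.
SAMPLE_APPHOST = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngine64" image="%windir%\Microsoft.NET\Framework64\v2.0.50727\webengine.dll" />
      <add name="ManagedEngine64Ex" image="C:\ProgramData\Microsoft\DRM\log\ManagedEngine64.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Only these directories may host native module images; anything else needs an
# explicit entry in APPROVED (assumed per-host allowlist, empty here).
TRUSTED_DIRS = ("c:\\windows\\system32\\inetsrv\\", "c:\\windows\\microsoft.net\\")
APPROVED: Dict[str, str] = {}

def normalize(image: str) -> str:
    """Lower-case, unify separators and expand the common %windir% placeholders."""
    p = image.strip().lower().replace("/", "\\")
    return p.replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")

def audit_global_modules(config_xml: str) -> List[Dict[str, str]]:
    """Return one finding per native module whose image path is not trusted."""
    findings: List[Dict[str, str]] = []
    for gm in ET.fromstring(config_xml).iter("globalModules"):
        for add in gm.findall("add"):
            name, image = add.get("name", ""), normalize(add.get("image", ""))
            if APPROVED.get(name, "").lower() == image:
                continue                      # explicitly approved third-party module
            if not any(image.startswith(d) for d in TRUSTED_DIRS):
                reason = "image outside trusted IIS/.NET directories"
                if image.startswith("c:\\programdata\\"):
                    reason += " (ProgramData, where Gamshen was observed)"
                findings.append({"name": name, "image": image, "reason": reason})
    return findings
```

Run it against `%windir%\System32\inetsrv\config\applicationHost.config` on a schedule and diff the result against a known-good baseline, so a newly added entry is caught even when its name looks legitimate.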

Longer-term

  • Application security: robust input validation, parameterized queries, DAST+SAST, and RASP where feasible.

  • Certificate control: treat unexpected TrustAsia-signed admin tools as malicious in your environment.

  • SEO hygiene: if you host public sites, monitor for suspicious backlink bursts or crawler-only content.
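A simple way to monitor for crawler-only content is to request the same page twice, once with a normal browser User-Agent and once with the Googlebot User-Agent, and compare the links in the two responses. The script below is an added example, not code from ESET or the original post; the two HTML bodies are constructed (the gambling hosts use the reserved `.invalid` TLD), and `fetch` assumes the module keys on the User-Agent header as described above.

```python
import urllib.request
from html.parser import HTMLParser
from typing import List, Set
from urllib.parse import urlsplit

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/128.0"

class LinkCollector(HTMLParser):
    """Collect every <a href=...> value in a document."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.links.append(value)

def extract_links(html: str) -> Set[str]:
    parser = LinkCollector()
    parser.feed(html)
    return set(parser.links)

def crawler_only_links(browser_html: str, crawler_html: str) -> List[str]:
    """Links present only in the response served to the crawler User-Agent."""
    return sorted(extract_links(crawler_html) - extract_links(browser_html))

def external_hosts(links: List[str], own_host: str) -> List[str]:
    """Hosts the cloaked links point to, ignoring the site's own host."""
    hosts = {urlsplit(link).hostname for link in links}
    return sorted(h for h in hosts if h and h != own_host)

def fetch(url: str, user_agent: str) -> str:
    """Fetch one URL with the given User-Agent (used for live checks, not in tests)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

# Constructed sample bodies: the crawler copy carries a hidden block of outbound
# links to made-up gambling hosts, which is the effect Gamshen produces.
BROWSER_BODY = ("<html><body><h1>Campus Portal</h1><a href='/login'>Login</a>"
                "<a href='https://www.example.edu/news'>News</a></body></html>")
CRAWLER_BODY = BROWSER_BODY.replace("</body>",
    "<div style='display:none'><a href='https://bet-site.invalid/'>bet</a>"
    "<a href='https://casino.invalid/promo'>casino</a></div></body>")
```

For a live check, call `crawler_only_links(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))` for each public URL and alert when `external_hosts` returns anything you do not link to on purpose.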
