DragonRank: Chinese-Speaking SEO Optimization Service

Cisco Talos identifies DragonRank, a threat actor cluster that targets web application services across Asia and parts of Europe, using PlugX and BadIIS to manipulate search engine rankings and deploying web shells for data collection and malware execution. The group appears to be run by Simplified Chinese-speaking actors and has compromised over 35 IIS servers across multiple industries, which it uses to promote its black hat SEO services.

Keypoints

  • DragonRank focuses on web application services in Asia and Europe.
  • It uses PlugX and BadIIS malware to manipulate SEO rankings and deploy web shells.
  • Vulnerabilities in phpMyAdmin, WordPress, and similar web apps are exploited to gain access.
  • More than 35 IIS servers across various countries have been compromised.
  • The group markets both white hat and black hat SEO services as a business model.
  • Web shells are used to collect system information and launch credential-harvesting utilities.
  • Lateral movement and privilege escalation are employed within compromised networks.
  • The actor has ties to Simplified Chinese-speaking groups.

MITRE Techniques

  • [T1078] Valid Accounts – Logs in over remote desktop using acquired credentials.
  • [T1505.003] Server Software Component: Web Shell – Deploys web shells on compromised servers.
  • [T1547] Boot or Logon Autostart Execution – Uses registry run keys for persistence.
  • [T1068] Exploitation for Privilege Escalation – Clones administrator permissions to a guest account.
  • [T1003] OS Credential Dumping – Uses tools such as Mimikatz for credential harvesting.
  • [T1071] Application Layer Protocol – Uses HTTP/HTTPS for C2 communications.
  • [T1041] Exfiltration Over C2 Channel – Collects data and sends it back to C2 servers.

Indicators of Compromise

  • [Domain] tttseo.com, admin1.tttseo.com – C2/download sites and hosted tools used by DragonRank for SEO manipulation and payload distribution
  • [URL] http://35.247.175.184:443/1.aspx, http://admin1.tttseo.com/ht.zip – C2/downloads and payload delivery indicators
  • [Hash] 046a03725df3104d02fa33c22e919cc73bed6fd6a905098e98c07f0f1b67fadb, 785d92dc175cb6b7889f07aa2a65d6c99e59dc1bbc9edb8f5827668fd249fa2e – PlugX/loader payloads referenced in pivoting and VirusTotal data
  • [File] IISMODEx86.dll, IISMODEx64.dll – BadIIS-related modules observed on compromised IIS servers
  • [URL] http://ddos.tttseo.com/ddos/ddos.zip, http://a.googie.pw/xx1.php?host=www[REDACTED].com – BadIIS/SEO deception artifacts and redirection patterns
  • [Domain] mail.tttseo.com – C2 address configured in PlugX configuration
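The indicators above are only useful once they are swept against a host. The script below is an added example, not Talos tooling and not part of the original report: it loads the page's IOC list and checks three places a BadIIS or PlugX foothold leaves traces. The `<globalModules>` snippet, the module name `IISMODE`, the proxy log lines and the file hashes are all constructed for illustration; on a real server you would feed it `%windir%\System32\inetsrv\config\applicationHost.config`, your egress proxy or DNS logs, and SHA-256 values computed over files under `inetsrv` and the web roots.

```python
"""Sweep IIS-host artifacts for the DragonRank indicators listed on this page.

Added example, not Talos code. Sample config, log lines and hashes below are
constructed; replace them with data from the host under investigation.
"""
import re

# Indicators copied from the page's IOC list.
IOC_DOMAINS = {"tttseo.com", "admin1.tttseo.com", "mail.tttseo.com",
               "ddos.tttseo.com", "a.googie.pw"}
IOC_IPS = {"35.247.175.184"}
IOC_MODULES = {"iismodex86.dll", "iismodex64.dll"}          # BadIIS modules
IOC_HASHES = {
    "046a03725df3104d02fa33c22e919cc73bed6fd6a905098e98c07f0f1b67fadb",
    "785d92dc175cb6b7889f07aa2a65d6c99e59dc1bbc9edb8f5827668fd249fa2e",
}

MODULE_RE = re.compile(r'<add\s+name="([^"]+)"\s+image="([^"]+)"')
HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.IGNORECASE)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def ioc_domain_match(host):
    """True if host is an IOC domain or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def suspicious_native_modules(applicationhost_xml):
    """Return <globalModules> entries whose image file is a known BadIIS DLL.

    The registered module name is attacker-chosen, so only the file name at the
    end of the image path is compared.
    """
    hits = []
    for name, image in MODULE_RE.findall(applicationhost_xml):
        filename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if filename in IOC_MODULES:
            hits.append({"name": name, "image": image})
    return hits


def scan_lines(lines):
    """Flag (line_number, indicator) for any URL host or bare IP in the IOC list.

    Meant for egress proxy or DNS logs: the C2 and download traffic is
    outbound from the IIS server, so it does not appear in IIS's own logs.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if ioc_domain_match(host):
                hits.append((n, host))
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip))
    return hits


def match_hashes(sha256_by_path):
    """Return {path: sha256} for files whose hash is in the IOC list."""
    return {p: h for p, h in sha256_by_path.items() if h.lower() in IOC_HASHES}


# Constructed applicationHost.config fragment (module name "IISMODE" is invented).
SAMPLE_CONFIG = r"""
<globalModules>
  <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
  <add name="IISMODE" image="C:\Windows\System32\inetsrv\IISMODEx64.dll" />
</globalModules>
"""

# Constructed egress proxy log lines.
SAMPLE_LOG = [
    "2024-09-10 03:12:44 10.0.0.5 GET http://admin1.tttseo.com/ht.zip 200",
    "2024-09-10 03:12:45 10.0.0.5 GET http://35.247.175.184:443/1.aspx 200",
    "2024-09-10 03:13:01 10.0.0.5 GET http://www.example.com/index.html 200",
]

# Constructed hash inventory; the second value is SHA-256 of an empty file.
SAMPLE_HASHES = {
    r"C:\inetpub\wwwroot\up.dll":
        "046a03725df3104d02fa33c22e919cc73bed6fd6a905098e98c07f0f1b67fadb",
    r"C:\inetpub\wwwroot\empty.txt":
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def sweep(config_xml, log_lines, sha256_by_path):
    """Combine the three checks into one findings dict."""
    return {
        "modules": suspicious_native_modules(config_xml),
        "network": scan_lines(log_lines),
        "files": match_hashes(sha256_by_path),
    }


if __name__ == "__main__":
    for kind, hits in sweep(SAMPLE_CONFIG, SAMPLE_LOG, SAMPLE_HASHES).items():
        print(kind, hits)
```

A hit on any of the three checks is a lead, not a verdict: confirm a flagged module by hashing the DLL and checking its signer, and treat a matching domain in egress logs as grounds to pull the host's run keys and local accounts, since the report pairs BadIIS with registry-based persistence and a guest account cloned to administrator.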

Read more: https://blog.talosintelligence.com/dragon-rank-seo-poisoning/