- Chinese group GhostRedirector hijacked at least 65 Windows servers to boost shady gambling sites in Google rankings
- They used two new tools: Rungan and Gamshen
- The attacks hit servers mainly in Latin America and South Asia, across multiple industries, probably via SQL injection
Dozens of Windows servers have been hijacked by a Chinese hacking group to boost the Google rankings of shady gambling websites, experts have found.
ESET security researchers have outlined the work of a group called GhostRedirector, which began targeting Windows servers in December 2024 and has compromised at least 65 of them. After breaking into a server, the attackers would deploy a variety of tools, including two new pieces of malware, called Rungan and Gamshen.
Rungan is a classic backdoor, while Gamshen is the component that delivers the search engine boost. ESET describes it as a malicious Internet Information Services (IIS) module: not malware in the traditional sense, but a module that runs directly inside the Windows web server and selectively modifies HTTP responses, and only those served to Google's web crawler, Googlebot.
South America and South Asia targeted
The objective is to inject search engine optimization (SEO) content designed to artificially boost gambling sites in Google search rankings.
What makes this trojan particularly stealthy is that regular visitors are not affected, so the victims' sites will typically only detect the intrusion after their SEO rankings collapse, or after Google flags the site for suspicious behavior.
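Because the module alters responses only when the client claims to be Googlebot, a site owner can test for this kind of cloaking by fetching the same URL with a browser User-Agent and with the Googlebot User-Agent and comparing the two bodies. The script below is an added example written for this article, not ESET's or The Register's code; the two HTML responses are constructed samples, and the `EXAMPLE-GAMBLING.invalid` domain is a placeholder.

```python
"""Cloaking check: compare a page as served to a browser vs. to Googlebot."""
import difflib
import re
import urllib.request

GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)")
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"

# Extract href values from anchor tags (good enough for a diff of links).
LINK_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\']', re.I)


def fetch(url, user_agent, timeout=10):
    """Fetch url with the given User-Agent and return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def extra_links(browser_html, bot_html):
    """Return href values that appear only in the Googlebot response."""
    seen = set(LINK_RE.findall(browser_html))
    return sorted(set(LINK_RE.findall(bot_html)) - seen)


def cloaking_report(browser_html, bot_html):
    """Summarise how the two responses differ; an empty dict means no cloaking."""
    if browser_html == bot_html:
        return {}
    added = [line for line in difflib.unified_diff(
                 browser_html.splitlines(), bot_html.splitlines(),
                 lineterm="", n=0)
             if line.startswith("+") and not line.startswith("+++")]
    return {"injected_links": extra_links(browser_html, bot_html),
            "added_lines": added}


def check_site(url):
    """Live check: fetch the page twice and report (needs network access)."""
    return cloaking_report(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))


# Constructed sample responses (not real captures) so the script runs offline.
NORMAL = "<html><body><h1>Clinic</h1><a href='/about'>About</a></body></html>"
CLOAKED = ("<html><body><h1>Clinic</h1><a href='/about'>About</a>\n"
           "<div style='display:none'><a href='https://EXAMPLE-GAMBLING.invalid/bet'>"
           "best casino</a></div></body></html>")

if __name__ == "__main__":
    print(cloaking_report(NORMAL, CLOAKED))
```

Legitimate sites sometimes vary output by User-Agent (cookie banners, adaptive layouts), so treat a non-empty report as a lead to investigate the IIS module list on the server rather than as proof of compromise.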
Most of the infected servers were located in Latin America and South Asia: Brazil, Peru, Thailand and Vietnam. Compromised servers were also discovered in the United States, but ESET believes the threat actors were mainly targeting servers in South America and southern Asia.
The hackers do not appear to be targeting any particular industry, since attacks were seen across the education, healthcare, transport, technology and retail verticals.
Initial access was probably gained by exploiting an SQL injection flaw, ESET concluded. From there, PowerShell was used to download privilege escalation tools for Windows. Finally, Rungan and Gamshen were dropped for the last stage of the attack.
Via The Register