
Servers hijacked to boost malicious sites in search rankings


Photo: Pixabay

A newly discovered cyber gang, dubbed DragonRank, is raising alarms across Asia and parts of Europe. This sophisticated operation involves deploying PlugX and BadIIS malware to manipulate search engine rankings by targeting more than 35 Windows Internet Information Services (IIS) servers to make phishing and other malicious websites gain online visibility.

DragonRank has cast a broad net, affecting industries from healthcare to agriculture and niche markets like feng shui. Researchers have discovered victims spanning Thailand, India, Korea, Belgium, and China.

Chinese-speaking threat actors typically use these tactics to exploit web application vulnerabilities and install web shells on corporate websites.

Once the SEO manipulators gain access to a target server, they deploy BadIIS, which tampers with how search engine crawlers see the site, effectively hijacking the SEO of legitimate sites. This leads to higher rankings for scam websites, often promoting adult content or fraudulent material.

DragonRank attack chain explained. | Source: Cisco Talos

“The hacking group’s primary goal is to compromise Windows Internet Information Services (IIS) servers hosting corporate websites, with the intention of implanting the BadIIS malware,” researchers explained. “BadIIS is a malware used to manipulate search engine crawlers and disrupt the SEO of the affected sites. With those compromised IIS servers, DragonRank can distribute the scam website to unsuspecting users.”

Researchers also discovered another backdoor, PlugX, as a key part of DragonRank’s operation. This malware has been known to be used by Chinese-speaking cyber threat actors.

By leveraging Windows’ Structured Exception Handling (SEH) mechanism, the group ensures that PlugX is loaded without triggering suspicion, making it a stealthy and persistent threat.

DragonRank’s black hat SEO techniques set it apart from traditional hacking groups. While many cybercriminals focus on overwhelming web servers to divert traffic, DragonRank emphasises privilege escalation and lateral movement within a network.

PlugX execution flow. | Source: Cisco Talos

The group not only manipulates search algorithms but also exploits them to drive traffic to malicious websites, tarnishing the online presence of compromised companies.

These SEO manipulation attacks can cause significant financial damage, harm brand reputations, and lead to legal consequences for companies whose websites are unknowingly used to promote fraudulent material.

“They conduct these attacks to drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings. These attacks can harm a company’s online presence, lead to financial losses, and damage its reputation by associating the brand with deceptive or harmful practices,” researchers said.

Researchers were surprised to learn that DragonRank operates more like a commercial business than a typical cybercrime group. When experts analysed its website, they found that the cyber crooks promoted both black hat and white hat SEO services, offering clients tailored promotional strategies.

Their ability to target specific languages and regions further highlighted their customised approach. This blend of criminal and business tactics demonstrates a growing trend in cybercrime, where hacking groups operate as service providers for illicit activities.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
