New Cyber Threat “DragonRank” Exploits Vulnerable Servers to Deploy Malware and Steal Credentials

Mary

Hackers have launched a new cyber campaign, known as “DragonRank,” exploiting vulnerabilities in web servers to hijack websites for malicious purposes, including credential theft and malware deployment.

According to a report by Cisco Talos, the attack begins with exploiting vulnerabilities in web applications such as phpMyAdmin and WordPress. The attackers then drop a web shell, which gives them remote command execution on the compromised server and serves as the foothold for everything that follows.

With the access the web shell provides, the attackers gather system information and install additional malware such as PlugX (a remote-access trojan) and BadIIS (a malicious IIS module). They also run post-exploitation tools: Mimikatz to dump credentials from memory and GodPotato to escalate to higher privileges on the host. Mimikatz and GodPotato are not infostealers in the malware sense; they are attacker tooling run on the box. The compromised servers are then used for SEO poisoning: the attackers manipulate how the sites appear to search engines so that search rankings, and the traffic that follows them, go where the attackers want.
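One practical way to spot this kind of SEO manipulation from the outside is a cloaking check: request the same URL as a normal browser and as a search-engine crawler and compare what comes back. The script below is an added example, not code from the Cisco Talos report or from the DragonRank tooling. It assumes (as an assumption; the article does not describe BadIIS internals) that the malicious module keys its behaviour on the User-Agent header, serving spam text and attacker-chosen links to crawlers while ordinary visitors get the real site. The sample pages, the `simulated_*_fetch` stand-ins and all domains are constructed so the check runs offline; `http_fetch` is the real fetcher to pass in against a live host you are authorised to test.

```python
"""Cloaking check for a site suspected of hosting an SEO-fraud web server module.

Added example, not code from the Talos report. Assumption: the module decides
what to serve from the User-Agent header. Sample pages below are constructed.
"""
import difflib
import re
import urllib.request

BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")
CRAWLER_UAS = {
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "bingbot": "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
}


def http_fetch(url, user_agent, timeout=10):
    """Real fetcher: GET the URL with the given User-Agent and return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def visible_text(html):
    """Strip script/style blocks and tags, then normalise whitespace and case."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", " ", html)
    text = re.sub(r"(?s)<[^>]+>", " ", html)
    return re.sub(r"\s+", " ", text).strip().lower()


def outbound_links(html):
    """Absolute http(s) hrefs found in the page."""
    return set(re.findall(r'href=["\'](https?://[^"\']+)', html, flags=re.I))


def cloaking_report(url, fetch=http_fetch, threshold=0.7):
    """Compare the browser's view of `url` with each crawler's view.

    A crawler response is flagged as cloaked when its visible text is less
    similar than `threshold` to the browser's view, or when it carries outbound
    links the browser never sees (the usual SEO-fraud payload).
    """
    base_html = fetch(url, BROWSER_UA)
    base_text = visible_text(base_html)
    base_links = outbound_links(base_html)
    report = {}
    for name, ua in CRAWLER_UAS.items():
        html = fetch(url, ua)
        similarity = difflib.SequenceMatcher(None, base_text, visible_text(html)).ratio()
        new_links = sorted(outbound_links(html) - base_links)
        report[name] = {
            "similarity": round(similarity, 3),
            "new_links": new_links,
            "cloaked": similarity < threshold or bool(new_links),
        }
    return report


# Constructed sample pages standing in for live HTTP so the check runs offline.
CLEAN_PAGE = """<html><head><title>Acme Jewelry</title><style>h1{color:red}</style></head>
<body><h1>Acme Jewelry</h1><p>Handmade rings and necklaces since 1998.</p>
<a href="https://www.example.com/catalog">Catalog</a></body></html>"""

CLOAKED_PAGE = """<html><head><title>Best online casino bonus</title></head>
<body><h1>Online casino bonus codes</h1><p>Play slots, win big, free spins every day.</p>
<a href="https://casino-promo.example.net/">Claim bonus</a>
<a href="https://betting-site.example.org/">Bet now</a></body></html>"""


def simulated_cloaking_fetch(url, user_agent):
    """Stand-in (constructed) for a server whose module cloaks on crawler User-Agents."""
    if re.search(r"googlebot|bingbot", user_agent, re.I):
        return CLOAKED_PAGE
    return CLEAN_PAGE


def simulated_clean_fetch(url, user_agent):
    """Stand-in (constructed) for an uncompromised server: same page for every UA."""
    return CLEAN_PAGE


def demo():
    """Run the check against both simulated servers; returns (infected, clean) reports."""
    infected = cloaking_report("https://www.example.com/", fetch=simulated_cloaking_fetch)
    clean = cloaking_report("https://www.example.com/", fetch=simulated_clean_fetch)
    return infected, clean


if __name__ == "__main__":
    for label, rep in zip(("infected", "clean"), demo()):
        for crawler, result in rep.items():
            print(f"{label:8s} {crawler:9s} cloaked={result['cloaked']} "
                  f"similarity={result['similarity']} new_links={result['new_links']}")
```

Two caveats when running this against a real host: some legitimate sites serve crawlers a lighter, pre-rendered page, so a low similarity score alone is a lead rather than proof, whereas extra outbound links to unrelated domains that only crawlers receive are a much stronger signal; and a module that also checks the source IP against known crawler ranges will not be fooled by a spoofed User-Agent, so a clean result from your own network does not rule out cloaking.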

The DragonRank threat primarily targets organizations across Asia, but has also impacted entities in Europe. Victims have been identified in Thailand, India, South Korea, Belgium, the Netherlands, and China. The range of affected sectors is broad, including jewelry, media, research, healthcare, video production, manufacturing, transportation, religious organizations, IT services, international affairs, agriculture, sports, and even niche markets like feng shui.

The research indicates that DragonRank does not focus on specific industries but aims to compromise as many organizations as possible. To date, over 35 IIS servers have been compromised and had BadIIS malware deployed on them. BadIIS, discovered in 2020, is a malicious native IIS module: it loads into the web server process like any legitimate module DLL, which lets it sit in the request pipeline and control what the server returns while presenting little on disk beyond one more registered module. That placement is what makes it both an effective SEO-fraud tool and a durable way to keep unauthorized access to the server.
