Security researchers at ESET have identified a new hacking group known as GhostRedirector, which is employing advanced tactics to target Windows servers. This group aims to manipulate search engine rankings through a service dubbed SEO fraud.
GhostRedirector uses custom tools, specifically a malware called Rungan, which installs a backdoor on compromised machines and gives the hackers persistent access for continued exploitation; if one of their tools is detected and removed, they can use the backdoor to deploy additional malware and regain control. Another tool in their arsenal, Gamshen, is a malicious Internet Information Services (IIS) module that alters the server’s responses to search engine crawlers, specifically Googlebot, while leaving responses to ordinary visitors unchanged.
In addition to their proprietary software, this group exploits publicly known vulnerabilities, using exploits such as EfsPotato and BadPotato, to create administrative-level user accounts on the server. With these accounts, they can deploy their malicious tooling to pursue their SEO fraud objectives.
Once they establish control, the compromised server routes Googlebot’s requests to a command-and-control server operated by the hackers. This server then responds with misinformation, redirecting the crawler to a third-party site rather than providing legitimate results from the affected server.
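Because Gamshen is a native IIS module, it has to be registered in the `<globalModules>` section of the server's `applicationHost.config` (normally `%windir%\System32\inetsrv\config\applicationHost.config`), alongside the modules Microsoft ships. A quick defender-side triage step is therefore to list every registered native module and flag any whose DLL does not live in the standard IIS or .NET directories. The script below is an added example and is not code from ESET or from the report; the sample configuration, the "IIS Cache Module" entry and its path are constructed for illustration, and the list of trusted directories is an assumption you should adjust for servers with legitimate third-party modules.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of the <globalModules> section of an IIS applicationHost.config.
# The entries, names and paths are illustrative only; they are not indicators from the report.
SAMPLE_APPLICATION_HOST_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticCompressionModule" image="%windir%\System32\inetsrv\compstat.dll" />
      <add name="RewriteModule" image="%windir%\System32\inetsrv\rewrite.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="IIS Cache Module" image="C:\Windows\Temp\cache\iiscache.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Assumption: directories from which Microsoft ships native IIS modules. A DLL loaded
# from anywhere else is not automatically malicious, but it runs inside every IIS
# worker process and deserves a closer look (publisher signature, hash, install date).
TRUSTED_MODULE_DIRS = (
    r"%windir%\system32\inetsrv",
    r"%windir%\microsoft.net",
    r"%systemroot%\system32\inetsrv",
    r"%systemroot%\microsoft.net",
    r"c:\windows\system32\inetsrv",
    r"c:\windows\microsoft.net",
)


def _normalize(image: str) -> str:
    # Lower-case and unify separators so the prefix comparison does not depend on
    # how the path was typed; Windows paths are case-insensitive anyway.
    return image.strip().lower().replace("/", "\\")


def find_unexpected_global_modules(config_xml: str) -> list[dict]:
    """Return the native modules whose DLL lives outside the trusted IIS directories."""
    root = ET.fromstring(config_xml)
    findings = []
    # iter() walks the whole tree, so this works whether we were given the full
    # file or only a <system.webServer> fragment.
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            name = entry.get("name", "")
            image = entry.get("image", "")
            path = _normalize(image)
            trusted = any(path.startswith(prefix + "\\") for prefix in TRUSTED_MODULE_DIRS)
            if not trusted:
                findings.append({"name": name, "image": image})
    return findings


if __name__ == "__main__":
    # Pass the path of the live applicationHost.config to check a real server
    # (reading it needs administrative rights); with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_APPLICATION_HOST_CONFIG
    for hit in find_unexpected_global_modules(source):
        print(f"review: {hit['name']} -> {hit['image']}")
```

On the sample this reports only the constructed "IIS Cache Module" entry, whose DLL sits under a temp directory. Treat each hit as a lead, not a verdict: confirm it against the server's change history and the DLL's signature, and pair the check with a behavioural test, fetching the same URL once with a normal browser User-Agent and once with a Googlebot User-Agent and comparing the responses, since the cloaking described above only shows up in the crawler's view.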
Currently, users visiting websites impacted by GhostRedirector should not face direct harm, as the group has not yet sought to inject malicious software onto these users’ machines.
ESET researchers are proactively reaching out to potentially affected Windows server owners, encouraging them to update their systems and purge the infections to mitigate any future risks.
For more details regarding this hacking group’s activities and the tools they’ve employed, please refer to the relevant ESET Research article.