{"id":11048,"date":"2025-09-06T02:00:44","date_gmt":"2025-09-06T02:00:44","guid":{"rendered":"https:\/\/cheapwindowsvps.com\/blog\/beware-the-ghastly-ghostredirector-gang-how-theyre-hijacking-windows-servers-for-seo-manipulation\/"},"modified":"2025-09-06T02:00:44","modified_gmt":"2025-09-06T02:00:44","slug":"beware-the-ghastly-ghostredirector-gang-how-theyre-hijacking-windows-servers-for-seo-manipulation","status":"publish","type":"post","link":"https:\/\/cheapwindowsvps.com\/blog\/beware-the-ghastly-ghostredirector-gang-how-theyre-hijacking-windows-servers-for-seo-manipulation\/","title":{"rendered":"Beware the Ghastly GhostRedirector Gang: How They&#8217;re Hijacking Windows Servers for SEO Manipulation"},"content":{"rendered":"<p>Security researchers at ESET have identified a new hacking group known as GhostRedirector, which is employing advanced tactics to target Windows servers. This group aims to manipulate search engine rankings through a service dubbed SEO fraud.<\/p>\n<p>GhostRedirector uses custom tools, specifically a malware called Rungan, which installs a backdoor on compromised machines, providing the hackers with access for continued exploitation. If detected, they can deploy additional malware to regain control. Another tool in their arsenal, Gamshen, is a malicious Internet Information Services (IIS) module that alters the server\u2019s responses to search engine crawlers, specifically Googlebot.<\/p>\n<p>In addition to their proprietary software, this group uses publicly known privilege-escalation exploits such as EfsPotato and BadPotato, which enable them to create administrative-level user accounts. With these accounts, they can deploy their malicious tooling to pursue their SEO fraud objectives.<\/p>\n<p>Once they establish control, the compromised server routes Googlebot&#8217;s requests to a command-and-control server operated by the hackers. 
This server then responds with misinformation, redirecting the crawler to a third-party site rather than providing legitimate results from the affected server.<\/p>\n<p>Currently, users visiting websites impacted by GhostRedirector should not face direct harm, as the group has not yet sought to inject malicious software onto these users\u2019 machines.<\/p>\n<p>ESET researchers are proactively reaching out to potentially affected Windows server owners, encouraging them to update their systems and purge the infections to mitigate any future risks.<\/p>\n<p>For more details regarding this hacking group&#8217;s activities and the tools they&#8217;ve employed, please refer to the relevant <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/ghostredirector-poisons-windows-servers-backdoors-side-potatoes\/\">ESET Research article<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers at ESET have identified a new hacking group known as GhostRedirector, which is employing advanced tactics to target Windows servers. This group aims to manipulate search engine rankings through a service dubbed SEO fraud. 
GhostRedirector uses custom tools, specifically a malware called Rungan, which installs a backdoor on compromised machines, providing the hackers [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":11049,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-11048","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/11048","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/comments?post=11048"}],"version-history":[{"count":0,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/11048\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media\/11049"}],"wp:attachment":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media?parent=11048"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/categories?post=11048"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/tags?post=11048"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}