Cisco Talos has discovered a new cyber threat it tracks as "DragonRank." This threat actor primarily targets countries in Asia and a select few in Europe, using malware such as PlugX and BadIIS for search engine optimization (SEO) rank manipulation.
DragonRank exploits vulnerabilities in web application services to deploy web shells, which it then uses to collect system information and launch further payloads. Its arsenal includes PlugX, which is loaded through familiar DLL sideloading and abuses the Windows Structured Exception Handling (SEH) mechanism so that the legitimate host binary runs the implant without raising suspicion. The group also deploys BadIIS across compromised IIS servers and runs various credential-harvesting utilities on them.
Our research has confirmed that more than 35 IIS servers were compromised in this campaign, with infections spread across regions including Thailand, India, Korea, the Netherlands, and China. Talos has also uncovered DragonRank's commercial website, business model, and instant-messaging accounts, leading us to assess with medium-to-high confidence that the group is a Simplified Chinese-speaking actor.
This session will examine the tactics, techniques, and procedures (TTPs) DragonRank employs, providing insight into its operations and methods. We will also discuss the implications of this threat and offer guidance on strengthening defenses against attacks of this kind.
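The abstract describes IIS servers compromised with BadIIS but does not say how a defender would find such an implant. The check below is an added example written for this page; it is not code from the session, from Cisco Talos, or from the DragonRank report. It assumes, as a working hypothesis not stated in the abstract, that an IIS-resident implant of this kind is registered as a native module in the server's global module list, and it inventories those modules and flags any whose binary is missing, unsigned, or not signed by Microsoft. The function name Get-SuspiciousIisModule and the trusted-subject list are choices made for this example.

```powershell
# Added example (not from the CYBERSEC 2025 abstract or Cisco Talos): inventory IIS
# native modules and flag any whose binary is not present and Microsoft-signed.
# Assumption: an IIS-resident implant registers itself as a native module, so
# unexpected <globalModules> entries are a useful triage list on a suspect host.
# Requires: Windows with IIS and the WebAdministration module; run as Administrator.
Import-Module WebAdministration -ErrorAction Stop

function Get-SuspiciousIisModule {
    [CmdletBinding()]
    param(
        # Certificate subject prefixes whose signed modules are treated as expected.
        # Adjust for legitimately deployed third-party modules in your environment.
        [string[]]$TrustedSubjects = @('CN=Microsoft Windows', 'CN=Microsoft Corporation')
    )

    foreach ($m in Get-WebGlobalModule) {
        # Image paths in applicationHost.config usually contain %windir% etc.
        $path = [Environment]::ExpandEnvironmentVariables($m.Image)

        $finding = [pscustomobject]@{
            Module     = $m.Name
            Image      = $path
            Exists     = Test-Path -LiteralPath $path
            Signer     = $null
            SigStatus  = 'NotChecked'
            Suspicious = $false
        }

        if ($finding.Exists) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $finding.SigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) {
                $finding.Signer = $sig.SignerCertificate.Subject
            }
            # Flag anything that is unsigned, has a broken signature, or is signed
            # by a publisher outside the trusted list.
            $trusted = $finding.Signer -and
                       ($TrustedSubjects | Where-Object { $finding.Signer -like "$_*" })
            $finding.Suspicious = ($sig.Status -ne 'Valid') -or (-not $trusted)
        } else {
            # A registered module whose DLL has been removed is itself worth a look.
            $finding.Suspicious = $true
        }

        $finding
    }
}

# Usage: show the full inventory, then warn on the entries that need triage.
$all = Get-SuspiciousIisModule
$all | Format-Table Module, SigStatus, Signer, Image -AutoSize
$all | Where-Object Suspicious | ForEach-Object {
    Write-Warning ("Review IIS module '{0}' at {1} (signature: {2})" -f $_.Module, $_.Image, $_.SigStatus)
}
```

Treat the output as a triage list rather than a verdict: legitimately deployed third-party modules will be flagged until their publisher is added to the trusted list, and a signed-looking binary still deserves a hash lookup and a check of its on-disk timestamp against the server's change history. This covers only native modules registered globally; managed modules declared in site-level web.config files and any web shells dropped into content directories need separate review.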
TOPIC / TRACK
Threat Research Forum
Live Translation Session
LOCATION
Taipei Nangang Exhibition Center, Hall 2
4F 4B
LEVEL
Advanced
Advanced sessions explore cybersecurity topics, including architecture, tools, practical experiences, and strategy comparisons. Content often features code explanations, protocol analysis, reverse engineering, live demos, and is suitable for experienced cybersecurity professionals.
SESSION TYPE
Breakout Session
LANGUAGE
Chinese
Real-Time Chinese & English Translation
SUBTOPIC
Cyber Crime
Blue Team
Threat Intelligence Sharing