Date: 09/12/2024
Severity: Medium
Summary
DragonRank is a Chinese-speaking service provider that sells search engine optimization (SEO) manipulation. Its customers are businesses and individuals who want better rankings and visibility in Chinese-language search engines, and it delivers that through content optimization, backlink placement and other tactics intended to influence search engine ranking algorithms. On the intrusion side, DragonRank exploits vulnerabilities in targeted web application services to deploy a web shell. It then uses that access to gather system information, deploy malware such as PlugX and BadIIS, and run various tools to harvest credentials.
Indicators of Compromise (IOC) List
URL/Domain | http://b.googie.pw/zz1.php http://a.googie.pw/zz1.php http://b.googie.pw/xx1.php http://a.googie.pw/xx1.php http://www.googie.pw/xx1.php http://web.googie.pw/zz1.php http://ddos.tttseo.com/ddos/ddos.zip http://35.247.175.184:443/1.aspx https://admin1.tttseo.com/ht.zip mail.tttseo.com http://www.ig26.com/xx1.php http://www.ig26.com/zz1.php http://www.yx52.pw/xx1.php http://www.yx52.pw/zz1.php |
IPAddress | 202.162.108.48 |
Hash | SHA-256 values; the full set is the union of the two hash queries listed under the TDIR detection queries below |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
URL/Domain | userdomainname like "http://b.googie.pw/zz1.php" or url like "http://b.googie.pw/zz1.php" or userdomainname like "http://a.googie.pw/zz1.php" or url like "http://a.googie.pw/zz1.php" or userdomainname like "http://b.googie.pw/xx1.php" or url like "http://b.googie.pw/xx1.php" or userdomainname like "http://a.googie.pw/xx1.php" or url like "http://a.googie.pw/xx1.php" or userdomainname like "http://www.googie.pw/xx1.php" or url like "http://www.googie.pw/xx1.php" or userdomainname like "http://web.googie.pw/zz1.php" or url like "http://web.googie.pw/zz1.php" or userdomainname like "http://ddos.tttseo.com/ddos/ddos.zip" or url like "http://ddos.tttseo.com/ddos/ddos.zip" or userdomainname like "http://35.247.175.184:443/1.aspx" or url like "http://35.247.175.184:443/1.aspx" or userdomainname like "https://admin1.tttseo.com/ht.zip" or url like "https://admin1.tttseo.com/ht.zip" or userdomainname like "mail.tttseo.com" or url like "mail.tttseo.com" or userdomainname like "http://www.ig26.com/xx1.php" or url like "http://www.ig26.com/xx1.php" or userdomainname like "http://www.ig26.com/zz1.php" or url like "http://www.ig26.com/zz1.php" or userdomainname like "http://www.yx52.pw/xx1.php" or url like "http://www.yx52.pw/xx1.php" or userdomainname like "http://www.yx52.pw/zz1.php" or url like "http://www.yx52.pw/zz1.php" |
Note: this query covers every URL/domain indicator in the IOC list above. The `like` comparisons carry no wildcards, so under SQL semantics they behave as exact string matches: a logged URL must equal the indicator byte for byte, including scheme, host and path. A request to a different path on the same host, or an HTTPS request that the proxy records only by hostname, will not match; add a hostname-based condition (for example on googie.pw, tttseo.com, ig26.com and yx52.pw) if your data source supports it.
IPAddress | dstipaddress IN ("202.162.108.48","35.247.175.184") or ipaddress IN ("202.162.108.48","35.247.175.184") or publicipaddress IN ("202.162.108.48","35.247.175.184") or srcipaddress IN ("202.162.108.48","35.247.175.184") |
Note: 35.247.175.184 is not in the IPAddress row of the IOC list but is the host of the URL indicator http://35.247.175.184:443/1.aspx, so it is included here to catch connections to that address that are logged without a URL.
Hash Query 1 | sha256hash IN ("fd0dd6c05be458e18640db3eaaa9f6d259c1224f244110595b0a634fffacadf9","0ab7e992aa85a0e23d9a7ee1e3928eb2015c0733d7fb324bf8b0c0e3c65d500b","b76ef88a61f6cb0189358a0b4268a6828054bdcd6e0bf7dff2af491d7542beaf","94b323eaf06ea503bf0157c575128e46083257b8ee71d4e5faa7ca4d38e50f8c","d802ac7ad043e24db3c640b1364da79973eac2025f647654972a544d5a2740dd","30080323573618d9463351c471b1bb577de8ee40cdd5fc915daf14a25737a67f","ad7773cb9e55e4c37bed2bb34a9e695c8965cc12c75b3da5e12f868fc1c78a52","45f21f20af0482092cdcc9d00c0657f000fac3c31fc3aeebe78ee1a397b914b3","e3db221308873ae75ef124484688f303c7eb6af1ac1ed5f7fbbdcfcda7d8cf80","c8cfb43414cd425eede08a6267a0cdf3789175dfba95a903ee9dfa0ae2e94a8b","7dd1307fd65599600a5056ae867c373333ae265f6fa29dc02ec697916159ed84","875239000f22cff75f62f9a1aa9924a8c3fea72124b0c4b31c7b3814f9dc0601","8251189e8b596743683f2ab2d731eb19efe3e4e28ac5c100ea88cfdc36aeeac8","614920f1a8550070a983f2ad22d6358c6742a9e02802b025eeea8db8c3d41fb7","96d5f775fca96cfe092e94bd1b978be215fd3d52e0fe1cc15bc61d787c122c85","c41587c393741e78b678f1fc3d7934859a306c4cc4c0b02ca08d596289caeff4","74063aeff534b824ad3f505431e56875c1fd73dfd95be7972defaf0719120406","3503d6ccb9f49e1b1cb83844d1b05ae3cf7621dfec8dc115a40abb9ec61b00bb","e9a9f3c7321d83e781c00eed712f9ecffc2024fd41ee1e45bc77d2ff8b1264d1","6e5eb43b81f103e4926be92d6bef9048bfa042bddb95a1ad3245230df0e04d22","8714970129d26b5967552190c540f3f7579a818c60cc4f587ebfe51d833a1a06") |
Hash Query 2 | sha256hash IN ("3424b3c334bc28a299617739764458733bb38132e1403ef69985e4beb0dc40f2","3f17c66aab154212fb02fc7e329296c233aebe4abd9248204fa99c490c113a6e","b3aa822a7349d95c2210598b95fa8e85c1ce0f22acdf10611a31e3e82c84ed33","206c9e66f337fbf0611e172217b550b9f8f25cc807e478910c872856c32eb741","0ab7e992aa85a0e23d9a7ee1e3928eb2015c0733d7fb324bf8b0c0e3c65d500b","f2c5c7d65752a2fdf94466d36fbeee720f060aa140a89530322732d3385fb3db","839b8532681df355271cd5fdbf0c0d09bef9c8cbbfa98d3fe9727afa670c30e7","ffa94d76d4423e43a42c7944c512e1a71827a89ad513d565f82eb8fe374ef74d","fd0dd6c05be458e18640db3eaaa9f6d259c1224f244110595b0a634fffacadf9","1749b814522ba5dc141b399ee8f04616d72bfdfdd8ab8ebab6c9d494a378cbfc","373d95685d0fd184aa4d5e47f7b1eb1848badef4fc9db46415f858f37eb20eee","2c635e82f71944444b8dcc08949ff7c0ac5f04f78cfcb86410d9f61c63accf4d","72fc4ba4d8e9a7b11fa0b76611e85b7aaf3558ac08dc8e9628fad48d72fb8190","9277f848a5348e447e02cf94beae392815a235264443fdd69a3ff6eb48f040a8","9a8e9d587b570d4074f1c8317b163aa8d0c566efd88f294d9d85bc7776352a28","dcbe7748ceaec2ff72e9d8afa568973658534695527bd6762c05d8b9ed596f16","b24b47faa11b18a4e67fcffc05265b51bab2cf7732c66f6695ce10e89d61fcb7","8627cc34ab2c713ecf5d4d171a32325eb69b140542cdd36d7eca46c19e310253","99ab43bf8a9934d01ba9ec6203c95e3c16e6c0dfc633538ab29795ba979b4adf","b9faf82542bbaca124ef80f58ee55a866ee10481fa30419c89f112d7bb4a9815","cdc9f18de75991e7b289ab26b32dca9f4de6f95f88a6d3d32c87a111c4dc4d18") |
Note: the two hash queries are split only for length; run both. Two values (fd0dd6c05be458e18640db3eaaa9f6d259c1224f244110595b0a634fffacadf9 and 0ab7e992aa85a0e23d9a7ee1e3928eb2015c0733d7fb324bf8b0c0e3c65d500b) appear in both lists, so the union is 40 unique SHA-256 hashes.
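The queries above are written for Gurucul's TDIR query language and cannot be run outside that product. What follows is an added example, not part of the original advisory and not Gurucul or Cisco Talos code: a small Python matcher that takes the URL/domain, IP and SHA-256 indicators from this page, normalises each URL indicator to its hostname as well as the exact URL (so a request to a different path on the same host, or an HTTPS CONNECT record that logs only the host, still matches), and runs them over a constructed proxy-log format and a constructed file inventory. The log line format, the non-indicator IP addresses and the file paths are assumptions made for the demonstration; the hash set holds three of the page's hashes and is meant to be extended with the rest.

```python
"""Offline IOC matcher for the DragonRank indicators listed on this page.
Added example, not Gurucul's query language or Cisco Talos code. The log
format and the file inventory below are constructed for the demonstration."""
import ipaddress
from urllib.parse import urlsplit

# URL/domain and IP indicators copied from the IOC table above.
URL_IOCS = [
    "http://b.googie.pw/zz1.php", "http://a.googie.pw/zz1.php",
    "http://b.googie.pw/xx1.php", "http://a.googie.pw/xx1.php",
    "http://www.googie.pw/xx1.php", "http://web.googie.pw/zz1.php",
    "http://ddos.tttseo.com/ddos/ddos.zip", "http://35.247.175.184:443/1.aspx",
    "https://admin1.tttseo.com/ht.zip", "mail.tttseo.com",
    "http://www.ig26.com/xx1.php", "http://www.ig26.com/zz1.php",
    "http://www.yx52.pw/xx1.php", "http://www.yx52.pw/zz1.php",
]
IP_IOCS = {"202.162.108.48"}
# Three of the SHA-256 values from the hash queries above; extend with the rest.
HASH_IOCS = {
    "fd0dd6c05be458e18640db3eaaa9f6d259c1224f244110595b0a634fffacadf9",
    "0ab7e992aa85a0e23d9a7ee1e3928eb2015c0733d7fb324bf8b0c0e3c65d500b",
    "3424b3c334bc28a299617739764458733bb38132e1403ef69985e4beb0dc40f2",
}

def normalize_indicators(urls, ips):
    """Return (exact_urls, hostnames, ip_addresses), all lower-cased.
    Each URL indicator is kept verbatim and also reduced to its hostname, so a
    request to another path on the same host, or a CONNECT record carrying only
    host:port, still matches. An IP-literal host joins the IP set instead."""
    exact_urls, hosts, addrs = set(), set(), set(ips)
    for u in urls:
        if "://" not in u:                 # bare domain such as mail.tttseo.com
            hosts.add(u.lower())
            continue
        exact_urls.add(u.lower())
        host = (urlsplit(u).hostname or "").lower()
        try:
            ipaddress.ip_address(host)
            addrs.add(host)
        except ValueError:
            hosts.add(host)
    return exact_urls, hosts, addrs

def match_proxy_line(line, exact_urls, hosts, addrs):
    """Return the reasons one proxy-log line matches (empty list if clean).
    Constructed line format: "<ts> <src_ip> <dst_ip> <method> <target>", where
    target is a full URL for plain HTTP or "host:port" for CONNECT."""
    fields = line.split()
    if len(fields) != 5:
        return []                          # unparseable line: skip, don't guess
    _ts, src_ip, dst_ip, method, target = fields
    reasons = [f"ip:{ip}" for ip in (dst_ip, src_ip) if ip in addrs]
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0].lower()
    else:
        target = target.lower()
        if target in exact_urls:
            reasons.append(f"url:{target}")
        host = urlsplit(target).hostname or ""
    # Match on the parsed host, never on a substring of the whole URL.
    if host in hosts:
        reasons.append(f"host:{host}")
    elif host in addrs and f"ip:{host}" not in reasons:
        reasons.append(f"ip:{host}")
    return reasons

def scan_proxy_log(lines, urls=URL_IOCS, ips=IP_IOCS):
    """Return [(line_number, reasons)] for every line that hits an indicator."""
    exact_urls, hosts, addrs = normalize_indicators(urls, ips)
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = match_proxy_line(line, exact_urls, hosts, addrs)
        if reasons:
            hits.append((n, reasons))
    return hits

def scan_hashes(inventory, hashes=HASH_IOCS):
    """inventory maps path -> SHA-256 hex; return paths whose hash is an IOC."""
    return sorted(p for p, digest in inventory.items() if digest.lower() in hashes)

# Constructed sample data: RFC 5737 documentation addresses, made-up paths.
SAMPLE_LOG = [
    "2024-09-12T08:01:02Z 10.0.0.5 203.0.113.1 GET http://example.com/index.html",
    "2024-09-12T08:02:10Z 10.0.0.5 203.0.113.9 GET http://a.googie.pw/xx1.php",
    "2024-09-12T08:03:44Z 10.0.0.7 203.0.113.9 GET http://www.googie.pw/zz2.php",
    "2024-09-12T08:04:15Z 10.0.0.8 203.0.113.10 CONNECT admin1.tttseo.com:443",
    "2024-09-12T08:05:00Z 10.0.0.9 202.162.108.48 GET http://203.0.113.50/update.bin",
    "2024-09-12T08:06:30Z 10.0.0.9 198.51.100.4 GET http://example.org/googie.pw",
]
SAMPLE_INVENTORY = {
    "/var/www/html/upload/a.php": "fd0dd6c05be458e18640db3eaaa9f6d259c1224f244110595b0a634fffacadf9",
    "/usr/bin/python3": "0" * 64,
}

if __name__ == "__main__":
    for n, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
    print("hash hits:", scan_hashes(SAMPLE_INVENTORY))
```

Running the script reports four hits: the exact URL on line 2 (also flagged by host), a new path on a known host on line 3, a CONNECT to a known host on line 4, and the indicator IP as destination on line 5. The last sample line, whose path contains googie.pw but whose host is example.org, is deliberately not matched: matching on substrings of the whole URL rather than on the parsed host is how benign traffic ends up in the alert queue. To cover the whole hash list, paste the remaining values from the two hash queries into HASH_IOCS.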
References:
https://blog.talosintelligence.com/dragon-rank-seo-poisoning/
https://github.com/Cisco-Talos/IOCs/blob/main/2024/09/DragonRank%2C%20a%20Chinese-speaking%20SEO%20manipulator%20service%20provider.txt