Overview
GhostRedirector is a threat group that compromises Windows servers using a C++ backdoor called Rungan and a malicious IIS module known as Gamshen. Rungan allows remote command execution, while Gamshen manipulates search engine results for SEO fraud, harming the reputation of the affected servers. Attackers gain entry through vulnerabilities such as SQL injection and then deploy additional tools via PowerShell. The campaign highlights the growing use of IIS modules for persistence, covert operations, and fraudulent activity.
Technical Details
- Access Vector: Attackers exploit SQL injection flaws to gain an initial foothold, often via vulnerable web applications.
- Tool Deployment: Malicious payloads (the Rungan backdoor and the Gamshen IIS module) are delivered using PowerShell from staging servers such as 868id[.]com.
- Privilege Escalation & Persistence: Creates rogue admin accounts…..
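Because Gamshen persists as a native IIS module, one practical defender check is to audit the `<globalModules>` section of applicationHost.config, where every native module DLL is registered, and flag entries whose DLL lives outside the stock inetsrv directory. The script below is an added example written for this summary, not code from the original report or from any vendor tool; the sample config it parses is constructed, and the module name and path of the flagged entry are hypothetical.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample of the <globalModules> section: three stock Microsoft
# modules plus one entry registered under a legitimate-sounding name but
# pointing at a DLL outside inetsrv (hypothetical; this is how a rogue
# native module is typically wired into IIS).
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="IsapiModule" image="%windir%\System32\inetsrv\isapi.dll" />
      <add name="HttpCacheModule" image="C:\Windows\Temp\cache.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directory that holds every stock IIS native module DLL.
TRUSTED_DIR = r"%windir%\system32\inetsrv"
# Location of the live config on a real server (assumed default install path).
LIVE_CONFIG = r"C:\Windows\System32\inetsrv\config\applicationHost.config"


def expand(path):
    """Expand %windir% and lower-case so constructed and real paths compare alike."""
    return re.sub(r"%windir%", r"C:\\Windows", path, flags=re.IGNORECASE).lower()


def suspicious_modules(config_xml):
    """Return (name, image) for native modules whose DLL is outside inetsrv."""
    trusted = expand(TRUSTED_DIR).rstrip("\\") + "\\"
    flagged = []
    root = ET.fromstring(config_xml)
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            image = add.get("image", "")
            if not expand(image).startswith(trusted):
                flagged.append((add.get("name", ""), image))
    return flagged


if __name__ == "__main__":
    # Audit the live file when run on an IIS host, otherwise the sample.
    xml_text = open(LIVE_CONFIG, encoding="utf-8").read() if os.path.exists(LIVE_CONFIG) else SAMPLE_CONFIG
    for name, image in suspicious_modules(xml_text):
        print(f"SUSPICIOUS native module {name!r} loaded from {image}")
```

The path check is only a first filter: a module whose name matches a stock module but whose DLL lives elsewhere should be treated as suspect, and any DLL that does pass the filter still warrants an Authenticode signature check and a hash comparison against a known-good install.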