GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes

Description

ESET researchers have identified a new threat actor named GhostRedirector that has compromised at least 65 Windows servers, primarily in Brazil, Thailand, and Vietnam. The actor utilizes two previously undocumented tools: a passive C++ backdoor called Rungan and a malicious Internet Information Services (IIS) module named Gamshen. While Rungan can execute commands on compromised servers, Gamshen's purpose is to manipulate search engine results, boosting the page ranking of configured target websites. The attacks appear to be opportunistic rather than targeting specific entities. GhostRedirector also employs public exploits like EfsPotato and BadPotato for privilege escalation. Based on various factors, including the use of Chinese strings and a Chinese code-signing certificate, ESET believes with medium confidence that GhostRedirector is a China-aligned threat actor.