RANSOMWARE GhostRedirector CTI Report

CTI REPORT - GhostRedirector

GhostRedirector is a group of malicious operators active since mid-2024, primarily observed between December 2024 and June 2025.

Their objective is to compromise Internet-exposed Windows servers in order to install customized backdoors and fraudulent IIS modules, with a dual purpose:

1. Maintain persistent and complete access to the victim’s infrastructure.
2. Exploit the compromised servers for SEO Poisoning campaigns (poisoning Google search results, fraudulent redirects).

GhostRedirector has already compromised at least 65 servers, mainly in Brazil, Vietnam, and Thailand, but also in North America, Peru, and Europe.

The affected sectors are varied (healthcare, insurance, transportation, technology, retail, education), with no preferred target sector.

Ghost Redirector is associated with the use of novel tools, including:

1. Rungan: a passive C++ backdoor that allows command execution, account creation, and service management.
2. Gamshen: a malicious IIS module that intercepts Googlebot requests to inject SEO content or redirect to the C2 infrastructure.
3. Zunput: a tool for inventorying and deploying webshells.

ATTACK CHAIN - GhostRedirector

Initial access

1. Observed vector: exploitation of exposed web applications (probable SQL injection).
2. Specific mechanism: execution of system commands via Microsoft SQL Server’s xp_cmdshell procedure when enabled.
3. Documented actions: execution of SQL commands that invoke PowerShell to retrieve utilities/payloads from staging servers (e.g., subdomains of 868id[.]com).

Note: ESET documented PowerShell calls launched from sqlserver.exe via xp_cmdshell.

Example commands executed on a compromised server:

Post-exploitation & Privilege Escalation

1. Objective: obtain elevated privileges (SYSTEM / Administrators).
2. Documented tools/methods: homemade executables exploiting EfsPotato and BadPotato (e.g., EfsNetAutoUser.exe, NetAutoUser.exe, DotNet4.5.exe) to create or elevate accounts.
3. Additional observed tools: auto.exe, auto_sign.exe — automating the creation/establishment of administrator accounts.
4. Note: Several samples are packed/obfuscated and identified as AddUser/HackTool by AV vendors.

Reconnaissance

1. GhostRedirector deploys its internal tool Zunput, designed to inventory the compromised server’s IIS environment.
2. Zunput collects information on:

- active websites,

- their physical paths,

- configured bindings,

- the protocols used.

Example of a log.txt file generated by Zunput:

• This mapping allows attackers to precisely target where to deposit webshells, assess the value of the infrastructure, and plan subsequent steps.

Defense Evasion

1. The attackers apply software obfuscation to their tools by protecting them with .NET Reactor, complicating analysis by researchers and detection by security solutions.
2. The malicious module Gamshen, installed as an IIS extension, adopts a stealthy and conditional behavior:

- It only modifies content when the request originates from Googlebot (or when a Referer comes from Google Search).

- For human visitors or administrators, the infected site displays normally, significantly reducing the chance of detection.

1. This mechanism conceals the compromise while maximizing the effectiveness of SEO poisoning campaigns.

Execution

1. Once the intrusion is consolidated, GhostRedirector deploys several malicious components:

- Rungan: a C++ backdoor that allows attackers to execute commands, manage services, manipulate files, and open remote shells.

- Gamshen: an IIS module that dynamically alters HTTP responses sent to Google crawlers to inject fraudulent backlinks or redirect traffic to the attackers’ infrastructure.

- GoToHTTP / link.exe: a remote access/relay tool.

1. The attackers also use PowerShell and LOLBins such as certutil.exe to deploy and execute their payloads from C2 servers.
2. These actions enable them to gain active and persistent control over the compromised servers.

Data Exfiltration

1. Unlike a group oriented toward double extortion, GhostRedirector does not appear to target massive exfiltration.
2. However, the deployed backdoors and webshells (Rungan, Zunput) do provide the ability to retrieve sensitive files, system configurations, or credentials on demand.
3. Exfiltration remains targeted and opportunistic, with the primary objective being the exploitation of the servers as fraudulent platforms rather than the theft of strategic data.

Persistence

1. To maintain long-term access, GhostRedirector implements several persistence mechanisms:

- The Rungan backdoor is installed as a system DLL, automatically relaunched after a restart.

- The Gamshen module is persistently integrated into IIS, loaded with every web request processed by w3wp.exe.

- Creation of “fallback” administrator accounts to restore access in the event of cleanup.

- Deposition of components in known system locations that are restarted after reboot.

Lateral Movement

Although not GhostRedirector’s primary focus, some evidence suggests the group possesses lateral movement capabilities:

- The Rungan backdoor allows remote command execution and could be used to pivot to other internal systems.

- Standard tools such as PsExec or SMB shares could be employed, highlighting the campaign’s danger.

Final Impact

The final impact is reflected in:

- Massive SEO poisoning: inserting fraudulent links into Google search results to artificially boost malicious sites,

- Redirecting legitimate visitors to domains controlled by the attackers, used for fraud, phishing, or ad monetization,

- Damaging the online reputation of compromised companies, with risks of SEO degradation and loss of trust.

Diagram of SEO Poisoning

MITRE ATT&CK - GhostRedirector

Certain attack tactics and techniques recur during a GhostRedirector assault.

INDICATORS OF COMPROMISE

IOCs - GhostRedirector

DETECTION OF THE ATTACK – GhostRedirector

As detailed above, the GhostRedirector attack chain consists of several phases.

For each phase, here are indicators that will help SOC teams detect suspicious or anomalous behavior associated with GhostRedirector.

PREVENTION & HARDENING - GhostRedirect

1. Hardening Best Practices

Patching and Vulnerability Management:

1. Prioritize remediation of application vulnerabilities and remote execution flaws in exposed web applications (fix vectors that allow SQL injection or command execution through the database engine).
2. Review third-party components hosted on IIS and apply available patches/updates.

Reducing the SQL Server Attack Surface:

1. Disable xp_cmdshell if not strictly necessary. If its use is required, restrict access to this component and audit its usage.
2. Restrict accounts that access the database (principle of least privilege).

Hardening PowerShell / LOLBins:

1. Restrict execution of PowerShell scripts (Constrained Language Mode) and enable full transcription/logging (PowerShell logs).
2. Control and limit the use of LOLBins (certutil, mshta, rundll32…) via application control (Application Whitelisting) and approved execution lists.
3. Block suspicious commands launched by unexpected processes (e.g. sqlserver.exe launching powershell.exe).

Hardening IIS & Native Module Control:

1. Monitor the list of native modules loaded by IIS; block the loading of unapproved DLLs in directories used by the web server.
2. Restrict permissions on IIS directories and monitor file additions/modifications (FIM).
3. Implement WAF rules to filter SQL injection attempts and suspicious uploads.

Account and Privilege Management:

1. Implement integrity controls and alerts on the creation/modification of local accounts/Administrators group members (alert on Event ID 4720/4722/4732, etc.).
2. Apply the principle of least privilege for service accounts and remove unused accounts.

C2 Prevention & Egress Filtering:

1. Implement egress filtering (authenticated proxy/domain filtering) to detect and block connections to known domains and IPs (*.868id.com, www.cs01.shop, etc.).
2. Block/alert on unusual connections to domains hosted behind reverse proxies (e.g., Cloudflare) when the destination is suspicious.

Application Control & Signatures:

1. Prevent the execution of unapproved binaries on web servers (whitelisting policy).
2. Monitor the use and arrival of packed/obfuscated samples (.NET packed, executables signed from dubious sources) and control the signature chain (certificates).

Webshell Detection / File Integrity:

1. Deploy FIM controls on IIS directories (detection of new .asp/.aspx/.php files, suspicious modifications).
2. Regularly scan websites for known webshells and obfuscation/encoding patterns.

Network Segmentation:

1. Segment access between application/DB servers and limit administrative access to controlled bastions.
2. Isolate publicly exposed servers from sensitive internal environments.

DLP & Transfer Monitoring:

1. Implement monitoring of significant outbound transfers (proxy/IDS/IPS) to detect unusual file transfers or connections to anonymous storage services should they occur.

2. Change Management

1. Hunting Queries: Some queries can be implemented in SOC tools to proactively detect traces of a GhostRedirector attack. Here are a few examples:

Note: These queries should be adapted based on the tools and environment.

1. Threat Intelligence Integration: Import GhostRedirector IoCs (hashes, IPs, domains, etc.) into the various deployed detection solutions (SIEM, EDR, XDR, IDS/IPS, Firewall, etc.).

3. Immediate Response

1. Rapid Isolation: Isolate compromised hosts (network quarantine) especially if w3wp.exe loads a suspicious module or if sqlserver.exe executes PowerShell.
2. Forensic Collection: Capture Sysmon logs, Event Logs (Security, System, Application), IIS logs, LSASS memory dump if necessary, and copies of suspicious DLLs/files (miniscreen.dll, ManagedEngine*_v2.dll, SitePut.exe…).
3. Identification & Eradication: Remove identified webshells, disable/delete malicious IIS modules, and remove maliciously created admin accounts.
4. Complete Remediation: Consider rebuilding the server if its integrity is compromised (especially if a native IIS-loaded DLL is involved).
5. Credential Rotation: Change passwords and keys associated with affected accounts and revoke exposed tokens/credentials.
6. Blocking & Containment: Block known C2 domains/IPs at the proxy/firewall level and remove unnecessary external access.
7. Reporting & Threat Intelligence: Import the IoCs into protection systems (EDR/SIEM/IDS) and share findings with the internal TI/CERT team.

KNOWN TARGETS & VICTIMS - GhostRedirector

1. At present, no specific victim has been publicly identified. Researchers estimate that approximately 65 Windows servers have been compromised worldwide. The majority of cases have been observed in Brazil, Thailand, and Vietnam, with additional incidents in the United States, Peru, and Europe.
2. Affected sectors are varied (insurance, healthcare, transportation, information technology, retail, education), suggesting that GhostRedirector does not target a specific industry but rather exploits technical vulnerabilities.
3. The most vulnerable assets are Internet-exposed IIS servers and poorly secured SQL Server instances, particularly when the xp_cmdshell functionality is enabled. IIS directories are also a prime target for deploying webshells and malicious IIS modules such as Gamshen.
4. While no compromise has been documented in France, the threat remains relevant: the same technical configurations (exposed IIS, SQL Server, insufficient hardening) are widespread within the French economy. A proactive stance (IoC monitoring, IIS/SQL audits, behavioral detection) is therefore essential to anticipate this type of threat, whose primary impact lies in SEO poisoning and reputational damage to compromised organizations.

REFERENCES - GhostRedirector

1. Comprehensive Technical Analysis of the GhostRedirect Campaign (ESET): https://www.welivesecurity.com/en/eset-research/ghostredirector-poisons-windows-servers-backdoors-side-potatoes/
2. GhostRedirector IoCs:

https://github.com/eset/malware-ioc/tree/master/GhostRedirector

MOVE ON TO THE NEXT STEP IN CYBERSECURITY

Contact us today to learn how NEVERHACK can monitor and strengthen your security posture, protect your critical assets, and support your daily cyber vigilance.

SALES TEAM

Salah ROMDHANE - Sales Director / sromdhane@neverhack.com

Eduardo NICOLAY - Sales Account Manager / enicolay@neverhack.com

Carole NIDDAM - Sales Director / cniddam@neverhack.com

Celia BENHAJ - Sales Account Manager / cbenhaj@neverhack.com