Full Report
Cisco Talos is disclosing details on UAT-8099, a Chinese-speaking cybercrime group mainly involved in SEO fraud and theft of high-value credentials, configuration files, and certificate data.
Analysis Summary
# Threat Actor: UAT-8099
## Attribution & Identity
Threat actor tracked as **UAT-8099**. They are identified as a **Chinese-speaking cybercrime group**.
## Activity Summary
UAT-8099 is primarily involved in **Search Engine Optimization (SEO) fraud** for financial gain, leveraging compromised high-value Internet Information Services (IIS) servers. They also engage in the **theft of high-value credentials, configuration files, and sensitive certificate data** from compromised systems, likely for resale or further exploitation. Their primary method involves manipulating search engine rankings by compromising reputable IIS servers in targeted regions. Compromised servers redirect users (often mobile users) to unauthorized advertisements or illegal gambling websites.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting weak file upload features on web servers that do not restrict file types to upload a web shell (specifically noted use of the open-source **ASP.NET Web BackDoor**).
- **Reconnaissance:** Executing commands like `ipconfig`, `whoami`, `arp`, and `tasklist` via the dropped web shell to collect system and network information.
- **Persistence & Access:**
  - Enabling the **guest account** and elevating its privileges to administrator level.
  - Establishing remote access via **Remote Desktop Protocol (RDP)**.
  - Combining RDP access with tools like **SoftEther VPN** and **EasyTier** (a decentralized VPN tool) and **FRP** (a reverse proxy tool) for persistent access.
- **Privilege Escalation:** Utilizing shared hacking tools to gain system-level permissions.
- **Defense Evasion:** Deploying defense mechanisms to prevent other threat actors from gaining access to the already compromised server.
- **Command and Control/Automation:** Using automation scripts customized to evade defenses and hide activity.
## Targeting
- **Sectors:** Universities, technology firms, and telecommunications providers (identified via their IIS servers).
- **Geography:** Affected IIS servers were found in **India, Thailand, Vietnam, Canada, and Brazil**.
- **Victims:** Organizations operating high-value, reputable IIS servers in the aforementioned regions. The final victims of the redirection/fraud appear to heavily involve **mobile users** (Android and iOS devices).
## Tools & Infrastructure
- **Malware families used:** **BadIIS** malware (multiple new samples observed), **Cobalt Strike**.
- **Webshells:** Open-source **ASP.NET Web BackDoor**.
- **Legitimate/Shared Tools:** **Cobalt Strike**, **SoftEther VPN**, **EasyTier**, **FRP** reverse proxy tool, and general open-source hacking tools.
- **Infrastructure:** The primary infrastructure exploited is victim-owned **IIS servers**. The redirection points to illegal gambling websites, some observed in Thai, Portuguese, and English.
## Implications
UAT-8099 poses a direct financial threat via SEO fraud. Their activity can damage the reputation of compromised high-value organizations (like universities/telcos) by using their legitimate web infrastructure to host illicit content. The focus on retrieving credentials and certificates indicates a secondary intent for further compromise or data monetisation beyond the immediate SEO fraud scheme.
## Mitigations
- Secure file upload features on web servers to ensure file types are strictly restricted.
- Regularly audit and restrict the creation and privilege levels of guest accounts.
- Review RDP configurations and actively monitor for RDP initiation from unexpected or unauthorized processes.
- Harden IIS servers, especially against known attack vectors used for web shell deployment.
- Deploy network monitoring solutions (like Cisco SecureX/Stealthwatch) to detect potentially unwanted activity and lateral movement (e.g., RDP connections, VPN tool usage).
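Detection logic for the TTPs summarised above (recon commands spawned under the IIS worker, the guest account being enabled and added to Administrators, and the RDP client launched from an unexpected parent), as an added example that is not code from the Talos report: it runs over constructed process-creation log lines in a simplified key=value format. The w3wp.exe parent check and the Explorer-only allowlist for mstsc.exe parents are assumptions about a typical IIS host, not details taken from the report.

```python
import re

# Constructed example: process-creation events in a simple k=v|k=v format.
# Real sources (Sysmon event 1, Windows 4688) carry the same fields.
IIS_WORKER = "w3wp.exe"   # assumption: IIS worker; web shell commands inherit it as parent
RECON_CMDS = {"ipconfig", "whoami", "arp", "tasklist"}   # commands named in the report
GUEST_ENABLE = re.compile(r"\bnet1?\s+user\s+guest\s+/active:yes", re.I)
GUEST_ADMIN = re.compile(r"\bnet1?\s+localgroup\s+administrators\s+guest\s+/add", re.I)
RDP_PARENTS_OK = {"explorer.exe"}   # assumption: interactive mstsc launches come from Explorer

def parse(line):
    """Split 'k=v|k=v' into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(ev):
    """Return a detection label for one event, or None if nothing matched."""
    parent, image = basename(ev.get("parent", "")), basename(ev.get("image", ""))
    cmd = ev.get("cmd", "")
    stem = image[:-4] if image.endswith(".exe") else image
    tokens = set(re.findall(r"[a-z0-9]+", cmd.lower()))
    if GUEST_ENABLE.search(cmd):            # guest account enabled
        return "guest-account-enabled"
    if GUEST_ADMIN.search(cmd):             # guest elevated to administrator
        return "guest-added-to-administrators"
    if parent == IIS_WORKER:                # anything the IIS worker spawns is suspect
        if stem in RECON_CMDS or tokens & RECON_CMDS:
            return "recon-from-iis-worker"
        if stem in {"cmd", "powershell"}:
            return "shell-from-iis-worker"
    if stem == "mstsc" and parent not in RDP_PARENTS_OK:
        return "rdp-client-from-unexpected-parent"
    return None

def scan(lines):
    """Return (timestamp, label) for every line that matches a rule."""
    hits = []
    for line in lines:
        ev = parse(line)
        label = classify(ev)
        if label:
            hits.append((ev.get("ts"), label))
    return hits

SAMPLE_LOG = [  # constructed sample events, not from the report
    r"ts=T1|parent=C:\Windows\System32\inetsrv\w3wp.exe|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe /c whoami",
    r"ts=T2|parent=C:\Windows\System32\inetsrv\w3wp.exe|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe /c net user guest /active:yes",
    r"ts=T3|parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\net.exe|cmd=net localgroup administrators guest /add",
    r"ts=T4|parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\mstsc.exe|cmd=mstsc.exe /v:10.0.0.5",
    r"ts=T5|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\notepad.exe|cmd=notepad.exe",
]

if __name__ == "__main__":
    for ts, label in scan(SAMPLE_LOG):
        print(ts, label)
```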