Chinese-speaking cybercrime operation UAT-8099 has targeted unsecured Internet Information Services servers across Asia, particularly in Thailand and Vietnam, as part of an attack campaign that commenced late last year, reports Cyber Security News.Initial access enabled by illicit web shell injections on vulnerable IIS servers has been leveraged by UAT-8099 to launch PowerShell scripts that run the GotoHTTP remote access tool for persistence and the eventual delivery of updated BadIIS malware variants, which have source code containing country codes for more targeted compromise, according to Cisco Talos analysts. Visiting websites impacted by the BadIIS malware results in redirections to fake gambling sites. UAT-8099 was also discovered to have leveraged the Sharp4RemoveLog, OpenArk64, and CnCrypt Protect tools for covert operations.Meanwhile, malware signatures, command-and-control infrastructure, and victim profiles in the attack campaign also had similarities with the previously reported WEBJACK operation, said researchers.
Threat Intelligence, Vulnerability Management, Patch/Configuration Management
Vulnerable Asian IIS servers subjected to UAT-8099 targeting

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



