Threat Intelligence, Vulnerability Management, Patch/Configuration Management

Vulnerable Asian IIS servers subjected to UAT-8099 targeting

CyberArk interviewed 373 IT security executives and other senior management in North America, Europe and the Asia-Pacific as part of its eighth annual Global Advanced Threat Landscape survey. Read more

Chinese-speaking cybercrime operation UAT-8099 has targeted unsecured Internet Information Services servers across Asia, particularly in Thailand and Vietnam, as part of an attack campaign that commenced late last year, reports Cyber Security News.

Initial access enabled by illicit web shell injections on vulnerable IIS servers has been leveraged by UAT-8099 to launch PowerShell scripts that run the GotoHTTP remote access tool for persistence and the eventual delivery of updated BadIIS malware variants, which have source code containing country codes for more targeted compromise, according to Cisco Talos analysts. Visiting websites impacted by the BadIIS malware results in redirections to fake gambling sites. UAT-8099 was also discovered to have leveraged the Sharp4RemoveLog, OpenArk64, and CnCrypt Protect tools for covert operations.

Meanwhile, malware signatures, command-and-control infrastructure, and victim profiles in the attack campaign also had similarities with the previously reported WEBJACK operation, said researchers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds