A Chinese-speaking cybercrime group, identified as UAT-8099, has been infiltrating high-value Microsoft Internet Information Services (IIS) servers across multiple countries, including India, Thailand, Vietnam, Canada, and Brazil. Their primary objective is to conduct large-scale search engine optimization (SEO) fraud, aiming to manipulate search rankings and harvest sensitive data.
UAT-8099’s Attack Methodology
UAT-8099 deliberately selects IIS servers with strong reputations, often belonging to universities, technology firms, and telecommunications providers, because a trusted domain lends more weight to the backlinks the fraud depends on. Once it finds a server whose file-upload feature is misconfigured (for example, one that accepts arbitrary file types and stores them inside the web root), the group uploads an ASP.NET web shell, such as `server.ashx`, into the `/Html/hw/` directory, where it can be invoked over HTTP. This initial foothold is used to run reconnaissance commands and gather system information.
After reconnaissance, UAT-8099 uses batch scripts to create a new local user account and add it to the administrators group, then enables Remote Desktop Protocol (RDP) and looks up which port the RDP listener is actually configured on rather than assuming the default 3389. For persistence it installs tooling that gives it a way back in even if the web shell is removed: SoftEther VPN, the EasyTier decentralized VPN, and the FRP reverse proxy (used to reach RDP on hosts behind NAT or a firewall), together with a hidden `admin$` account for long-term remote access.
SEO Fraud Mechanisms
Once it has administrative access, UAT-8099 installs BadIIS, a malicious native IIS module that hooks the server's request-handling pipeline so it can inspect and rewrite traffic. In proxy mode, the module decodes a hex-encoded command-and-control (C2) address, forwards the request to a secondary C2 server, and uses the IIS native `IHttpResponse::WriteEntityChunks` API to return whatever the C2 sends as a well-formed HTTP response. In injector mode, BadIIS watches for browser requests that arrive from Google search results (recognizable from the Referer header), fetches a JavaScript payload such as `jump.html` or `pg888.js` from its C2, and splices it into the HTML response so the visitor is redirected to illegal gambling or advertising sites.
The SEO fraud mode fires only when the User-Agent equals Googlebot and the Referer contains google.com: to the crawler it serves HTML stuffed with backlinks that manipulate search-ranking algorithms, while ordinary visitors receive the normal page, so the site owner sees nothing unusual. The URL paths involved commonly contain keywords such as casino, gambling, betting, and deposit. Multiple BadIIS variants have been identified; some have extremely low antivirus detection rates and others carry simplified Chinese debug strings, indicating that the code is still under active development.
Indicators of Compromise
The indicators of compromise include the web shell file paths, C2 URLs, and the batch scripts the group drops (e.g., `iis.bat`, `fuck.bat`, `1.bat`). Organizations running IIS should audit their file-upload handling (restrict accepted extensions, store uploads outside the web root, and deny script execution in upload directories), restrict RDP (network-level restriction and multi-factor authentication), review servers for unexpected local accounts and for VPN or reverse-proxy tooling such as SoftEther, EasyTier, and FRP, inventory the installed native IIS modules, and deploy endpoint and network protections able to detect and block BadIIS behaviors and related RDP misuse.
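The indicators above can be turned into a retrospective hunt over IIS W3C logs. The script below is an added example, not code from the report: it reads the `#Fields:` header so columns are mapped by name, then flags requests to an `.ashx` handler under `/Html/hw/` (the web shell location named in the report, generalised to any file name in that directory), requests carrying a Googlebot User-Agent together with a google.com Referer (the SEO-fraud trigger), and gambling keywords in the URL. The log lines are constructed for the example; the field names are the standard IIS W3C ones.

```python
"""Hunt IIS W3C extended logs for the request patterns described in the report.

Added example; not code from the report. The sample log is constructed.
"""
import re

GAMBLING_KEYWORDS = ("casino", "gambling", "betting", "deposit")
# Any .ashx under /Html/hw/, not only server.ashx. A renamed shell in the same
# directory still matches; one dropped elsewhere does not, so treat this as a
# weak indicator, not a complete check.
WEBSHELL_PATH_RE = re.compile(r"/html/hw/[^/]*\.ashx$", re.IGNORECASE)


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the header can change mid-file; re-read it
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # truncated or malformed line
        yield dict(zip(fields, values))


def classify(entry):
    """Return the indicators a single request matches (empty list if none)."""
    # IIS writes spaces inside header values as '+'.
    ua = entry.get("cs(User-Agent)", "-").replace("+", " ").lower()
    referer = entry.get("cs(Referer)", "-").lower()
    path = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    findings = []
    if WEBSHELL_PATH_RE.search(path):
        findings.append("webshell-path")
    if "googlebot" in ua and "google.com" in referer:
        findings.append("googlebot-with-google-referer")
    if any(k in (path + " " + query).lower() for k in GAMBLING_KEYWORDS):
        findings.append("gambling-keyword")
    return findings


def hunt(lines):
    """(client IP, method, path, findings) for every request that matched."""
    hits = []
    for entry in parse_w3c(lines):
        findings = classify(entry)
        if findings:
            hits.append((entry.get("c-ip", "-"), entry.get("cs-method", "-"),
                         entry.get("cs-uri-stem", "-"), findings))
    return hits


# Constructed sample: a normal visit from Google, a cloaked fraud page served
# to "Googlebot", a POST to the web shell, and an ordinary crawl with no Referer.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-10-01 08:12:03 10.0.0.5 GET /index.html - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0)+Chrome/130.0 https://www.google.com/ 200 0 0 15
2025-10-01 08:12:10 10.0.0.5 GET /casino/online-betting-deposit - 443 - 198.51.100.7 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) https://www.google.com/ 200 0 0 40
2025-10-01 08:13:44 10.0.0.5 POST /Html/hw/server.ashx - 443 - 192.0.2.44 python-requests/2.32 - 200 0 0 8
2025-10-01 08:14:01 10.0.0.5 GET /about.html - 443 - 203.0.113.11 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 12
"""


def hunt_sample():
    return hunt(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            hits = hunt(fh)
    else:
        hits = hunt_sample()
    for hit in hits:
        print(hit)
```

Both `cs(User-Agent)` and `cs(Referer)` are in the default IIS W3C field set, but confirm they are enabled on the server being examined; without the Referer column the SEO-fraud condition cannot be evaluated. The ordinary crawl in the sample (Googlebot User-Agent, no Referer) is deliberately not flagged, which keeps routine indexing out of the results.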