A Chinese-speaking cybercrime group, designated as UAT-8099, has been implicated in orchestrating a sophisticated campaign involving search engine optimization (SEO) fraud and the exfiltration of sensitive data. This operation primarily targets Microsoft Internet Information Services (IIS) servers across various countries, including India, Thailand, Vietnam, Canada, and Brazil. The affected entities span a range of sectors, notably universities, technology firms, and telecommunications providers.
Discovery and Initial Findings
The activities of UAT-8099 came to light in April 2025. The group’s modus operandi involves compromising IIS servers to manipulate search engine rankings and harvest high-value credentials, configuration files, and certificate data. The primary victims are mobile users operating on both Android and Apple iOS platforms.
Tactics and Techniques
UAT-8099 employs a multifaceted approach to achieve its objectives:
1. Initial Compromise: The group identifies vulnerable IIS servers through unpatched security flaws or misconfigured file upload functionalities. Upon gaining access, they deploy web shells to perform reconnaissance and collect system information.
2. Privilege Escalation: By activating the guest account, the attackers escalate their privileges to administrator levels, enabling Remote Desktop Protocol (RDP) access.
3. Persistence Mechanisms: To maintain control over the compromised servers, UAT-8099 utilizes RDP in conjunction with VPN tools such as SoftEther VPN, EasyTier, and Fast Reverse Proxy (FRP).
4. Deployment of BadIIS Malware: The group installs a variant of the BadIIS malware, which has been modified to evade detection by antivirus software. This malware operates in three distinct modes:
– Proxy Mode: Extracts an embedded command-and-control (C2) server address to act as a proxy, retrieving content from a secondary C2 server.
– Injector Mode: Intercepts browser requests originating from Google search results, connects to the C2 server to fetch JavaScript code, embeds this code into the HTML response, and redirects the victim to a specified destination.
– Redirector Mode: Directly redirects incoming requests to a predetermined URL.
SEO Manipulation and Data Exfiltration
The BadIIS malware’s SEO manipulation component activates exclusively when the request originates from Google, identified by the User-Agent Googlebot. This strategy ensures that the malicious activities remain concealed from regular users while effectively altering search engine rankings.
In addition to SEO fraud, UAT-8099 searches for valuable data within the compromised servers using a graphical user interface (GUI) tool named Everything. The harvested data is then packaged for resale or further exploitation.
Broader Context and Implications
UAT-8099 is not an isolated case. Other Chinese-linked actors have engaged in similar SEO fraud activities for financial gain. For instance, a threat actor known as GhostRedirector compromised at least 65 Windows servers in countries like Brazil, Thailand, and Vietnam using a malicious IIS module named Gamshen to facilitate SEO fraud.
The emergence of groups like UAT-8099 underscores the evolving landscape of cyber threats, where financially motivated actors employ advanced techniques to exploit server vulnerabilities, manipulate search engine results, and steal sensitive information.
Mitigation Strategies
Organizations can adopt several measures to defend against such threats:
– Regular Patching: Ensure that all servers, especially IIS servers, are updated with the latest security patches to mitigate known vulnerabilities.
– Configuration Audits: Regularly review and secure server configurations to prevent unauthorized access through misconfigured settings.
– Monitoring and Detection: Implement robust monitoring systems to detect unusual activities, such as unauthorized privilege escalations or the deployment of web shells.
– Access Controls: Restrict RDP and VPN access to trusted users and employ multi-factor authentication to enhance security.
– User Education: Train staff to recognize phishing attempts and other social engineering tactics that could lead to initial compromises.
By adopting these strategies, organizations can bolster their defenses against sophisticated cybercrime groups like UAT-8099 and protect their digital assets from exploitation.
