Cyber Attack Targets IIS Servers in Asia: UAT-8099 Deploys Region-Specific BadIIS Malware

UAT-8099’s Targeted Assault on IIS Servers: Unveiling the Region-Specific BadIIS Malware Campaign

A sophisticated cyber campaign has emerged, targeting Microsoft Internet Information Services (IIS) servers across Asia. The threat actor, identified as UAT-8099, has been actively compromising vulnerable systems in Thailand and Vietnam from late 2025 through early 2026. This operation signifies a strategic shift towards region-specific attacks, utilizing advanced malware to infiltrate and control unpatched IIS servers.

Exploitation Tactics and Initial Access

UAT-8099 exploits unpatched vulnerabilities in IIS servers to gain initial access. The attackers deploy malicious web shells, which serve as backdoors, allowing remote command execution on the compromised servers. This initial foothold is crucial for the subsequent stages of the attack.

Deployment of PowerShell Scripts and Remote Access Tools

Following successful infiltration, the attackers execute PowerShell scripts to download and install the GotoHTTP remote access tool. This tool provides persistent control over the infected systems, enabling the threat actors to maintain long-term access while evading detection by leveraging legitimate administrative utilities.

Introduction of Region-Specific BadIIS Malware

A notable aspect of this campaign is the deployment of the BadIIS malware, now customized with hardcoded regional configurations tailored to specific countries. Analysts from Cisco Talos observed that these BadIIS variants embed country codes directly into their source code, creating specialized versions for Vietnam (denoted by VN tags) and Thailand (marked with TH designations). These customized variants include region-specific file extensions, dynamic page configurations, and localized HTML templates designed to facilitate search engine optimization (SEO) fraud targeting specific language preferences.

Operational Overlap with Previous Campaigns

The current campaign demonstrates operational similarities with the previously documented WEBJACK operation. Shared indicators include malware signatures, command and control infrastructure, and targeted victim profiles, suggesting a possible connection or evolution in tactics.

Mechanisms for Persistence and Concealment

To maintain persistent control over compromised servers, UAT-8099 creates hidden user accounts with administrative privileges. Initially, the attackers used an account named admin$, but after security products began detecting this pattern, they shifted to alternative names such as mysql$, admin1$, admin2$, and power$. These accounts are utilized to deploy updated versions of the BadIIS malware to specific regional directories, such as C:/Users/mssql$/Desktop/VN/ for Vietnam-targeted operations and C:/Users/mssql$/Desktop/newth/ for Thailand-focused attacks.

Anti-Forensic Techniques

To evade detection and forensic analysis, the threat actors deploy several anti-forensic tools:

– Sharp4RemoveLog: Erases Windows event logs to eliminate traces of their activities.

– CnCrypt Protect: Conceals malicious files, making them harder to detect.

– OpenArk64: Terminates security processes at the kernel level, further ensuring their operations remain undetected for extended periods.

Implications and Recommendations

The evolution of the BadIIS malware to include region-specific configurations indicates a more targeted and sophisticated approach by UAT-8099. By filtering web traffic based on the Accept-Language header, the malware verifies the visitor’s region before delivering malicious payloads. When search engine crawlers visit infected sites, they are redirected to fraudulent gambling websites, while regular users receive injected JavaScript that silently redirects their browsers to malicious destinations.
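One way a defender can look for the crawler-versus-visitor disparity described above is to compare response classes per URL in IIS W3C logs. The script below is an added example, not code from the report or from Cisco Talos; the log sample is constructed, and the `#Fields` layout is an assumption about the server's logging configuration (Accept-Language is not logged by default, so the check keys on the User-Agent).

```python
import re
from collections import defaultdict

# Search-engine crawler user agents that BadIIS-style SEO cloaking treats specially.
CRAWLER_RE = re.compile(r"googlebot|bingbot|baiduspider|yandex|duckduckbot", re.I)

# Constructed IIS W3C log sample (assumed field order; IIS writes '+' for spaces).
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem sc-status cs(User-Agent) cs(Referer)
2026-01-10 08:00:01 GET /index.aspx 200 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 -
2026-01-10 08:00:05 GET /index.aspx 302 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) -
2026-01-10 08:00:09 GET /index.aspx 302 Mozilla/5.0+(compatible;+bingbot/2.0;++http://www.bing.com/bingbot.htm) -
2026-01-10 08:01:00 GET /about.aspx 200 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 -
2026-01-10 08:01:03 GET /about.aspx 200 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) -
2026-01-10 08:02:00 GET /old.aspx 301 Mozilla/5.0+(Windows+NT+10.0)+Chrome/120 -
2026-01-10 08:02:02 GET /old.aspx 301 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) -
"""


def parse_iis_log(text):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_cloaked_paths(text):
    """Return URI stems where crawlers only ever got 3xx while other clients only got 2xx.

    A redirect served to everyone (/old.aspx) is a normal site change; a redirect
    served only to crawlers is the cloaking pattern worth a manual look.
    """
    seen = defaultdict(lambda: {"crawler": set(), "user": set()})
    for rec in parse_iis_log(text):
        kind = "crawler" if CRAWLER_RE.search(rec["cs(User-Agent)"]) else "user"
        seen[rec["cs-uri-stem"]][kind].add(rec["sc-status"][0])  # status class only
    return sorted(uri for uri, s in seen.items()
                  if s["crawler"] == {"3"} and s["user"] == {"2"})


if __name__ == "__main__":
    for uri in find_cloaked_paths(SAMPLE_LOG):
        print(f"possible crawler-only redirect: {uri}")
```

On a real server, feed it the contents of the site's `u_ex*.log` files and follow up on any hit by requesting the URL with a crawler User-Agent and comparing the response against a browser request.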

Organizations operating IIS servers, particularly in the targeted regions, should take immediate action to mitigate these threats:

1. Patch Management: Ensure all IIS servers are updated with the latest security patches to close known vulnerabilities.

2. Access Controls: Regularly audit user accounts and permissions to detect and remove unauthorized accounts.

3. Monitoring and Logging: Implement comprehensive monitoring to detect unusual activities and maintain secure logs to aid in forensic investigations.

4. Security Tools: Deploy advanced security solutions capable of detecting and preventing the execution of unauthorized scripts and tools.

By adopting these measures, organizations can enhance their defenses against the sophisticated tactics employed by UAT-8099 and similar threat actors.