Cisco Talos Blog: UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud

Source URL: https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/
Source: Cisco Talos Blog
Title: UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud

Feedly Summary: Cisco Talos is disclosing details on UAT-8099, a Chinese-speaking cybercrime group mainly involved in SEO fraud and theft of high-value credentials, configuration files, and certificate data.

AI Summary and Description: Yes

**Summary:**
The provided text summarizes a Cisco Talos analysis of UAT-8099, a Chinese-speaking cybercrime group engaged primarily in SEO fraud and in the theft of high-value credentials, configuration files, and certificate data. The group compromises IIS servers through web shells, automates its post-compromise steps with batch scripts, and deploys several tools, including new variants of the BadIIS malware (a malicious native IIS module) and Cobalt Strike. The report matters to security professionals because it documents a complete intrusion chain against a widely deployed web server platform and underlines the need to harden that infrastructure and to detect the group's activity proactively.

**Detailed Description:**
The report describes how UAT-8099 compromises IIS servers to manipulate search-engine rankings and to steal valuable data. It walks through the group's attack chain and tooling, providing actionable detail for security and compliance professionals.

– **Attack Methodology:**
– UAT-8099 targets Internet Information Services (IIS) servers in several countries, including India, Thailand, Vietnam, Canada, and Brazil.
– The group abuses the reputation and search ranking of the compromised IIS servers: visitors who reach those sites from a search engine are redirected to attacker-chosen destinations such as unauthorized advertisements or illegal gambling sites.
– It deploys Cobalt Strike as a backdoor for continued access and uses batch scripts to automate its post-compromise steps.

– **Persistence and Privilege Escalation:**
– Initial access relies on IIS configuration errors such as unrestricted file uploads (no validation of file type, extension, or upload location), which let the group place a web shell on the server.
– To keep a foothold with full privileges, the group enables the built-in guest account, adds it to the local Administrators group, and then logs in over Remote Desktop Protocol (RDP) with that account.
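
A detection for the guest-account step, as an added example that is not code from the Talos report or from Cisco: it correlates Windows Security events 4722 (a user account was enabled), 4732 (a member was added to a security-enabled local group) and 4624 with logon type 10 (RemoteInteractive, i.e. RDP) for the built-in Guest account. The event records are constructed and simplified; the field names (`target`, `member`, `group`, `logon_type`, `ip`) are assumptions standing in for the TargetUserName, MemberName, group TargetUserName, LogonType and IpAddress fields of the real events.

```python
"""Correlate Windows Security events for the guest-account takeover chain.

Added example, not code from the Talos report. Detects the sequence the
report describes: the built-in Guest account is enabled (event 4722),
added to the local Administrators group (event 4732), then used for an
RDP logon (event 4624 with logon type 10, RemoteInteractive).
"""
from datetime import datetime, timedelta

# Constructed sample events: simplified views of the fields a SIEM or
# Get-WinEvent would expose. Names, times and addresses are made up.
SAMPLE_EVENTS = [
    {"time": "2025-09-01T02:10:05", "id": 4624, "target": "svc_web",
     "logon_type": 3, "ip": "10.0.0.5"},
    {"time": "2025-09-01T02:14:30", "id": 4722, "target": "Guest",
     "subject": "web_deploy"},
    {"time": "2025-09-01T02:14:31", "id": 4732, "group": "Administrators",
     "member": "Guest", "subject": "web_deploy"},
    {"time": "2025-09-01T02:20:12", "id": 4624, "target": "Guest",
     "logon_type": 10, "ip": "203.0.113.7"},
    {"time": "2025-09-01T09:00:00", "id": 4624, "target": "alice",
     "logon_type": 10, "ip": "10.0.0.9"},
]


def find_guest_takeover(events, account="guest", window=timedelta(hours=24)):
    """Return one alert per RDP logon by `account`, annotated with the
    preparatory steps (enable, add to Administrators) seen within `window`.

    Any RDP logon by the guest account is reported, because Guest should
    never log on interactively; the severity rises with each earlier stage
    that is also present.
    """
    account = account.lower()
    enabled_at = None  # most recent 4722 for the account
    admin_at = None    # most recent 4732 adding the account to Administrators
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4722 and e.get("target", "").lower() == account:
            enabled_at = t
        elif (e["id"] == 4732
              and e.get("member", "").lower() == account
              and e.get("group", "").lower() == "administrators"):
            admin_at = t
        elif (e["id"] == 4624
              and e.get("target", "").lower() == account
              and e.get("logon_type") == 10):
            stages = ["rdp_logon"]
            if admin_at is not None and t - admin_at <= window:
                stages.insert(0, "added_to_administrators")
            if enabled_at is not None and t - enabled_at <= window:
                stages.insert(0, "account_enabled")
            alerts.append({
                "time": e["time"],
                "source_ip": e.get("ip"),
                "stages": stages,
                "severity": len(stages),  # 1 = suspicious, 3 = full chain
            })
    return alerts


if __name__ == "__main__":
    for alert in find_guest_takeover(SAMPLE_EVENTS):
        print(alert)
```

In production, match on the account's well-known relative identifier (the SID ending in -501) rather than on its name, since an attacker can rename the guest account, and feed the function from Get-WinEvent or your SIEM instead of the inline list.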

– **BadIIS Malware:**
– Talos identified new BadIIS variants whose code has been altered to evade antivirus detection.
– BadIIS runs as a native IIS module. Its handlers inspect the headers of each incoming HTTP request, chiefly the User-Agent, to tell search-engine crawlers apart from ordinary visitors, and serve the SEO-fraud content or the redirect only to the requests that match.

– **Automation and Tools:**
– UAT-8099 uses batch scripts to automate the attack steps and to set up persistent backdoors on the infected servers.
– The Cobalt Strike backdoor is loaded through DLL sideloading, in which a legitimate signed executable loads a malicious DLL placed beside it; this limits the visibility endpoint protection has into the payload and reflects the group's level of sophistication.

– **SEO Fraud Techniques:**
– BadIIS injects backlinks to attacker-controlled sites into the pages it serves to search-engine crawlers, transferring the compromised site's ranking to those sites; a site caught cloaking in this way can be penalized or removed from search results, harming the victim's online visibility.
– The report also describes the consequences for victims, including loss of reputation and financial damage.
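
The header-based cloaking decision described under BadIIS, and the backlink injection that rides on it, leave a trace in the server's own request logs: the same URL answers search-engine-referred visitors with a redirect while direct visitors get the normal page, and crawlers keep hitting it. The script below is an added example, not code from the Talos report or from Cisco: it parses constructed IIS W3C log lines and flags URLs showing that split. The log content, host names and addresses are made up, and the crawler and search-engine lists are illustrative rather than complete.

```python
"""Spot BadIIS-style cloaking in IIS W3C logs.

Added example, not code from the Talos report. It looks for the decision
the report describes: the same URL answers search-engine-referred visitors
with a redirect while direct visitors get the normal page. IIS logs do not
record the response body, so injected backlinks are not visible here, but
the redirect split and the crawler traffic on the same URL are.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log in IIS W3C format (spaces in User-Agent are
# written as '+', as IIS does). Hosts, addresses and paths are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-09-01 02:30:01 10.0.0.10 GET /news/article.aspx id=7 443 - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 120
2025-09-01 02:30:05 10.0.0.10 GET /news/article.aspx id=7 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0)+Chrome/128.0 https://www.google.com/ 302 0 0 5
2025-09-01 02:30:09 10.0.0.10 GET /news/article.aspx id=7 443 - 198.51.100.24 Mozilla/5.0+(Windows+NT+10.0)+Chrome/128.0 - 200 0 0 90
2025-09-01 02:31:00 10.0.0.10 GET /news/article.aspx id=7 443 - 198.51.100.25 Mozilla/5.0+(iPhone)+Safari/604.1 https://www.bing.com/search?q=x 302 0 0 4
2025-09-01 02:32:00 10.0.0.10 GET /login.aspx - 443 - 198.51.100.26 Mozilla/5.0+(Windows+NT+10.0)+Chrome/128.0 https://www.google.com/ 302 0 0 6
2025-09-01 02:32:10 10.0.0.10 GET /login.aspx - 443 - 198.51.100.27 Mozilla/5.0+(Windows+NT+10.0)+Chrome/128.0 - 302 0 0 6
"""

CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider|yandexbot|slurp", re.I)
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "yahoo.", "baidu.", "yandex.")
REDIRECT_STATUSES = {"301", "302", "303", "307", "308"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def classify(rec):
    """crawler / search_referred / direct, from User-Agent and Referer."""
    ua = rec.get("cs(User-Agent)", "-").replace("+", " ")
    if CRAWLER_UA.search(ua):
        return "crawler"
    ref = rec.get("cs(Referer)", "-")
    host = (urlsplit(ref).hostname or "") if ref != "-" else ""
    # Substring match is a simplification; production code should match
    # exact search-engine domains.
    if any(tok in host for tok in SEARCH_ENGINE_HOSTS):
        return "search_referred"
    return "direct"


def find_cloaking(records, min_hits=2):
    """Flag URLs where search-referred visitors are redirected but direct
    visitors are not. A URL that redirects everyone (a login page, say)
    is not flagged."""
    # uri -> class -> [hits, redirects]
    stats = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for rec in records:
        counts = stats[rec["cs-uri-stem"]][classify(rec)]
        counts[0] += 1
        if rec["sc-status"] in REDIRECT_STATUSES:
            counts[1] += 1
    findings = []
    for uri, by_class in stats.items():
        s_hits, s_redir = by_class["search_referred"]
        d_hits, d_redir = by_class["direct"]
        if s_hits < min_hits or d_hits == 0:
            continue
        s_rate, d_rate = s_redir / s_hits, d_redir / d_hits
        if s_rate >= 0.8 and d_rate <= 0.2:
            findings.append({
                "uri": uri,
                "search_referred_redirect_rate": s_rate,
                "direct_redirect_rate": d_rate,
                "crawler_hits": by_class["crawler"][0],
            })
    return findings


if __name__ == "__main__":
    for finding in find_cloaking(parse_w3c(SAMPLE_LOG)):
        print(finding)
```

To confirm a flagged URL, request it once with a crawler User-Agent and once with a browser User-Agent (and once with a search-engine Referer) and diff the three responses; the injected backlinks show up only in the crawler copy, and the redirect only in the search-referred one.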

– **Security and Detection:**
– Recommendations are made on how organizations can detect and block the activities associated with UAT-8099 using Cisco’s security products.
– Highlights specific products such as Cisco Secure Endpoint and Cisco Secure Firewall as effective tools against these threats.

– **Indicators of Compromise (IOCs):**
– The report includes specific IOCs related to the malicious activities of UAT-8099, which can be crucial for security teams in recognizing and mitigating these threats.

This comprehensive analysis serves as a crucial resource for professionals involved in security, compliance, and risk management, emphasizing the need for vigilant network monitoring and robust defense strategies against highly organized cybercriminal groups.