Suppose you are visiting one of your favorite websites, maybe a university or a telecom company. Everything seems to be working, but in the background, hackers are collecting data and using that same website for their fraudulent pages. That's exactly what UAT-8099 is doing right now.
What is UAT-8099?
UAT-8099 is a group of hackers targeting Microsoft IIS web servers that are exposed to the internet. They specifically target universities and technology and telecommunications companies.
After gaining access, UAT-8099 takes advantage of those servers to:
• extract sensitive data such as passwords, certificates, and configuration files
• use SEO fraud to boost the visibility of gambling scams or other scam sites
• use obfuscation so users do not see anything is unusual
They are essentially taking reputable websites and using them for online fraud and data exfiltration.
How They Get It Done
1. Hackers will find a site that has a weak security posture, which is usually a site that allows file uploads.
2. They will upload a web shell (a file that lets them execute commands) to gain control of the system.
3. Then they will install an IIS implant called BadIIS.
4. BadIIS will manipulate the way information is displayed depending on who is visiting:
- Search engines will see fake keywords such as 'bet,' 'cash,' or even 'casino' as a way to game Google's ranking.
- Ordinary users will see nothing strange.
- Users searching for gambling-related content will get sent to a fraudulent and possibly illegal site.
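One way a site owner can check for this kind of visitor-dependent behaviour is to request the same page as several personas (ordinary browser, search-engine crawler, visitor arriving from a gambling search) and compare the answers. The checker below is an added example, not code from the original article or from any vendor report; the persona header values are constructed placeholders, and simulated_fetch is a constructed offline stand-in that mimics the behaviour described above so the logic can be run without a network.

```python
import hashlib, re, urllib.error, urllib.request
from typing import Callable, Dict, Tuple
# Visitor personas: (name, User-Agent, Referer); header values are constructed placeholders.
PERSONAS = [
    ("browser", "Mozilla/5.0 (Windows NT 10.0) Chrome/120", ""),
    ("crawler", "Mozilla/5.0 (compatible; Googlebot/2.1)", ""),
    ("search_referral", "Mozilla/5.0 (Windows NT 10.0) Chrome/120",
     "https://www.google.com/search?q=casino+bet"),
]
SEO_TERMS = re.compile(r"\b(bet|cash|casino|slot|lottery)\b", re.I)
Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)

def http_fetch(url: str, user_agent: str, referer: str) -> Response:
    """Live fetch that does not follow redirects, so a 302 is reported as-is."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    req = urllib.request.Request(url, headers={"User-Agent": user_agent, "Referer": referer})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx responses land here
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")

def detect_cloaking(fetch: Callable[[str, str, str], Response], url: str) -> Dict[str, object]:
    """Fetch the same URL as each persona and flag persona-dependent behaviour."""
    results = {name: fetch(url, ua, ref) for name, ua, ref in PERSONAS}
    base_body = results["browser"][2]
    base_hash = hashlib.sha256(base_body.encode()).hexdigest()
    findings = {"differs": [], "redirects": [], "seo_terms": []}
    for name, (status, headers, body) in results.items():
        if name == "browser":
            continue
        if hashlib.sha256(body.encode()).hexdigest() != base_hash:
            findings["differs"].append(name)  # content depends on who is asking
        if status in (301, 302, 307, 308) and "Location" in headers:
            findings["redirects"].append((name, headers["Location"]))
        hits = len(SEO_TERMS.findall(body))
        if hits >= 3 and not SEO_TERMS.search(base_body):  # keyword stuffing only crawlers see
            findings["seo_terms"].append((name, hits))
    findings["suspicious"] = any(findings[k] for k in ("differs", "redirects", "seo_terms"))
    return findings

def simulated_fetch(url: str, user_agent: str, referer: str) -> Response:
    """Constructed offline stand-in that mimics the visitor-dependent behaviour described above."""
    if "Googlebot" in user_agent:
        return 200, {}, "<h1>bet casino cash slot bet</h1><p>University news</p>"
    if "q=casino" in referer:
        return 302, {"Location": "https://scam-site.example/"}, ""
    return 200, {}, "<h1>University news</h1>"
```

Run detect_cloaking(http_fetch, url) against your own site; a clean server returns the same body to every persona, so any entry in differs, redirects or seo_terms is worth inspecting the IIS module list and request logs for.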
Why is this Significant?
Because it is quiet and clever. Many website owners may not even be aware that they have been hacked. UAT-8099 also drops tools like Cobalt Strike, which allows hackers to:
• Steal login info and certificates,
• Copy crucial system files,
• Move further into the network.
Since the website will otherwise continue to work as usual, owners typically fail to see early warning signs and then the attack becomes much more serious.
What Makes UAT-8099 Unique?
• It combines data breaches with SEO fraud into a single attack,
• It targets trusted websites, making the scam more believable,
• It hides in plain sight among all the normal user activity: the redirect is seen only by a few specific users.
Security experts say its behavior is similar to other groups, like GhostRedirector and Dragonfly, but UAT-8099 is more aggressive and sneaky.