
UAT-9244: China-Nexus Hackers Target Telecom Providers in South America


A China-linked advanced persistent threat (APT) actor has targeted critical telecommunications infrastructure in South America since 2024, focusing on Windows systems, Linux environments, and network edge devices with three different implants.

Researchers at Cisco Talos track this activity under the moniker UAT-9244 and describe the cluster as closely associated with another threat group known as FamousSparrow.

Notably, analysts assess that FamousSparrow shares tactical overlaps with Salt Typhoon, a China-nexus espionage group known for targeting telecommunication service providers. However, despite the similar targeting footprint between UAT-9244 and Salt Typhoon, researchers have found no conclusive evidence linking the two clusters.

Furthermore, during the campaign analysis, the cybersecurity company identified three previously undocumented implants distributed through the attack chains: TernDoor targeting Windows, PeerTime (aka angrypeer) targeting Linux, and BruteEntry, which operators install on network edge devices.

Although researchers have not identified the exact initial access method used in these attacks, evidence shows that the adversary previously targeted systems running outdated versions of Windows Server and Microsoft Exchange Server. In those incidents, the attackers deployed web shells to enable follow-on malicious activity.

TernDoor: Windows Backdoor Delivered via DLL Side-Loading

First, operators deploy TernDoor through DLL side-loading, leveraging the legitimate executable “wsprint.exe” to launch a malicious DLL (“BugSplatRc64.dll”). This DLL decrypts and executes the final payload directly in memory.

Researchers classify TernDoor as a variant of CrowDoor, which itself derives from SparrowDoor. According to findings, UAT-9244 has used this backdoor since at least November 2024.

To maintain access, the malware establishes persistence on the host using either a scheduled task or the Windows Registry Run key. Additionally, it differs from CrowDoor by using a different set of command codes and embedding a Windows driver that suspends, resumes, and terminates processes.

Furthermore, the malware supports only one command-line switch (“-u”), which uninstalls the backdoor and deletes all associated artifacts from the host.

Once launched, the malware checks whether it has been injected into “msiexec.exe.” After confirmation, it decodes a configuration to extract command-and-control (C2) parameters.

Subsequently, it communicates with the C2 server, enabling attackers to:

  • Create processes
  • Execute arbitrary commands
  • Read and write files
  • Collect system information
  • Deploy a driver to hide malicious components and manage processes
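The side-loading pairing and the two persistence mechanisms described above are concrete enough to hunt for in endpoint telemetry. The following is an added example written for this page, not code from Talos, TheHackerNews or Impreza: it evaluates constructed events shaped like Sysmon records (Event ID 7 image load, Event ID 13 registry value set, Event ID 1 process create) and flags wsprint.exe loading BugSplatRc64.dll from an untrusted or unsigned location, plus Run-key and schtasks entries that point the host binary at a non-standard path. The trusted directory list and all sample paths are assumptions to be adjusted per environment.

```python
"""Hunting the TernDoor delivery and persistence chain on Windows endpoints.

Added example; this is not Talos, TheHackerNews or Impreza code. Events are
constructed in-line in the shape of Sysmon records (Event ID 7 = image load,
Event ID 13 = registry value set, Event ID 1 = process create); the field
names follow Sysmon, the paths and values are made up for illustration.
"""
import ntpath
import re
from typing import Dict, List

# Host binary -> DLL pairing reported for TernDoor in the article.
SIDELOAD_PAIRS = {"wsprint.exe": "bugsplatrc64.dll"}

# Assumption: install roots treated as trusted on the hosts being hunted.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def _dir(path: str) -> str:
    return ntpath.dirname((path or "").strip('"')).lower()


def _untrusted(path: str) -> bool:
    return not _dir(path).startswith(TRUSTED_DIRS)


def flag_image_load(ev: Dict[str, str]) -> bool:
    """Event ID 7: the known-good host EXE loads its side-load DLL from an
    untrusted directory, or the DLL carries no valid signature."""
    image = ntpath.basename(ev["Image"]).lower()
    loaded = ntpath.basename(ev["ImageLoaded"]).lower()
    if SIDELOAD_PAIRS.get(image) != loaded:
        return False
    # Side-loading relies on the DLL sitting beside the EXE (app dir is searched first).
    same_dir = _dir(ev["Image"]) == _dir(ev["ImageLoaded"])
    unsigned = ev.get("SignatureStatus", "").lower() != "valid"
    return same_dir and (_untrusted(ev["ImageLoaded"]) or unsigned)


def flag_run_key(ev: Dict[str, str]) -> bool:
    """Event ID 13: a Run/RunOnce value whose target is the side-load host EXE
    living outside a trusted directory."""
    target = ev.get("TargetObject", "").lower()
    details = ev.get("Details", "")
    if not any(m in target for m in RUN_KEY_MARKERS):
        return False
    return ntpath.basename(details.strip('"')).lower() in SIDELOAD_PAIRS and _untrusted(details)


_TR = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)


def flag_schtasks(ev: Dict[str, str]) -> bool:
    """Event ID 1: schtasks.exe creating a task whose action (/tr) lives outside
    a trusted directory."""
    if ntpath.basename(ev.get("Image", "")).lower() != "schtasks.exe":
        return False
    cl = ev.get("CommandLine", "")
    if "/create" not in cl.lower():
        return False
    m = _TR.search(cl)
    target = (m.group(1) or m.group(2)) if m else ""
    return bool(target) and _untrusted(target)


def triage(events: List[Dict[str, str]]) -> List[str]:
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7 and flag_image_load(ev):
            hits.append(f"sideload: {ev['Image']} loaded {ev['ImageLoaded']}")
        elif eid == 13 and flag_run_key(ev):
            hits.append(f"run-key persistence: {ev['TargetObject']} -> {ev['Details']}")
        elif eid == 1 and flag_schtasks(ev):
            hits.append(f"scheduled-task persistence: {ev['CommandLine']}")
    return hits


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\ProgramData\wsp\wsprint.exe",
     "ImageLoaded": r"C:\ProgramData\wsp\BugSplatRc64.dll", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\wsprint.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\BugSplatRc64.dll", "SignatureStatus": "Valid"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\wsp",
     "Details": r"C:\ProgramData\wsp\wsprint.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn wsp /tr "C:\ProgramData\wsp\wsprint.exe"'},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The second sample event, a signed copy of the DLL under Program Files, is deliberately left unflagged: the point of the check is the combination of a known host binary, its expected DLL name and an unexpected location or missing signature, not the file name alone.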

PeerTime: Linux Peer-to-Peer Backdoor

Further analysis of the UAT-9244 infrastructure led researchers to discover a Linux peer-to-peer (P2P) backdoor called PeerTime. Attackers compiled the malware for multiple architectures, including ARM, AARCH, PPC, and MIPS, allowing it to infect a wide range of embedded systems.

Operators deploy the ELF backdoor, together with an instrumentor binary, through a shell script.

“The instrumentor ELF binary will check for the presence of Docker on the compromised host using the commands docker and docker -q,” Talos researchers Asheer Malhotra and Brandon White said. “If Docker is found, then the PeerTime loader is executed. The instrumentor consists of debug strings in Simplified Chinese, indicating that it is a custom binary created and deployed by Chinese-speaking threat actors.”

The loader’s primary objective involves decrypting and decompressing the final PeerTime payload and executing it directly in memory.

Researchers identified two PeerTime variants:

  • A version written in C/C++
  • A newer variant developed in Rust

Additionally, the backdoor can rename its own process to mimic a legitimate one and evade detection. It also leverages the BitTorrent protocol to:

  • Retrieve C2 configuration
  • Download files from peers
  • Execute payloads on compromised systems
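A process that renames itself, as PeerTime is reported to do, still leaves a gap between the name it shows and the file it was actually started from, and a payload run directly from memory leaves no backing file at all. The following is an added example for this page, not Talos, TheHackerNews or Impreza code: it compares each process's comm against the resolved /proc/<pid>/exe target and flags in-memory or unlinked executables. The rules are heuristics, and the sample process table is constructed rather than taken from a real host.

```python
"""Spotting a Linux process that has renamed itself, or runs without a backing file.

Added example, not Talos/Impreza/TheHackerNews code. A backdoor can change its
visible name (comm via prctl, or argv[0]) but /proc/<pid>/exe still resolves to
the file that was executed, and a payload run from memory shows up with a
"(deleted)" or "/memfd:" target. The checks are heuristics; the sample process
table below is constructed, not real telemetry.
"""
import os
from typing import Dict, List, Tuple


def masquerade_reason(proc: Dict[str, str]) -> str:
    """Return a reason if the process looks renamed or file-less, else ''."""
    comm = proc.get("comm", "")
    exe = proc.get("exe", "")
    if not exe:
        return ""  # kernel thread (or unreadable link): nothing to compare
    if "(deleted)" in exe or exe.startswith("/memfd:"):
        return f"exe backing file gone ({exe}); in-memory or unlinked payload"
    # comm is the basename of the path handed to execve, truncated to 15 chars,
    # so a legitimate comm is a prefix of the resolved exe basename (for example
    # comm 'python3' for exe /usr/bin/python3.11 reached through a symlink).
    if not os.path.basename(exe).startswith(comm):
        return f"comm '{comm}' does not match exe {exe}"
    return ""


def find_masquerades(procs: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    hits = []
    for p in procs:
        reason = masquerade_reason(p)
        if reason:
            hits.append((int(p["pid"]), reason))
    return hits


def snapshot_proc() -> List[Dict[str, str]]:
    """Live snapshot of /proc (Linux only). Run as root: without permission the
    exe link is unreadable and the process is skipped as if it were a kernel thread."""
    procs = []
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""
        procs.append({"pid": pid, "comm": comm, "exe": exe})
    return procs


# Constructed sample process table: one honest daemon, one interpreter via
# symlink, one kernel thread, one renamed binary in /var/tmp, one memfd payload.
SAMPLE_PROCS = [
    {"pid": "1", "comm": "systemd", "exe": "/usr/lib/systemd/systemd"},
    {"pid": "5", "comm": "kworker/0:0", "exe": ""},
    {"pid": "730", "comm": "python3", "exe": "/usr/bin/python3.11"},
    {"pid": "2210", "comm": "kworker/u8:2", "exe": "/var/tmp/.cache/.p"},
    {"pid": "2240", "comm": "dockerd", "exe": "/memfd:x (deleted)"},
]

if __name__ == "__main__":
    for pid, reason in find_masquerades(SAMPLE_PROCS):
        print(pid, reason)
```

Swap SAMPLE_PROCS for snapshot_proc() to run it against a live host; a genuine kworker has no exe link at all, so a "kworker" with one pointing into /var/tmp is exactly the kind of mismatch this surfaces.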

BruteEntry: Edge Devices Turned Into ORB Scanning Nodes

Researchers also discovered shell scripts and payloads staged on the threat actor’s servers. Among them, a brute-force scanner named BruteEntry targets edge devices, transforming them into mass-scanning proxy nodes within an Operational Relay Box (ORB) network.

This infrastructure allows attackers to perform brute-force attacks against services such as:

  • Postgres
  • SSH
  • Tomcat servers

Attackers execute this process through a shell script that deploys two Golang-based components:

  1. An orchestrator, which delivers BruteEntry
  2. The BruteEntry payload, which contacts a C2 server to retrieve a list of target IP addresses

The malware then launches automated brute-force attempts against those systems. Finally, BruteEntry reports successful login attempts back to the C2 infrastructure.

“‘Success’ indicates if the brute force was successful (true or false), and ‘notes’ provides specific information on whether the brute force was successful,” Talos said. “If the login failed, the note reads ‘All credentials tried.’”
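From the defender's side, an ORB node working through a target list leaves a recognisable shape: one source address failing against several services (SSH, Postgres, Tomcat) and, when the credentials finally fit, a success following a run of failures. The following is an added example for this page, not Talos, TheHackerNews or Impreza code: it correlates constructed sshd, PostgreSQL and Tomcat log lines by source IP and raises an alert for cross-service spraying and for a login that succeeds after failures. It assumes PostgreSQL's log_line_prefix includes the client host (%h) and that the Tomcat lines are access-log entries for the manager application.

```python
"""Correlating the brute-force pattern a BruteEntry-style node would leave on a target.

Added example, not Talos/Impreza/TheHackerNews code. Keys on the source IP across
sshd, PostgreSQL and Tomcat logs; log lines are constructed. Assumptions: the
PostgreSQL log_line_prefix carries the client host (%h), and the Tomcat lines
are access-log entries for /manager.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# (service, regex with source address as group 1, outcome)
PATTERNS = [
    ("ssh", re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + IP), "fail"),
    ("ssh", re.compile(r"sshd\[\d+\]: Accepted \w+ for \S+ from " + IP), "ok"),
    ("postgres", re.compile(r"\[\d+\] " + IP + r" \S+@\S+ FATAL:\s+password authentication failed"), "fail"),
    ("tomcat", re.compile(r"^" + IP + r' \S+ \S+ \[[^\]]+\] "\w+ /manager\S* [^"]*" 401 '), "fail"),
]


def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Map one log line to (service, source_ip, 'fail'|'ok'), or None if unrelated."""
    for service, rx, outcome in PATTERNS:
        m = rx.search(line)
        if m:
            return service, m.group(1), outcome
    return None


def correlate(lines: List[str], threshold: int = 5) -> Dict[str, dict]:
    """Per-source tally: failure count, services touched, and whether a success
    arrived only after the failure count had already reached the threshold."""
    state = defaultdict(lambda: {"failures": 0, "services": set(), "success_after_failures": False})
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        service, ip, outcome = hit
        s = state[ip]
        if outcome == "fail":
            s["failures"] += 1
            s["services"].add(service)
        elif s["failures"] >= threshold:
            s["success_after_failures"] = True
    return dict(state)


def alerts(lines: List[str], threshold: int = 5) -> List[Tuple[str, str]]:
    out = []
    for ip, s in correlate(lines, threshold).items():
        # Spraying across services is the ORB signature even below the count threshold.
        if s["failures"] >= threshold or len(s["services"]) >= 2:
            out.append((ip, f"{s['failures']} failed logins across {', '.join(sorted(s['services']))}"))
        if s["success_after_failures"]:
            out.append((ip, "successful login after a run of failures; treat as compromise"))
    return out


# Constructed sample log (RFC 5737 documentation addresses, no real hosts).
SAMPLE_LOG = [
    "Mar  3 10:12:01 edge sshd[2211]: Failed password for root from 198.51.100.7 port 51022 ssh2",
    "Mar  3 10:12:03 edge sshd[2213]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2",
    "Mar  3 10:12:04 edge sshd[2215]: Failed password for root from 203.0.113.9 port 40100 ssh2",
    '2026-03-03 10:12:05 UTC [4411] 198.51.100.7 postgres@postgres FATAL:  password authentication failed for user "postgres"',
    '2026-03-03 10:12:06 UTC [4412] 198.51.100.7 admin@postgres FATAL:  password authentication failed for user "admin"',
    '198.51.100.7 - - [03/Mar/2026:10:12:07 +0000] "GET /manager/html HTTP/1.1" 401 2536',
    "Mar  3 10:12:08 edge sshd[2219]: Failed password for root from 198.51.100.7 port 51044 ssh2",
    "Mar  3 10:12:09 edge sshd[2220]: Failed password for root from 203.0.113.9 port 40102 ssh2",
    "Mar  3 10:12:11 edge sshd[2222]: Accepted password for root from 198.51.100.7 port 51050 ssh2",
    "Mar  3 10:13:00 edge sshd[2230]: Accepted publickey for ops from 192.0.2.5 port 55000 ssh2",
]

if __name__ == "__main__":
    for ip, reason in alerts(SAMPLE_LOG):
        print(ip, reason)
```

The second source, 203.0.113.9, fails twice against SSH only and stays below both triggers; the point of keying on the source rather than the service is that the first address would look unremarkable in any single log on its own.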

Source: TheHackerNews
