China-Nexus APT UAT-9244 Targets Telecommunications Infrastructure
TL;DR
Cisco Talos has identified UAT-9244, a China-aligned advanced persistent threat actor, actively targeting critical telecommunications infrastructure in South America. This actor employs multiple malware implants, including a DLL-based loader and two backdoors, TernDoor and PeerTime, to facilitate its cyber operations.
Main Analysis
UAT-9244 has been linked to a sophisticated campaign aimed at infiltrating networks within critical telecommunications sectors in South America since 2024. Talos has high confidence that UAT-9244 overlaps with another APT group known as Famous Sparrow. The actor employs three notable malware implants to penetrate and maintain persistence in targeted systems: TernDoor, PeerTime, and BruteEntry, each with distinct functionalities.
TernDoor, a variant of the previously known CrowDoor backdoor, utilizes a DLL side-loading technique for its execution. The payload is activated via a benign executable, which loads a malicious DLL that further decodes and executes the final TernDoor implant. This backdoor enables remote command execution, file management, and system information collection. Additionally, TernDoor establishes persistence through scheduled tasks or registry modifications to ensure reactivation upon system restarts.
PeerTime, an ELF-based backdoor, is designed for a variety of architectures, including ARM and MIPS, making it suitable for a multitude of embedded systems. It utilizes the BitTorrent protocol for its operations, which allows it to covertly download additional payloads and exfiltrate data. Talos discovered that PeerTime can adapt its process names to evade detection, highlighting its versatility as a tool for cyber espionage.
BruteEntry, the third malware implant, is specifically engineered to turn compromised devices into operational relay boxes, scanning various services like SSH and Tomcat servers for vulnerabilities. This tool is critical in UAT-9244’s operation, leveraging operational relay boxes to extend its reach across targeted networks.
Defensive Context
Organizations in the telecommunications sector are particularly affected by UAT-9244’s activities, given its targeted approach to infrastructure that supports national and international communications. Entities operating critical services must remain vigilant against these advanced tactics, as the potential risks include unauthorized access to sensitive data and disruptions in service.
Higher-risk environments should prioritize monitoring for the behavioral indicators associated with these implants. Organizations outside the telecommunications sector face less immediate exposure unless they provide services to, or support, critical infrastructure operators.
Why This Matters
Telecommunications providers are at elevated risk due to their central role in global communication systems. The capability of UAT-9244 to exploit and maintain access across multiple operating systems heightens the threat of a significant breach or disruption of critical services.
Defender Considerations
Defenders should focus on recognizing the execution patterns associated with TernDoor and the behavior of PeerTime in their environments. Investigating any unusual registry activity or scheduled tasks, such as those involving the WSPrint executable, could unveil potential infections. Additionally, organizations should examine their defenses against BruteEntry tactics, particularly in network edge devices.
Indicators of Compromise (IOCs)
- TernDoor C2 IPs:
  - 154.205.154.82:443
  - 207.148.121.95:443
  - 212.11.64.105
- BruteEntry Infrastructure:
  - 212.11.64.105
  - 185.196.10.247
- Malware Hashes:
  - TernDoor Loader DLL: 711d9427ee43bc2186b9124f31cba2db5f54ec9a0d56dc2948e1a4377bada289
  - PeerTime Instrumentor Binary: c9fc2af30f769d856b88b3051f19fdb663b3e0a0916279df9bbcba93c6a110c9
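The indicators above, together with the WSPrint scheduled-task and registry note under Defender Considerations, can be swept over telemetry in a few lines. The following Python script is an added example, not Talos tooling or code from the advisory: it checks constructed sample log lines for outbound connections to the listed infrastructure, file hashes matching the two implants, and persistence entries (scheduled tasks, Run keys) that reference WSPrint. The log line formats, internal host IPs and file paths are assumptions; the C2 addresses, infrastructure IPs and SHA-256 hashes are the ones listed on this page.

```python
"""IOC sweep for the UAT-9244 indicators on this page (added example, not
from the original advisory). Input line formats are assumed:

    conn <src_ip> <dst_ip>:<dst_port>
    file <sha256> <path>
    task <task_name> <command_line>
    reg  <key_path> <value_data>
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Network indicators from the advisory. Ports are deliberately ignored when
# matching so that a connection to the same address on another port is still
# flagged; 212.11.64.105 appears in both the TernDoor and BruteEntry sets.
TERNDOOR_C2 = {"154.205.154.82", "207.148.121.95", "212.11.64.105"}
BRUTEENTRY_INFRA = {"212.11.64.105", "185.196.10.247"}

# SHA-256 hashes from the advisory, keyed lowercase for case-insensitive lookup.
KNOWN_HASHES = {
    "711d9427ee43bc2186b9124f31cba2db5f54ec9a0d56dc2948e1a4377bada289": "TernDoor loader DLL",
    "c9fc2af30f769d856b88b3051f19fdb663b3e0a0916279df9bbcba93c6a110c9": "PeerTime instrumentor binary",
}

# The advisory names the WSPrint executable in connection with scheduled-task and
# registry persistence; its on-disk path is not given, so match the name only.
WSPRINT_RE = re.compile(r"\bwsprint(?:\.exe)?\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    record_type: str
    reason: str
    line: str


def _infra_families(ip: str) -> List[str]:
    """Return which indicator sets (if any) contain this destination IP."""
    families = []
    if ip in TERNDOOR_C2:
        families.append("TernDoor C2")
    if ip in BRUTEENTRY_INFRA:
        families.append("BruteEntry infrastructure")
    return families


def scan_line(line: str) -> Optional[Hit]:
    """Classify one telemetry line; return a Hit if it matches an indicator."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(maxsplit=2)
    record_type = fields[0].lower()
    if record_type == "conn" and len(fields) == 3:
        dst_ip, _, _port = fields[2].partition(":")
        families = _infra_families(dst_ip)
        if families:
            return Hit(record_type, "outbound to " + ", ".join(families), line)
    elif record_type == "file" and len(fields) >= 2:
        label = KNOWN_HASHES.get(fields[1].lower())
        if label:
            return Hit(record_type, f"hash matches {label}", line)
    elif record_type in ("task", "reg") and WSPRINT_RE.search(line):
        return Hit(record_type, "persistence entry references WSPrint", line)
    return None


def scan_log(text: str) -> List[Hit]:
    """Run scan_line over every line of a log and collect the hits in order."""
    return [h for h in (scan_line(raw) for raw in text.splitlines()) if h]


# Constructed sample telemetry: the internal IPs, paths and task names are
# invented for this example; only the indicator values come from the advisory.
SAMPLE_LOG = r"""
conn 10.20.30.40 154.205.154.82:443
conn 10.20.30.41 8.8.8.8:53
conn 10.20.30.42 212.11.64.105:22
file 711d9427ee43bc2186b9124f31cba2db5f54ec9a0d56dc2948e1a4377bada289 C:\ProgramData\printsvc\helper.dll
file 0000000000000000000000000000000000000000000000000000000000000000 C:\Windows\System32\notepad.exe
task UpdatePrinter C:\ProgramData\printsvc\WSPrint.exe
task GoogleUpdateTaskMachine C:\Program Files\Google\Update\GoogleUpdate.exe
reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PrintHelper C:\ProgramData\printsvc\WSPrint.exe
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"[{hit.record_type}] {hit.reason}: {hit.line}")
```

Hash and IP matching is exact, so this catches only the samples and infrastructure already known to Talos; the WSPrint name match is the behavioural check that can surface a related but not yet catalogued loader, and it is also the one most likely to need tuning against legitimate print software in a given estate.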