A China-based advanced persistent cyber criminal tracked as UAT-9244 has been attacking telecommunication service providers in South America since 2024. Threat actor attacks Linux, Windows, and network-edge devices.
Cisco Talos researchers said that the hacker is related to the Tropic Trooper and FamousSparrow hacker groups, but it is tracked as a different activity cluster.
According to the experts, UAT-9244 shares the same victim profile as Salt Typhoon, but they are failing to find a link between the two security clusters.
New malware attacking telco networks
The experts found that the campaign used three previously unknown malware families: PeerTime, a Linux backdoor that employs BitTorrent; TernDoor, a Windows backdoor; and BruteEntry, a brute-force scanner that makes proxy infrastructure (ORBs).
About TernDoor
TernDoor is installed via DLL side-loading through the authentic executable wsprint.exe to deploy malicious code from BugSplatRc64.dll, which decodes and runs the final payload in memory (inserted inside msiexec.exe).
The malware consists of a WSPrint.sys, an embedded Windows driver, which is used for terminating, suspending, and resuming processes.
Persistence is gained through Windows Registry modifications and scheduled tasks, which also hide the scheduled task. Besides this, TernDoor runs commands through a remote shell, executes arbitrary processes, collects system data, reads/writes files, and self-deletes.
About PeerTime
PeerTime is an ELF Linux backdoor that attacks various architectures (MIPS, ARM, AARCH, PPC), hinting that it was made to attack a wide range of embedded systems and network devices.
Cisco Talos found the variants for PeerTime. The first variant is written in C/C++, and the second is based on Rust. The experts also found a Simplified Chinese debug string inside the instrumentor binary, which may be its source. The payload is decoded and installed in memory, and its process is renamed to look real.
About BruteEntry
Lastly, there is BruteEntry, which consists of a brute-forcing component and a Go-based instrumentor binary. Its function is to transform compromised devices into Operational Relay Boxes (ORBs), which are scanning nodes.
The attacker brute-forces SSH, PostgreSQL, and Tomcat by using workstations running BruteEntry to search for new targets. The C2 receives the results of the login attempt along with the task status and notes.
