
Operation UAT-9244: China-Nexus APT Targets South American Telecoms with Three Malware Implants


Executive Summary

Cisco Talos has disclosed a sophisticated campaign attributed to UAT-9244, a China-nexus Advanced Persistent Threat (APT) actor closely associated with the "Famous Sparrow" group. Since 2024, the actor has focused its efforts on critical telecommunications infrastructure across South America, using a multi-stage infection chain built on three distinct malware implants. The campaign targets Windows and Linux endpoints as well as network edge devices, and relies on techniques such as DLL side-loading, BitTorrent-based command and control (C2), and brute-force scanning.

Threat Analysis

The UAT-9244 campaign is characterized by its targeting of Tier 1 telecommunications providers. The actor employs a multi-layered approach to establish persistence and exfiltrate data. We have identified three primary components in this arsenal: TernDoor, PeerTime, and BruteEntry.

TernDoor: The Windows Backdoor

TernDoor is a Windows backdoor that serves as the final payload in the infection chain. It is delivered through DLL side-loading, a technique in which a legitimate executable is made to load a malicious DLL placed in its search path, so the malicious code runs inside a trusted process rather than being launched directly by the user.

The infection chain begins with a benign executable, wsprint[.]exe. This file acts as a dropper by loading a malicious Dynamic Link Library (DLL) named BugSplatRc64[.]dll. Once loaded into memory, the DLL reads a secondary data file, WSPrint[.]dll, decrypts its contents, and executes the resulting payload, TernDoor. Because the malicious activity is hidden behind a seemingly legitimate process, this obfuscation makes detection difficult for signature-based antivirus solutions.

MITRE ATT&CK Reference:

  • T1055.003: Process Injection / DLL Side-Loading
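The three-file chain above is easy to hunt for in endpoint telemetry. The following is an added example, not code from Cisco Talos or SecLookup: it checks Sysmon Event ID 7 ("Image loaded") style records for the exact wsprint.exe / BugSplatRc64.dll pair named in the report and, more generally, for an unsigned DLL loaded from a process's own directory outside trusted install locations. The directory paths, the trusted-directory baseline and the sample records are constructed assumptions.

```python
# Added example (not from the Talos report or SecLookup): hunt for the TernDoor
# DLL side-loading chain in Sysmon Event ID 7 ("Image loaded") style records.
# The filenames come from the report; directory paths and records are constructed.
from pathlib import PureWindowsPath

DROPPER = "wsprint.exe"
SIDELOADED_DLL = "bugsplatrc64.dll"
# Locations where a DLL load is normally expected (assumed baseline, tune per estate).
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64",
                "c:\\program files", "c:\\program files (x86)")


def is_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def check_image_load(event: dict) -> list:
    """Return the reasons an image-load event looks like side-loading (empty if none)."""
    image = PureWindowsPath(event["Image"])          # the process doing the load
    loaded = PureWindowsPath(event["ImageLoaded"])   # the DLL being loaded
    reasons = []
    # Exact pair described in the report: wsprint.exe loading BugSplatRc64.dll.
    if image.name.lower() == DROPPER and loaded.name.lower() == SIDELOADED_DLL:
        reasons.append("known UAT-9244 side-load pair")
    # Generic heuristic: an unsigned DLL pulled from the process's own directory
    # when that directory is outside the trusted install locations.
    same_dir = str(image.parent).lower() == str(loaded.parent).lower()
    unsigned = str(event.get("Signed", "false")).lower() != "true"
    if same_dir and unsigned and not is_trusted_dir(str(loaded.parent)):
        reasons.append("unsigned DLL loaded from untrusted process directory")
    return reasons


def hunt(events: list) -> list:
    """Return (process image, reason) pairs for every suspicious load."""
    return [(e["Image"], r) for e in events for r in check_image_load(e)]


# Constructed sample records: one matching the reported chain, two benign loads.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\Music\wsprint.exe",
     "ImageLoaded": r"C:\Users\Public\Music\BugSplatRc64.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for image, reason in hunt(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

The generic heuristic will also fire on legitimate software installed in user-writable directories, so it is a hunting lead to be triaged against the signer and file hash rather than a blocking rule.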

PeerTime: The BitTorrent C2

Perhaps the most innovative aspect of UAT-9244's toolset is the use of "PeerTime," an ELF-based backdoor designed for Linux environments. PeerTime utilizes the BitTorrent protocol to establish and maintain its command and control (C2) channel.

By using BitTorrent, the actor effectively turns the infected host into a node in a decentralized network. This approach provides several advantages: it obscures traffic patterns, bypasses standard firewall rules that block known C2 domains, and utilizes the bandwidth of multiple infected hosts to communicate. The BitTorrent protocol is inherently peer-to-peer, making it difficult for defenders to identify a single point of failure or a specific C2 server.
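Because the C2 rides on the public BitTorrent peer-wire protocol, defenders do not need a C2 domain to detect it. The following is an added example, not code from Cisco Talos or SecLookup: it parses the standard 68-byte peer-wire handshake (the 0x13 length byte, the string "BitTorrent protocol", 8 reserved bytes, a 20-byte info_hash and a 20-byte peer_id) out of captured TCP payloads from servers, on any port, and extracts the info_hash so it can be correlated across hosts. The flow records are constructed; the conventional 6881-6889 port range is used only to mark non-standard ports as a stronger signal.

```python
# Added example (not from the Talos report or SecLookup): spot BitTorrent peer-wire
# handshakes in TCP payloads captured from Linux servers, regardless of port.
# Flow records below are constructed; the handshake layout is the public protocol.
HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"   # pstrlen=19 followed by pstr
HANDSHAKE_LEN = 1 + 19 + 8 + 20 + 20              # + reserved, info_hash, peer_id
STANDARD_PORTS = range(6881, 6890)                # conventional client port range


def parse_handshake(payload: bytes):
    """Return (info_hash_hex, peer_id) if the payload opens with a handshake, else None."""
    if len(payload) < HANDSHAKE_LEN or not payload.startswith(HANDSHAKE_PREFIX):
        return None
    info_hash = payload[28:48]   # 20-byte SHA-1 identifying the torrent/swarm
    peer_id = payload[48:68]     # 20-byte client-chosen identifier
    return info_hash.hex(), peer_id


def detect_bittorrent(flows: list) -> list:
    """Return one alert per flow whose first payload bytes are a BitTorrent handshake."""
    alerts = []
    for f in flows:
        parsed = parse_handshake(f["payload"])
        if parsed is None:
            continue
        info_hash, peer_id = parsed
        alerts.append({
            "src": f["src"], "dst": f["dst"], "dport": f["dport"],
            "info_hash": info_hash, "peer_id": peer_id,
            # Recommendation 2: non-standard ports are a stronger signal.
            "nonstandard_port": f["dport"] not in STANDARD_PORTS,
        })
    return alerts


def make_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Build a handshake for the constructed samples (reserved bits left zero)."""
    return HANDSHAKE_PREFIX + b"\x00" * 8 + info_hash + peer_id


# Constructed flows: two handshakes from servers (one on a standard port, one not)
# and one TLS ClientHello that must not trigger.
SAMPLE_FLOWS = [
    {"src": "10.20.30.40", "dst": "203.0.113.7", "dport": 6881,
     "payload": make_handshake(b"\x11" * 20, b"-PT0001-constructed0")},
    {"src": "10.20.30.41", "dst": "203.0.113.9", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 57},
    {"src": "10.20.30.42", "dst": "198.51.100.5", "dport": 51413,
     "payload": make_handshake(b"\x22" * 20, b"-PT0001-constructed1")},
]

if __name__ == "__main__":
    for a in detect_bittorrent(SAMPLE_FLOWS):
        print(f"ALERT {a['src']} -> {a['dst']}:{a['dport']} info_hash={a['info_hash']}")
```

Clients that negotiate protocol encryption (MSE/PE) hide this plaintext handshake, so pair the payload check with the volumetric and peer-count anomalies that a server suddenly joining a swarm produces.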

BruteEntry: Operational Relay Boxes (ORBs)

The third implant, "BruteEntry," is a brute-force scanner deployed on network edge devices. This implant converts compromised routers or firewalls into Operational Relay Boxes (ORBs). These ORBs are then used to scan external networks for vulnerable services, specifically targeting SSH, PostgreSQL, and Apache Tomcat servers.

This strategy amplifies the actor's reach. By controlling edge devices, UAT-9244 can perform lateral movement and reconnaissance from within the internal network, leveraging the edge device's IP address to mask the source of the scans.

MITRE ATT&CK Reference:

  • T1110: Brute Force
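An ORB used as a BruteEntry scanner shows up in flow logs as one source fanning out across many destinations on the same few service ports. The following is an added example, not code from Cisco Talos or SecLookup: it aggregates distinct destinations per source and per targeted service (SSH, PostgreSQL and Tomcat on their default ports 22, 5432 and 8080) and flags sources above a fan-out threshold. The threshold value and the flow records are constructed assumptions.

```python
# Added example (not from the Talos report or SecLookup): flag sources that fan
# out across many hosts on the services BruteEntry targets, which is how an ORB
# scanner looks in flow logs. Ports are the service defaults; the threshold and
# the flow records below are assumptions/constructed.
from collections import defaultdict

TARGET_PORTS = {22: "ssh", 5432: "postgresql", 8080: "tomcat"}
FANOUT_THRESHOLD = 20   # distinct destinations per service before alerting (tune per estate)


def fanout_by_source(flows: list) -> dict:
    """Map (source, service) -> set of distinct destinations probed."""
    seen = defaultdict(set)
    for f in flows:
        service = TARGET_PORTS.get(f["dport"])
        if service is not None:
            seen[(f["src"], service)].add(f["dst"])
    return seen


def find_scanners(flows: list, threshold: int = FANOUT_THRESHOLD) -> dict:
    """Return {source: {service: distinct_destinations}} for sources over the threshold."""
    alerts = {}
    for (src, service), dsts in fanout_by_source(flows).items():
        if len(dsts) >= threshold:
            alerts.setdefault(src, {})[service] = len(dsts)
    return alerts


# Constructed flow log: 192.0.2.1 plays a compromised edge device probing 25 hosts
# on SSH and PostgreSQL; 10.0.0.5 is an admin host reconnecting to one server.
SAMPLE_FLOWS = [
    {"src": "192.0.2.1", "dst": f"198.51.100.{i}", "dport": port}
    for i in range(1, 26) for port in (22, 5432)
]
SAMPLE_FLOWS += [{"src": "10.0.0.5", "dst": "198.51.100.3", "dport": 22}] * 30

if __name__ == "__main__":
    for src, services in find_scanners(SAMPLE_FLOWS).items():
        print(f"ALERT scanner {src}: {services}")
```

Counting distinct destinations rather than raw connections is what separates a scanner from a busy but legitimate client, as the repeated admin connections in the sample show.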

Indicators of Compromise (IOCs)

SecLookup's threat intelligence platform has analyzed the infrastructure associated with this campaign. The following IOCs have been identified and verified.

Malicious Domains

The following domains have been confirmed as malicious and are being actively blocked by SecLookup.

bloopencil[.]net

Infrastructure Components

The campaign relies on specific filenames for initial infection and payload delivery. According to Cisco Talos, monitoring for these filenames is critical for hunting operations.

wsprint.exe
BugSplatRc64.dll
WSPrint.dll

SecLookup Detection

SecLookup is actively monitoring the threat landscape to protect our users from emerging threats like UAT-9244. Our threat intelligence platform has identified and blocked the malicious domain bloopencil[.]net associated with this campaign.

Recommendations

To defend against the UAT-9244 campaign and similar threats targeting the telecom sector, we recommend the following security measures:

  1. Monitor for DLL Side-Loading: Implement file integrity monitoring (FIM) on critical system binaries. Alert on processes attempting to load DLLs from non-standard directories, particularly those named similarly to legitimate system processes.

  2. BitTorrent Traffic Monitoring: While BitTorrent is a legitimate protocol, unexpected usage on internal enterprise networks can be a sign of compromise. Monitor for BitTorrent traffic on Linux endpoints and servers, especially from non-standard ports.

  3. Harden Edge Devices: Given the use of BruteEntry to convert edge devices into scanners, ensure that edge devices are strictly segmented from the rest of the network. Enforce strong, unique passwords and consider disabling unused services on these devices.

  4. SSH and Service Hardening: Since BruteEntry targets SSH, PostgreSQL, and Tomcat, ensure that these services are not exposed to the internet unnecessarily. Implement Multi-Factor Authentication (MFA) for all remote access and enforce key-based authentication for SSH.

  5. Suspicious Executable Analysis: The use of wsprint[.]exe as a dropper highlights the risk of benign-looking executables. Restrict execution permissions for unknown or unsigned executables in high-privilege environments.
