
A China-affiliated threat actor known as UAT-7290 is believed to be conducting espionage-based infiltrations against organizations in South Asia and Southeast Europe.
According to a Cisco Talos report published today, this activity cluster has been active since at least 2022 and primarily focuses on extensive technical reconnaissance of target organizations before launching attacks, ultimately leading to the deployment of malware families such as RushDrop, DriveSwitch, and SilentRaid.
Researchers Asheer Malhotra, Vitor Ventura, and Brandon White said, “In addition to UAT-7290 burrowing deep into victim companies’ network infrastructure and conducting espionage-focused attacks, its tactics, techniques, and procedures (TTPs) and tools suggest that the attacker also established Operational Relay Box (ORB) nodes.”
“The ORB infrastructure could then be used for malicious operations by other Chinese-aligned actors. This means that UAT-7290 is playing a dual role not only as a threat actor for espionage purposes, but also as an initial access group.”

The adversary's attacks primarily target telecommunications providers in South Asia. However, a recent wave of intrusions has expanded to organizations in Southeastern Europe.
UAT-7290's tooling is diverse and relies on a combination of open source malware, custom tools, and exploits for one-day vulnerabilities in popular edge networking products. Notable Windows implants used by the threat actor include RedLeaves (also known as BUGJUICE) and ShadowPad. Both of these are exclusively associated with Chinese hacker groups.
That said, the group primarily relies on Linux-based malware suites, including:
- RushDrop (also known as ChronosRAT), a dropper that initiates the infection chain
- DriveSwitch, a peripheral malware used to run SilentRaid on infected systems
- SilentRaid (also known as MystRodX), a C++-based implant that establishes persistent access to a compromised endpoint and takes a plugin-like approach to communicating with external servers, opening remote shells, configuring port forwarding, and performing file operations
It is worth noting that previous analysis by QiAnXin XLab flagged MystRodX as a variant of ChronosRAT. ChronosRAT is a modular ELF binary with shellcode execution, file management, keylogging, port forwarding, remote shell, screenshot capture, and proxy functionality. Palo Alto Networks Unit 42 is tracking a related threat cluster named CL-STA-0969.

Also deployed by UAT-7290 is a backdoor called Bulbature that is designed to convert compromised edge devices into ORBs. Bulbature was first documented by Sekoia in October 2024.
The cybersecurity firm said the threat actor has overlapping tactics and infrastructure with China-linked adversaries known as Stone Panda and RedFoxtrot (also known as Nomad Panda).
“Threat actors perform extensive reconnaissance of target organizations before performing intrusions. UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices, gain initial access, and escalate privileges on compromised systems,” researchers said. “The attackers appear to be relying on publicly available proof-of-concept exploit code rather than developing their own.”
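As an added illustration from the defensive side (not code from the Talos report), the following Python flags the SSH brute-force pattern described above in sshd logs: a burst of failed logins from one source against a public-facing host, escalated when a successful login from the same source follows the burst. The log lines, hostnames, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines (syslog style) for this example; not real telemetry.
SAMPLE_LOG = """\
Jan 10 03:14:01 edge-gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51201 ssh2
Jan 10 03:14:03 edge-gw sshd[2102]: Failed password for invalid user support from 203.0.113.5 port 51202 ssh2
Jan 10 03:14:05 edge-gw sshd[2103]: Failed password for root from 203.0.113.5 port 51203 ssh2
Jan 10 03:14:07 edge-gw sshd[2104]: Failed password for root from 203.0.113.5 port 51204 ssh2
Jan 10 03:14:09 edge-gw sshd[2105]: Failed password for root from 203.0.113.5 port 51205 ssh2
Jan 10 03:14:12 edge-gw sshd[2106]: Accepted password for root from 203.0.113.5 port 51206 ssh2
Jan 10 03:20:00 edge-gw sshd[2140]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 10 03:25:00 edge-gw sshd[2141]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse(line, year=2025):
    """Parse one sshd line into (timestamp, result, user, source_ip), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog lacks the year
    return ts, m["result"], m["user"], m["ip"]

def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: finding} for sources with >= threshold failures inside a sliding
    window; a later Accepted login from a flagged source escalates the finding."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    findings = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"severity": "brute_force", "failures": 0})
                f["failures"] = max(f["failures"], len(q))
        elif ip in findings:  # success from a source already flagged for a burst
            findings[ip]["severity"] = "success_after_failures"
            findings[ip]["user"] = user
    return findings
```

A single failure followed by a key-based login (the second source above) is deliberately not flagged, so the rule stays quiet on ordinary operator mistakes.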
