FYMOUS News
China-linked hackers use TernDoor, PeerTime, and BruteEntry in communications attacks in South America

By Ravi Lakshmanan, March 6, 2026. Cyber espionage / threat intelligence

China-linked advanced persistent threat (APT) actors have been targeting critical communications infrastructure in South America since 2024, hitting Windows and Linux systems as well as network edge devices with three distinct implants.

Cisco Talos tracks the activity as UAT-9244 and describes it as closely related to another cluster known as FamousSparrow.

Notably, FamousSparrow has been assessed to share tactical overlap with Salt Typhoon, a Chinese-aligned espionage group known for targeting telecommunications service providers. Despite the similar targeting footprints of UAT-9244 and Salt Typhoon, there is no conclusive evidence linking the two clusters.

Talos's analysis of the campaign found that the attack chain delivers three previously undocumented implants: TernDoor targets Windows, PeerTime (also known as Angrypeer) targets Linux, and BruteEntry is installed on network edge devices.

Although the exact initial access vector used in these attacks is unknown, the attackers have previously targeted systems running outdated versions of Windows Server and Microsoft Exchange Server to drop web shells for follow-on activity.

TernDoor is deployed through DLL sideloading: a legitimate executable, 'wsprint.exe', is used to load a malicious DLL ('BugSplatRc64.dll'), which decrypts and executes the final payload in memory. The backdoor, a variant of CrowDoor (itself a variant of SparrowDoor), is said to have been used by UAT-9244 since at least November 2024.

It establishes persistence on the host using a scheduled task or a registry Run key. It differs from CrowDoor in using a different set of command codes and in embedding a Windows driver to suspend, resume, and terminate processes. It supports a single command-line switch ('-u'), which uninstalls the implant from the host and removes all associated artifacts.

Once launched, it checks that it has been injected into 'msiexec.exe', then decodes its configuration and extracts the command-and-control (C2) parameters. It then establishes communication with the C2 server, which can instruct it to create processes, execute arbitrary commands, read and write files, gather system information, and deploy drivers that hide malicious components and manage processes.
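The chain described above (an unsigned DLL loaded from the same user-writable directory as the executable that loads it, an msiexec.exe host process started with no installer arguments, and persistence via a Run key or scheduled task) maps directly onto endpoint telemetry. The Python below is an added example, not Talos's code or tooling: it runs three heuristic rules over a handful of constructed, Sysmon-style events. The events, field names and paths are made up for the example; only the file names wsprint.exe and BugSplatRc64.dll come from the report.

```python
import re

# Constructed, Sysmon-style sample events for the example (not real telemetry).
# Only the file names wsprint.exe and BugSplatRc64.dll come from the Talos report.
SAMPLE_EVENTS = [
    {"event": "ImageLoad", "image": r"C:\Users\Public\Fonts\wsprint.exe",
     "loaded": r"C:\Users\Public\Fonts\BugSplatRc64.dll", "signed": "false"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Users\Public\Fonts\wsprint.exe", "cmdline": "msiexec.exe"},
    {"event": "RegistryValueSet",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\Public\Fonts\wsprint.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn "Updater" /tr C:\Users\Public\Fonts\wsprint.exe'},
    # Benign controls: an installer-driven msiexec and a normal system DLL load.
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "msiexec.exe /V"},
    {"event": "ImageLoad", "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\ntdll.dll", "signed": "true"},
]

SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Switches that indicate a genuine MSI operation; an injection host process has none.
MSI_SWITCHES = ("/i", "/x", "/a", "/p", "/f", "/v", ".msi", ".msp")


def _dir(path):
    return path.lower().rsplit("\\", 1)[0] + "\\"


def _base(path):
    return path.lower().rsplit("\\", 1)[-1]


def rule_sideload(ev):
    """Unsigned DLL loaded from the same non-system directory as the loading EXE."""
    if ev["event"] != "ImageLoad":
        return None
    exe_dir, dll_dir = _dir(ev["image"]), _dir(ev["loaded"])
    if exe_dir == dll_dir and not exe_dir.startswith(SYSTEM_ROOTS) and ev.get("signed") == "false":
        return f"possible DLL sideload: {_base(ev['image'])} loaded {_base(ev['loaded'])} from {exe_dir}"
    return None


def rule_msiexec_host(ev):
    """msiexec.exe started with no install arguments: a likely injection host."""
    if ev["event"] != "ProcessCreate" or _base(ev["image"]) != "msiexec.exe":
        return None
    args = ev.get("cmdline", "").lower()
    if any(s in args for s in MSI_SWITCHES):
        return None
    return f"msiexec.exe started without install arguments by {ev.get('parent')}"


def rule_persistence(ev):
    """Run-key value or scheduled task pointing at a user-writable path."""
    if ev["event"] == "RegistryValueSet" and "\\currentversion\\run\\" in ev["target"].lower():
        if ev["details"].lower().startswith(USER_WRITABLE):
            return f"Run key {ev['target']} -> {ev['details']}"
    if ev["event"] == "ProcessCreate" and _base(ev["image"]) == "schtasks.exe":
        m = re.search(r'/tr\s+"?([^"]+?)"?\s*(?:/|$)', ev.get("cmdline", ""), re.I)
        if m and m.group(1).strip().lower().startswith(USER_WRITABLE):
            return f"scheduled task pointing to {m.group(1).strip()}"
    return None


RULES = (rule_sideload, rule_msiexec_host, rule_persistence)


def triage(events):
    """Run every rule over every event; return (rule name, detail) pairs in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((rule.__name__, hit))
    return findings


if __name__ == "__main__":
    for name, detail in triage(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Each rule is deliberately generic: the sideload rule keys on directory co-location and signature state rather than on the DLL name, so it also catches a renamed loader, and the msiexec rule flags the hollow host process regardless of which parent spawned it. Tune the directory lists to the environment; software deployed under C:\ProgramData will otherwise show up in the persistence rule.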

Further analysis of UAT-9244's infrastructure uncovered a Linux peer-to-peer (P2P) backdoor known as PeerTime. It has been compiled for several architectures (ARM, AARCH, PPC and MIPS) so that it can infect a range of embedded systems. The ELF backdoors are deployed via shell scripts together with 'instrumenter' binaries.

“The Instrumenter ELF binary uses docker and the docker –q command to check for the presence of Docker on the compromised host,” said Talos researchers Asheer Malhotra and Brandon White. “If Docker is found, the PeerTime loader is executed. The installer consists of a debug string in Simplified Chinese, indicating that it is a custom binary created and deployed by a Chinese-speaking attacker.”

The loader's main purpose is to decrypt and decompress the final PeerTime payload and execute it directly in memory. Two variants of PeerTime exist: one written in C/C++ and a newer one written in Rust. Besides being able to rename itself to look like a benign process and evade detection, the backdoor uses the BitTorrent protocol to obtain C2 information, download files from peers, and execute them on the compromised system.
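Two things a Linux responder wants from the PeerTime description are a quick way to tell which architecture each staged ELF was built for, and a check for processes that have renamed themselves. The Python below is an added example, not Talos's tooling: elf_identity() reads the ELF identification bytes and the e_machine field, and renamed_process() compares a process's comm and argv[0] with the binary behind /proc/<pid>/exe, which neither prctl(PR_SET_NAME) nor rewriting argv changes. The ELF headers and process entries are constructed for the example; scan_proc() is the only part that touches a live host.

```python
import os
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification for the architectures named in the
# report, plus x86/x86-64 for contrast.
E_MACHINE = {0x03: "x86", 0x08: "MIPS", 0x14: "PPC", 0x15: "PPC64",
             0x28: "ARM", 0x3e: "x86-64", 0xb7: "AArch64"}


def elf_identity(blob):
    """Return (bits, byte order, machine, e_type) from an ELF header, or None if not ELF.
    Only the first 20 bytes are needed, so this works on a partial download."""
    if len(blob) < 20 or blob[:4] != ELF_MAGIC:
        return None
    bits = {1: 32, 2: 64}.get(blob[4])          # EI_CLASS
    order = {1: "<", 2: ">"}.get(blob[5])        # EI_DATA
    if bits is None or order is None:
        return None
    e_type, e_machine = struct.unpack(order + "HH", blob[16:20])
    machine = E_MACHINE.get(e_machine, f"unknown(0x{e_machine:x})")
    return bits, "LE" if order == "<" else "BE", machine, e_type


def classify_staging(files):
    """Map file name -> architecture string for a dict of staged payload bytes."""
    out = {}
    for name, blob in files.items():
        ident = elf_identity(blob)
        out[name] = "not ELF" if ident is None else f"{ident[2]} {ident[0]}-bit {ident[1]}"
    return out


def renamed_process(comm, exe_path, cmdline):
    """Reasons a Linux process looks renamed. comm is what ps/top show and is set by
    prctl(PR_SET_NAME); argv[0] is what cmdline shows; neither changes the target
    of /proc/<pid>/exe. The kernel truncates comm to 15 characters."""
    exe_base = os.path.basename(exe_path.replace(" (deleted)", ""))
    argv0 = os.path.basename(cmdline.split("\0", 1)[0]) if cmdline else ""
    reasons = []
    if comm and comm != exe_base[:15]:
        reasons.append(f"comm {comm!r} != exe {exe_base!r}")
    if argv0 and argv0 != exe_base:
        reasons.append(f"argv0 {argv0!r} != exe {exe_base!r}")
    if exe_path.endswith(" (deleted)") or exe_path.startswith("/memfd:"):
        reasons.append("backing file deleted or memfd-based (in-memory payload)")
    return reasons


def scan_proc(proc="/proc"):
    """Walk /proc on a live Linux host and return {pid: reasons} for renamed processes."""
    hits = {}
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        try:
            with open(f"{proc}/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"{proc}/{pid}/cmdline", "rb") as f:
                cmdline = f.read().decode("utf-8", "replace")
            exe = os.readlink(f"{proc}/{pid}/exe")
        except OSError:
            continue  # kernel threads have no exe; other processes may be unreadable
        reasons = renamed_process(comm, exe, cmdline)
        if reasons:
            hits[pid] = reasons
    return hits


def fake_elf(bits, big_endian, e_machine):
    """Constructed sample: a minimal 20-byte ELF header (not a real PeerTime file)."""
    e_ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack((">" if big_endian else "<") + "HH", 2, e_machine)


# Constructed staging directory: four PeerTime-style builds plus a dropper script.
SAMPLE_STAGING = {
    "peer_mips": fake_elf(32, True, 0x08),
    "peer_arm": fake_elf(32, False, 0x28),
    "peer_aarch64": fake_elf(64, False, 0xb7),
    "peer_ppc": fake_elf(32, True, 0x14),
    "install.sh": b"#!/bin/sh\n./loader\n",
}

if __name__ == "__main__":
    for name, arch in classify_staging(SAMPLE_STAGING).items():
        print(f"{name:14} {arch}")
    print(renamed_process("sshd", "/tmp/.cache/peer", "sshd\0"))
```

Expect false positives from interpreters (comm "python3" against exe python3.11, shell scripts whose exe is the shell) and from programs that legitimately call prctl, such as some daemons' worker processes; an allowlist keyed on the exe path handles those. The "(deleted)" and memfd cases are the ones worth paging on, since a loader that decrypts and runs the payload in memory leaves exactly that trace.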

A series of shell scripts and payloads are also staged on the threat actor's servers. Among them is a brute-force scanner codenamed BruteEntry, which is installed on edge devices to turn them into mass-scanning proxy nodes in an operational relay box (ORB) network capable of brute-force attacks against Postgres, SSH, and Tomcat servers.

This is accomplished through a shell script that drops two Golang-based components: an orchestrator that launches BruteEntry, which then connects to the C2 server to obtain a list of IP addresses to brute-force. BruteEntry reports any successful login back to the C2 server.

“‘Success’ indicates whether the brute force was successful (true or false), and ‘notes’ provides specific information about whether the brute force was successful,” Talos said. “If the login fails, the note will say ‘All credentials have been tried.’ ”
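BruteEntry's pattern (many failed logins against Postgres, SSH and Tomcat from the same source, then a success that is reported home) is what a log-based detector on the target side should key on. The Python below is an added example, not code from the report: it parses constructed sshd, PostgreSQL and Tomcat access-log lines, counts failures per source IP across all three services in a sliding window, and raises a second alert when a success follows a burst. The log lines are constructed for the example; the PostgreSQL lines assume a log_line_prefix that includes the client host (%h), since the default prefix does not record it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# Constructed log lines for the example (not from the report). sshd and PostgreSQL
# lines carry ISO timestamps; PostgreSQL assumes log_line_prefix = '%t %h ';
# Tomcat lines are in the default access-log format.
SAMPLE_LOGS = [
    "2026-03-01T10:00:01+00:00 edge1 sshd[4011]: Failed password for root from 203.0.113.5 port 41022 ssh2",
    "2026-03-01T10:00:02+00:00 edge1 sshd[4012]: Failed password for invalid user admin from 203.0.113.5 port 41023 ssh2",
    '2026-03-01T10:00:03+00:00 203.0.113.5 FATAL:  password authentication failed for user "postgres"',
    '2026-03-01T10:00:04+00:00 203.0.113.5 FATAL:  password authentication failed for user "admin"',
    '203.0.113.5 - - [01/Mar/2026:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.5 - - [01/Mar/2026:10:00:06 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    "2026-03-01T10:00:09+00:00 edge1 sshd[4020]: Accepted password for backup from 203.0.113.5 port 41030 ssh2",
    "2026-03-01T10:03:00+00:00 edge1 sshd[4031]: Failed password for alice from 198.51.100.7 port 50002 ssh2",
    "2026-03-01T10:03:05+00:00 edge1 sshd[4032]: Accepted publickey for alice from 198.51.100.7 port 50003 ssh2",
    "2026-03-01T10:03:06+00:00 edge1 CRON[4040]: (root) CMD (run-parts /etc/cron.hourly)",
]

SSH_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<res>Failed|Accepted) "
                    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
PG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>[\d.]+) (?P<res>FATAL|LOG):\s+'
                   r'(?:password authentication failed for user "|connection authorized: user=)(?P<user>[^"\s]+)')
TOMCAT_RE = re.compile(r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ /manager\S* [^"]+" (?P<status>\d{3})')


class Attempt(NamedTuple):
    ts: datetime
    service: str
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Optional[Attempt]:
    """Normalise one line from any of the three services into an Attempt, or None."""
    m = SSH_RE.match(line)
    if m:
        return Attempt(datetime.fromisoformat(m["ts"]), "ssh", m["ip"], m["user"], m["res"] == "Accepted")
    m = PG_RE.match(line)
    if m:
        return Attempt(datetime.fromisoformat(m["ts"]), "postgres", m["ip"], m["user"], m["res"] == "LOG")
    m = TOMCAT_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return Attempt(ts, "tomcat", m["ip"], "-", m["status"] == "200")
    return None


def detect(lines, window=timedelta(minutes=5), threshold=5):
    """Sliding-window brute-force detector keyed on source IP across all services.
    Returns (alert, ip, service, user, failures_in_window) tuples."""
    attempts = sorted((a for a in map(parse_line, lines) if a), key=lambda a: a.ts)
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    alerted = set()
    alerts = []
    for a in attempts:
        q = failures[a.ip]
        while q and a.ts - q[0] > window:
            q.popleft()
        if a.ok:
            # The event BruteEntry reports home: a success on the heels of a burst.
            if len(q) >= threshold:
                alerts.append(("success_after_bruteforce", a.ip, a.service, a.user, len(q)))
            continue
        q.append(a.ts)
        if len(q) >= threshold and a.ip not in alerted:
            alerted.add(a.ip)
            alerts.append(("bruteforce", a.ip, a.service, a.user, len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The window is keyed on the source address rather than on (address, service) on purpose: a scanner that spreads a few attempts over Postgres, SSH and Tomcat stays under any per-service threshold but not under the combined one. The trade-off is that sources behind a shared NAT will aggregate too, so the threshold needs tuning per network, and the "success after burst" alert is the one to treat as an incident rather than noise.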


© 2026 news.fyself. Designed by by fyself.
