China-Linked Cyber Attacks Target South American Telecoms with Advanced Malware
Since 2024, a sophisticated cyber espionage campaign attributed to a China-linked advanced persistent threat (APT) group, designated as UAT-9244 by Cisco Talos, has been targeting critical telecommunications infrastructure across South America. This group has deployed a trio of previously undocumented malware implants—TernDoor, PeerTime, and BruteEntry—designed to infiltrate Windows and Linux systems, as well as network edge devices.
Overview of UAT-9244 and Its Connections
UAT-9244’s activities bear a close resemblance to those of another threat cluster known as FamousSparrow. Notably, FamousSparrow shares tactical overlaps with Salt Typhoon, a China-nexus espionage group notorious for targeting telecommunication service providers. Despite these similarities, definitive evidence linking UAT-9244 directly to Salt Typhoon remains elusive.
Deployment and Functionality of TernDoor
TernDoor, a Windows-targeting backdoor, is introduced into systems through DLL side-loading. The attackers exploit a legitimate executable, wsprint.exe, to load a malicious DLL named BugSplatRc64.dll, which decrypts and executes the final payload in memory. This backdoor, a variant of CrowDoor (itself derived from SparrowDoor), has been in use by UAT-9244 since at least November 2024.
To maintain persistence, TernDoor employs scheduled tasks or modifies the Registry Run key. It distinguishes itself from CrowDoor by utilizing a different set of command codes and incorporating a Windows driver capable of suspending, resuming, and terminating processes. Additionally, it supports a single command-line switch (-u) to uninstall itself and remove all associated artifacts.
Upon execution, TernDoor verifies its injection into msiexec.exe, decodes its configuration to extract command-and-control (C2) parameters, and establishes communication with the C2 server. This connection enables the backdoor to create processes, execute arbitrary commands, read and write files, gather system information, and deploy the driver to conceal malicious components and manage processes.
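The chain described above (wsprint.exe side-loading BugSplatRc64.dll, Run-key or scheduled-task persistence, and msiexec.exe as the injection host) lends itself to a simple telemetry filter. The following is an added example, not code from the Talos report; the event shape, field names and file paths are simplified assumptions modelled on Sysmon-style records.

```python
"""Added example: triage filter over constructed Sysmon-style events for the TernDoor
behaviours the article describes. Field names and paths are assumptions, not IoCs."""
from typing import Iterable

SIDELOAD_HOST = "wsprint.exe"        # legitimate executable abused for side-loading
SIDELOAD_DLL = "bugsplatrc64.dll"    # malicious DLL named in the report
INJECTION_HOST = "msiexec.exe"       # process TernDoor expects to be injected into


def triage(events: Iterable[dict]) -> list[str]:
    """Return one human-readable finding per event matching the described chain."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        image = ev.get("image", "").lower()
        if (kind == "image_load" and image.endswith(SIDELOAD_HOST)
                and ev.get("loaded", "").lower().endswith(SIDELOAD_DLL)):
            findings.append(f"side-load: {ev['image']} loaded {ev['loaded']}")
        elif (kind == "registry_set" and "\\currentversion\\run" in ev.get("key", "").lower()
                and SIDELOAD_HOST in ev.get("value", "").lower()):
            findings.append(f"persistence: Run key -> {ev['value']}")
        elif kind == "task_create" and SIDELOAD_HOST in ev.get("command", "").lower():
            findings.append(f"persistence: scheduled task {ev['name']} -> {ev['command']}")
        elif kind == "network_connect" and image.endswith(INJECTION_HOST):
            # msiexec.exe normally only fetches packages during an install; an outbound
            # connection outside that context is a heuristic worth a look, not proof.
            findings.append(f"network: {ev['image']} -> {ev['dest']}")
    return findings


# Constructed sample telemetry: two benign events and four matching the described chain.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"type": "image_load", "image": r"C:\Users\Public\wsprint.exe",
     "loaded": r"C:\Users\Public\BugSplatRc64.dll"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\Public\wsprint.exe"},
    {"type": "task_create", "name": "Updater", "command": r"C:\Users\Public\wsprint.exe"},
    {"type": "network_connect", "image": r"C:\Windows\System32\msiexec.exe",
     "dest": "203.0.113.10:443"},
    {"type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "198.51.100.7:443"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```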
Introduction of PeerTime: A Linux P2P Backdoor
Further investigation into UAT-9244’s infrastructure revealed PeerTime, a Linux-based peer-to-peer (P2P) backdoor. Compiled for multiple architectures—including ARM, AARCH, PPC, and MIPS—PeerTime is designed to infect a wide range of embedded systems. Deployment involves a shell script that installs both the ELF backdoor and an accompanying instrumentor binary.
The instrumentor binary checks for Docker’s presence on the compromised host using commands like docker and docker -q. If Docker is detected, the PeerTime loader is executed. Notably, the instrumentor contains debug strings in Simplified Chinese, suggesting its development by Chinese-speaking threat actors.
The loader’s primary function is to decrypt and decompress the final PeerTime payload, executing it directly in memory. PeerTime exists in two versions: one written in C/C++ and a newer variant developed in Rust. To evade detection, the backdoor can rename itself to mimic benign processes. It utilizes the BitTorrent protocol to retrieve C2 information, download files from peers, and execute them on the compromised system.
BruteEntry: Exploiting Network Edge Devices
UAT-9244 also employs BruteEntry, a tool installed on network edge devices to transform them into mass-scanning proxy nodes within an Operational Relay Box (ORB). This setup facilitates brute-force attacks on Postgres, SSH, and Tomcat servers.
The process begins with a shell script that deploys two Golang-based components: an orchestrator and the BruteEntry binary it delivers. BruteEntry then contacts a C2 server to obtain a list of IP addresses targeted for brute-force attacks and reports the results back to the C2 server, indicating whether each attempt was successful and providing specific notes on the outcome.
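Because the page describes one relay node spraying logins at Postgres, SSH and Tomcat, a defender's signal is a single source address failing authentication across several of those services. The following is an added example, not code from the Talos report; the log formats are assumptions (default sshd syslog lines, a Postgres log_line_prefix that includes the client address, and Tomcat access-log entries returning 401 for the Manager app) and the sample lines are constructed.

```python
"""Added example: correlate failed logins across the three services the article says
BruteEntry targets. Log formats are assumptions; sample lines are constructed."""
import re
from collections import defaultdict

# One regex per service; each captures the client address of a failed authentication.
PATTERNS = {
    "ssh": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port"),
    "postgres": re.compile(r"^\S+ \S+ \S+ (\S+) \[\d+\] FATAL:\s+password authentication failed"),
    "tomcat": re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\w+ /manager\S* HTTP/[\d.]+" 401 '),
}


def failed_logins(lines):
    """Map source IP -> {service: failure count}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        for service, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                counts[m.group(1)][service] += 1
                break
    return counts


def flag_sources(lines, threshold=5):
    """Flag an IP that exceeds `threshold` failures in total or touches two or more
    services; one host spraying Postgres, SSH and Tomcat is the relay-node pattern."""
    flagged = {}
    for ip, per_service in failed_logins(lines).items():
        if sum(per_service.values()) >= threshold or len(per_service) >= 2:
            flagged[ip] = dict(per_service)
    return flagged


# Constructed sample: one relay node hitting all three services, one user mistyping once.
SAMPLE_LOGS = [
    "Jan 10 12:00:01 db1 sshd[4120]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Jan 10 12:00:02 db1 sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2",
    '2025-01-10 12:00:03 UTC 203.0.113.5 [5678] FATAL:  password authentication failed for user "postgres"',
    '203.0.113.5 - - [10/Jan/2025:12:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    "Jan 10 12:00:05 db1 sshd[4122]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
    "Jan 10 12:00:06 db1 sshd[4123]: Accepted password for alice from 198.51.100.7 port 40000 ssh2",
]

if __name__ == "__main__":
    for ip, services in flag_sources(SAMPLE_LOGS).items():
        print(ip, services)
```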
Implications and Broader Context
The deployment of TernDoor, PeerTime, and BruteEntry underscores the evolving tactics of China-linked APT groups in targeting telecommunications infrastructure. These sophisticated tools enable attackers to maintain prolonged access, exfiltrate sensitive data, and potentially disrupt critical services.
This campaign is part of a broader pattern of cyber espionage activities attributed to Chinese threat actors. For instance, in November 2024, Salt Typhoon exploited vulnerabilities in U.S. telecommunications companies, including T-Mobile, to access valuable information. Similarly, in June 2024, a China-nexus cyber espionage actor infiltrated an East Asian firm for three years using legacy F5 BIG-IP appliances as internal command-and-control servers.
These incidents highlight the persistent and adaptive nature of China-linked cyber threats, emphasizing the need for robust cybersecurity measures, regular system updates, and comprehensive monitoring to detect and mitigate such sophisticated attacks.