China-Linked Cyber Group UAT-9244 Targets South American Telecoms with Advanced Malware
Since 2024, a sophisticated cyber espionage campaign has been targeting telecommunications providers across South America. The group behind these attacks, identified as UAT-9244, has deployed a suite of custom malware designed to infiltrate and control critical network infrastructure.
Malware Arsenal and Tactics
UAT-9244’s toolkit comprises three primary malware implants:
1. TernDoor: A Windows-based backdoor, TernDoor is an evolution of the previously documented CrowDoor malware. It employs DLL side-loading techniques to execute malicious code in memory, thereby evading traditional file-based detection methods. Once active, TernDoor injects itself into legitimate Windows processes, such as `msiexec.exe`, to conceal its presence. It is capable of executing remote commands, managing files, and collecting system information.
2. PeerTime: This Linux-based backdoor utilizes the BitTorrent protocol for command and control communications. By leveraging peer-to-peer traffic, PeerTime’s activities blend seamlessly with regular network operations, making detection challenging.
3. BruteEntry: Targeting network edge devices, BruteEntry transforms compromised hardware into Operational Relay Boxes (ORBs). These ORBs are then used to conduct brute-force attacks on SSH, PostgreSQL, and Apache Tomcat servers, facilitating further network penetration and establishing additional footholds.
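PeerTime's use of the BitTorrent peer-wire protocol for command and control is detectable at the network layer even though the traffic looks like ordinary file sharing: a core telecom server has no reason to open BitTorrent sessions at all. The following Python is an added example (not code from Cisco Talos or from the malware analysis) that parses the BEP 3 peer-wire handshake and flags handshakes originating from a monitored server range. The flow records, IP addresses and server subnet are constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 68  # 1 + 19 + 8 reserved + 20 info_hash + 20 peer_id


def parse_handshake(payload: bytes):
    """Parse a BitTorrent peer-wire handshake (BEP 3):
    <pstrlen=19><"BitTorrent protocol"><8 reserved><20-byte info_hash><20-byte peer_id>.
    Returns a dict, or None when the payload is not a handshake."""
    if len(payload) < HANDSHAKE_LEN or payload[0] != len(PSTR) or payload[1:20] != PSTR:
        return None
    return {
        "reserved": payload[20:28].hex(),
        "info_hash": payload[28:48].hex(),
        "peer_id": payload[48:68].decode("latin-1"),
    }


def find_suspicious_handshakes(flows, monitored_nets):
    """flows: iterable of (src_ip, dst_ip, dst_port, first_payload_bytes).
    Alerts on any peer-wire handshake whose source lies in a monitored server range,
    where BitTorrent is never expected (policy-based detection, not signature-based)."""
    nets = [ip_network(n) for n in monitored_nets]
    alerts = []
    for src, dst, dport, payload in flows:
        hs = parse_handshake(payload)
        if hs is None:
            continue
        if any(ip_address(src) in n for n in nets):
            alerts.append({"src": src, "dst": dst, "dport": dport, **hs})
    return alerts


def make_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    # Builds a constructed handshake for the sample data below.
    return bytes([len(PSTR)]) + PSTR + b"\x00" * 8 + info_hash + peer_id


# Constructed sample flows (addresses from documentation ranges).
SAMPLE_FLOWS = [
    # A Linux core server opening a peer-wire session: this is the alert case.
    ("10.20.0.15", "203.0.113.44", 6881,
     make_handshake(bytes(range(20)), b"-XX0001-" + b"0" * 12)),
    # Ordinary TLS ClientHello prefix from the same server: not a handshake, ignored.
    ("10.20.0.15", "198.51.100.7", 443,
     b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + b"\x00" * 60),
    # BitTorrent from a staff workstation subnet that this policy does not cover.
    ("192.168.50.9", "203.0.113.44", 6881,
     make_handshake(b"\xaa" * 20, b"-XX0002-" + b"1" * 12)),
]
MONITORED = ["10.20.0.0/24"]  # constructed: the server range where BitTorrent is never legitimate

if __name__ == "__main__":
    for a in find_suspicious_handshakes(SAMPLE_FLOWS, MONITORED):
        print(f"ALERT {a['src']} -> {a['dst']}:{a['dport']} "
              f"info_hash={a['info_hash']} peer_id={a['peer_id']}")
```

The check only sees plaintext TCP peer-wire handshakes; sessions negotiated with BitTorrent's message stream encryption, or peer discovery over DHT/UDP, need separate detections (unexpected UDP to many peers, or protocol-detection output from an IDS) and a baseline of which hosts are allowed to speak BitTorrent at all.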
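BruteEntry's ORBs brute-force three different services, so a single source typically shows up in sshd, PostgreSQL and Tomcat logs at once. The Python below is an added example (not part of the original report) that correlates authentication failures across those three log formats by source address and raises an alert once a source passes a per-service threshold, also recording every service that source touched. The log lines are constructed; the PostgreSQL lines assume a `log_line_prefix` that includes the client host (`%h`), and the Tomcat lines assume the default access-log format with manager-application requests returning 401.

```python
import re
from collections import Counter, defaultdict

# One pattern per service; each captures the client address as "src".
PATTERNS = {
    "ssh": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<src>[\d.]+) port \d+"),
    # assumes log_line_prefix contains %h so the client host precedes the message
    "postgresql": re.compile(
        r"(?P<src>[\d.]+)\(\d+\) \S+ FATAL:\s+password authentication failed for user"),
    # Tomcat access log: 401 on the manager application
    "tomcat": re.compile(
        r'^(?P<src>[\d.]+) \S+ \S+ \[[^\]]+\] "\w+ /manager\S* HTTP/[\d.]+" 401 '),
}


def classify(line: str):
    """Return (service, source_ip) for an authentication failure, else None."""
    for service, pat in PATTERNS.items():
        m = pat.search(line)
        if m:
            return service, m.group("src")
    return None


def brute_force_sources(lines, threshold=5):
    """Count failures per (source, service); alert when a pair reaches the threshold.
    Each alert also lists every service the source failed against, which is the
    multi-protocol pattern described for BruteEntry."""
    failures = Counter()
    services = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        service, src = hit
        failures[(src, service)] += 1
        services[src].add(service)
    alerts = []
    for (src, service), n in failures.items():
        if n >= threshold:
            alerts.append({"src": src, "service": service, "failures": n,
                           "services_hit": sorted(services[src])})
    return sorted(alerts, key=lambda a: (a["src"], a["service"]))


# Constructed sample log lines (documentation addresses only).
SAMPLE_LOGS = (
    [f"May  1 10:00:{i:02d} edge01 sshd[4120]: Failed password for invalid user admin "
     f"from 203.0.113.9 port 5{i:04d} ssh2" for i in range(6)]
    + ['2024-05-01 10:01:00 UTC [2210] 203.0.113.9(50211) postgres@telecomdb FATAL:  '
       'password authentication failed for user "postgres"'] * 5
    + ['203.0.113.9 - - [01/May/2024:10:02:00 +0000] "GET /manager/html HTTP/1.1" 401 2473'] * 2
    + ["May  1 10:03:11 edge01 sshd[4130]: Failed password for ops from 198.51.100.20 port 41022 ssh2",
       "May  1 10:03:15 edge01 sshd[4130]: Accepted password for ops from 198.51.100.20 port 41022 ssh2"]
)

if __name__ == "__main__":
    for a in brute_force_sources(SAMPLE_LOGS):
        print(f"ALERT {a['src']} {a['service']} failures={a['failures']} "
              f"also_hit={','.join(a['services_hit'])}")
```

A fixed count is enough to show the correlation; in production the counter should be windowed by time and the `services_hit` field is the more useful signal, since a single source failing against SSH, PostgreSQL and Tomcat in the same window is rarely an operator mistyping a password.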
Attribution and Connections
Cisco Talos researchers have linked UAT-9244 with high confidence to other known China-nexus Advanced Persistent Threat (APT) groups, including FamousSparrow and Tropic Trooper. This assessment is based on shared tools, overlapping tactics, and similar victim profiles. Notably, TernDoor’s lineage traces back through CrowDoor to SparrowDoor, a backdoor associated with FamousSparrow. Additionally, the PeerTime instrumentor binary contains debug strings in Simplified Chinese, indicating the involvement of Chinese-speaking operators.
Scope and Implications
The scale of UAT-9244’s operations is significant. Researchers identified a shared SSL certificate linked to 18 IP addresses, suggesting a well-resourced and expansive command-and-control infrastructure. While both UAT-9244 and another group, Salt Typhoon, target telecommunications providers, no direct connection between the two has been confirmed. However, the focus of multiple China-aligned actors on telecom infrastructure underscores the strategic value of these networks for state-sponsored intelligence gathering.
Infection Chain and Persistence Mechanisms
TernDoor’s deployment begins with DLL side-loading, where a benign executable (`wsprint.exe`) loads a malicious DLL (`BugSplatRc64.dll`). This loader decrypts and executes shellcode entirely in memory, bypassing file-based detection. The shellcode then decompresses and launches TernDoor, which injects itself into legitimate processes to evade detection. To maintain persistence, TernDoor creates scheduled tasks and modifies registry keys, ensuring it remains active across system reboots.
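The TernDoor chain described above (the `wsprint.exe` / `BugSplatRc64.dll` side-load, injection into `msiexec.exe`, and scheduled-task and registry persistence) maps onto a handful of endpoint telemetry rules. The Python below is an added example, not detection content from Cisco Talos, that runs such rules over Sysmon-style events (event IDs 1, 7, 8 and 13 are Sysmon's process create, image load, CreateRemoteThread and registry set-value events). The event records and the `C:\ProgramData\Printer\` path are constructed; the Run key and the `schtasks` command line are assumed persistence locations, since the report does not name the specific keys or tasks TernDoor uses.

```python
import ntpath

WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def _under(path: str, prefixes) -> bool:
    return path.lower().startswith(prefixes)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_known_sideload_pair(e):
    # Exact pairing from the report: wsprint.exe loading BugSplatRc64.dll.
    return (e["EventID"] == 7 and _name(e["Image"]) == "wsprint.exe"
            and _name(e["ImageLoaded"]) == "bugsplatrc64.dll")


def rule_generic_sideload(e):
    # Generalisation: an unsigned DLL loaded from a user-writable directory by an
    # executable sitting in that same directory, the usual side-loading layout.
    if e["EventID"] != 7 or e.get("Signed", "true").lower() == "true":
        return False
    return (_under(e["ImageLoaded"], USER_WRITABLE)
            and ntpath.dirname(e["Image"]).lower() == ntpath.dirname(e["ImageLoaded"]).lower())


def rule_injection_into_msiexec(e):
    # Remote thread created in msiexec.exe by a process outside the Windows directories.
    return (e["EventID"] == 8 and _name(e["TargetImage"]) == "msiexec.exe"
            and not _under(e["SourceImage"], WINDOWS_DIRS))


def rule_run_key_from_user_path(e):
    # Assumed persistence location: a Run-key value written by a user-writable-path binary.
    return (e["EventID"] == 13 and "\\currentversion\\run\\" in e["TargetObject"].lower()
            and _under(e["Image"], USER_WRITABLE))


def rule_schtasks_from_user_path(e):
    # Assumed persistence method: schtasks /create spawned by a user-writable-path parent.
    return (e["EventID"] == 1 and _name(e["Image"]) == "schtasks.exe"
            and "/create" in e["CommandLine"].lower()
            and _under(e["ParentImage"], USER_WRITABLE))


RULES = [rule_known_sideload_pair, rule_generic_sideload, rule_injection_into_msiexec,
         rule_run_key_from_user_path, rule_schtasks_from_user_path]


def evaluate(events):
    """Return (rule name, EventID, acting image) for every rule each event matches."""
    hits = []
    for e in events:
        for rule in RULES:
            if rule(e):
                hits.append((rule.__name__, e["EventID"], e.get("Image") or e.get("SourceImage")))
    return hits


LOADER = "C:\\ProgramData\\Printer\\wsprint.exe"  # constructed drop location
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": LOADER, "ImageLoaded": "C:\\ProgramData\\Printer\\BugSplatRc64.dll",
     "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"},
    {"EventID": 8, "SourceImage": LOADER, "TargetImage": "C:\\Windows\\System32\\msiexec.exe"},
    {"EventID": 13, "Image": LOADER,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": LOADER,
     "CommandLine": "schtasks /create /sc onlogon /tn Updater /tr " + LOADER},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "ParentImage": "C:\\Program Files\\Vendor\\installer.exe",
     "CommandLine": "schtasks /create /sc daily /tn VendorUpdate /tr update.exe"},
]

if __name__ == "__main__":
    for name, eid, image in evaluate(SAMPLE_EVENTS):
        print(f"{name:32} event={eid:<3} image={image}")
```

The first rule is a narrow indicator and will stop matching as soon as the operators rename the loader pair; the remaining four describe the behaviour (unsigned DLL next to its host executable in a writable directory, a remote thread into `msiexec.exe` from outside `System32`, persistence written by a binary in a user-writable path) and are the ones worth keeping in a detection set. Expect the `msiexec.exe` rule to need tuning where installers legitimately run from `Program Files`.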
Conclusion
The activities of UAT-9244 highlight the evolving threat landscape faced by telecommunications providers. The group’s sophisticated malware suite and strategic targeting of critical infrastructure components emphasize the need for robust cybersecurity measures and continuous monitoring to detect and mitigate such advanced threats.