Cyber: Chinese State Hackers Target Telcos With New Malware Toolkit
A China-linked advanced persistent threat actor tracked as UAT-9244 has been targeting telecommunication service providers in South America since 2024, compromising Windows, Linux, and network-edge devices.
According to Cisco Talos researchers, the adversary is closely associated with the FamousSparrow and Tropic Trooper hacker groups, but is tracked as a separate activity cluster.
Talos makes this assessment with high confidence, based on overlaps in tooling, tactics, techniques, and procedures (TTPs), and victimology with attacks previously attributed to those two groups.
The researchers note that while UAT-9244 shares the same target profile as Salt Typhoon, they could not establish a solid connection between the two activity clusters.
The researchers found that the campaign used three previously undocumented malware families: TernDoor, a Windows backdoor; PeerTime, a Linux backdoor that communicates over BitTorrent; and BruteEntry, a brute-force scanner used to build operational relay box (ORB) proxy infrastructure.
TernDoor is deployed through DLL side-loading: the legitimate executable wsprint.exe loads a malicious BugSplatRc64.dll, which decrypts the final payload and executes it in memory by injecting it into msiexec.exe.
The malware carries an embedded Windows driver, WSPrint.sys, which it uses to terminate, suspend, and resume processes.
Persistence is achieved through scheduled tasks, and Windows Registry modifications are used both for persistence and to hide the scheduled task from view.
Additionally, TernDoor can execute commands via remote shell, run arbitrary processes, read/write files, collect system information, and self-uninstall.
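The loading chain above (signed host EXE side-loading a DLL, an embedded driver, injection into msiexec.exe, and a registry change that hides a scheduled task) maps cleanly onto a handful of endpoint telemetry events. The hunt below is an added example, not code from Cisco Talos or BleepingComputer: it runs four rules over constructed dicts whose field names follow Sysmon's schema for event IDs 6 (DriverLoad), 7 (ImageLoad), 8 (CreateRemoteThread) and 12 (RegistryEvent). Every path, task name and signer value is invented, and the registry rule assumes the task-hiding trick is deletion of the per-task SD (security descriptor) value under TaskCache\Tree, which the article does not confirm for TernDoor.

```python
"""Hunt for the TernDoor loading chain in Sysmon-style events.

Added example, not Cisco Talos or BleepingComputer code. Event dicts are
constructed; field names follow Sysmon's schema, values are invented.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# Assumption: the task is hidden by deleting its SD value under TaskCache\Tree,
# which makes schtasks and the Task Scheduler UI skip the entry. The article
# only says registry changes hide the task, so this is one hypothesis to hunt.
HIDDEN_TASK_RE = re.compile(r"\\Schedule\\TaskCache\\Tree\\(?P<task>[^\\]+)\\SD$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    detail: str


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def check_event(ev: dict) -> Optional[Finding]:
    eid = ev.get("EventID")
    if eid == 7:  # ImageLoad: the legitimate host EXE pulling in the side-loaded DLL
        if _base(ev["Image"]) == "wsprint.exe" and _base(ev["ImageLoaded"]) == "bugsplatrc64.dll":
            unsigned = ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid"
            if unsigned or not _in_system_dir(ev["ImageLoaded"]):
                return Finding("sideload", f"wsprint.exe loaded {ev['ImageLoaded']} (Signed={ev.get('Signed')})")
    elif eid == 6:  # DriverLoad: process-control driver loaded from outside the drivers directory
        if _base(ev["ImageLoaded"]) == "wsprint.sys" and not ev["ImageLoaded"].lower().startswith(DRIVER_DIR):
            return Finding("driver", f"WSPrint.sys loaded from {ev['ImageLoaded']}")
    elif eid == 8:  # CreateRemoteThread: loader injecting the decrypted payload into msiexec.exe
        if _base(ev["SourceImage"]) == "wsprint.exe" and _base(ev["TargetImage"]) == "msiexec.exe":
            return Finding("inject", f"{ev['SourceImage']} -> {ev['TargetImage']}")
    elif eid == 12:  # RegistryEvent: SD value removed from a scheduled task's Tree entry
        m = HIDDEN_TASK_RE.search(ev.get("TargetObject", ""))
        if ev.get("EventType") == "DeleteValue" and m:
            return Finding("hidden_task", f"SD value removed for task {m.group('task')} by {ev.get('Image')}")
    return None


def hunt(events: Iterable[dict]) -> List[Finding]:
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample telemetry: four malicious events, then one benign load of a
# validly signed DLL from a vendor directory that the rules must not flag.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\wsprint.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\BugSplatRc64.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\Libraries\WSPrint.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\Libraries\wsprint.exe",
     "TargetImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 12, "EventType": "DeleteValue", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ExampleSync\SD"},
    {"EventID": 7, "Image": r"C:\Program Files\ExampleVendor\wsprint.exe",
     "ImageLoaded": r"C:\Program Files\ExampleVendor\BugSplatRc64.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.detail}")
```

The driver rule deliberately keys on location rather than signature status: a driver that can terminate and suspend processes is a strong signal when it arrives in a user-writable directory regardless of whether it carries a valid signature, and a signature check alone would miss an abused or stolen-certificate driver. The side-loading rule flags the pair only when the DLL is unsigned or sits outside a system directory, so the same vendor binary installed properly does not fire it.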
PeerTime is an ELF Linux backdoor built for multiple architectures (ARM, AArch64, PowerPC, and MIPS), suggesting it was designed to compromise the broad range of embedded systems and network devices used in telecom environments.
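When a family ships builds for several architectures, the first triage step is sorting samples by target CPU, which the ELF header states directly: EI_CLASS and EI_DATA in e_ident give word size and endianness, and e_machine at offset 18 gives the architecture. The script below is an added example, not Talos or BleepingComputer code; the four "samples" are constructed 64-byte headers with only e_ident, e_type and e_machine populated, so they stand in for the PeerTime builds rather than being real malware.

```python
"""Triage ELF samples by architecture from the header alone.

Added example; the sample headers are constructed, not real PeerTime binaries.
"""
import struct
from typing import Dict

# e_machine values from the ELF specification (subset relevant to this family)
EM_NAMES = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x15: "PowerPC64",
            0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
E_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def elf_triage(data: bytes) -> Dict[str, object]:
    """Return word size, endianness, object type and machine for an ELF image."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    bits = {1: 32, 2: 64}.get(ei_class)          # ELFCLASS32 / ELFCLASS64
    fmt = {1: "<", 2: ">"}.get(ei_data)          # ELFDATA2LSB / ELFDATA2MSB
    if bits is None or fmt is None:
        raise ValueError("unsupported EI_CLASS or EI_DATA")
    # e_type and e_machine are the two 16-bit fields right after e_ident,
    # read in the byte order the file itself declares.
    e_type, e_machine = struct.unpack_from(fmt + "HH", data, 16)
    return {
        "bits": bits,
        "endian": "little" if fmt == "<" else "big",
        "type": E_TYPES.get(e_type, str(e_type)),
        "machine": EM_NAMES.get(e_machine, f"unknown(0x{e_machine:x})"),
    }


def make_header(bits: int, big_endian: bool, e_machine: int, e_type: int = 2) -> bytes:
    """Constructed minimal ELF header: e_ident plus e_type/e_machine, rest zeroed."""
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 2 if big_endian else 1, 1]) + b"\x00" * 9
    fmt = ">" if big_endian else "<"
    return ident + struct.pack(fmt + "HH", e_type, e_machine) + b"\x00" * 44


def triage_batch(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Label each sample as '<machine>/<bits>/<endian>' for quick bucketing."""
    out = {}
    for name, blob in samples.items():
        info = elf_triage(blob)
        out[name] = f"{info['machine']}/{info['bits']}/{info['endian']}"
    return out


# Constructed stand-ins for one build per architecture named in the article.
SAMPLES = {
    "peertime_arm": make_header(32, False, 0x28),
    "peertime_aarch64": make_header(64, False, 0xB7),
    "peertime_ppc": make_header(32, True, 0x14),
    "peertime_mips": make_header(32, True, 0x08),
}

if __name__ == "__main__":
    for name, label in triage_batch(SAMPLES).items():
        print(f"{name}: {label}")
```

Reading only the header is deliberate: it works on truncated or partially downloaded samples and never executes or disassembles anything. MIPS and PowerPC builds are commonly big-endian on network hardware, and MIPS64 shares the same e_machine with ELFCLASS64, so the class and endian fields matter as much as the machine value when picking an emulator or a YARA rule target.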
Source: BleepingComputer