Cyber: China-linked Hackers Use Terndoor, Peertime, Bruteentry In South...
A China-linked advanced persistent threat (APT) actor has been targeting critical telecommunications infrastructure in South America since 2024, targeting Windows and Linux systems and edge devices with three different implants.
The activity is being tracked by Cisco Talos under the moniker UAT-9244, describing it as closely associated with another cluster known as FamousSparrow.
It's worth noting that FamousSparrow is assessed to share tactical overlaps with Salt Typhoon, a China-nexus espionage group known for its targeting of telecommunication service providers. Despite the similar targeting footprint between UAT-9244 and Salt Typhoon, there is no conclusive evidence that ties the two clusters together.
In the campaign analyzed by the cybersecurity company, the attack chains have been found to distribute three previously undocumented implants: TernDoor targeting Windows, PeerTime (aka angrypeer) targeting Linux, and BruteEntry, which is installed on network edge devices.
The exact initial access method used in the attacks is not known, although the adversary has previously targeted systems running outdated versions of Windows Server and Microsoft Exchange Server to drop web shells for follow-on activity.
TernDoor is deployed through DLL side-loading, leveraging the legitimate executable "wsprint.exe" to launch a rogue DLL ("BugSplatRc64.dll") that decrypts and executes the final payload in memory. A variant of Crowdoor (itself a variant of SparrowDoor), the backdoor is said to have been put to use by UAT-9244 since at least November 2024.
It establishes persistence on the host by means of a scheduled task or the Registry Run key. It also exhibits differences with CrowDoor by making use of a disparate set of command codes and embedding a Windows driver to suspend, resume, and terminate processes. Furthermore, it only supports one command-line switch ("-u") to uninstall itself from the host and delete all associated artifacts.
Once launched, it runs a check to make sure that it has been injected into "msiexec.exe," after which it decodes a configuration to extract the command-and-control (C2) parameters. Subsequently, it establishes communication with the C2 server, allowing it to create processes, run arbitrary commands, read/write files, collect system information, and deploy the driver to hide malicious components and manage processes.
Further analysis of the UAT-9244's infrastructure has led to the discovery of a Linux peer-to-peer (P2P) backd
