A China-linked hacking group has been systematically targeting telecommunications companies across South America since 2024. This group, known as UAT-9244, is deploying a trio of new malware implants to penetrate critical network infrastructure.
Targeting Telecommunications Infrastructure
UAT-9244, an advanced persistent threat (APT) group, targets both Windows and Linux systems as well as the network edge devices that telecom operations depend on. The attacks follow a deliberate pattern: gain an initial foothold, then steadily expand control across the compromised network.
The group’s arsenal includes three distinct malware tools. TernDoor, a Windows backdoor, is a new iteration of the previously documented CrowDoor malware. PeerTime, a Linux-based tool, utilizes the BitTorrent protocol for communication, blending in with legitimate network traffic. BruteEntry, the third tool, transforms compromised devices into relay boxes that brute-force access to various servers.
Links to Known APT Groups
Cisco Talos researchers have connected UAT-9244 with other China-nexus APTs like FamousSparrow and Tropic Trooper. This connection is based on shared tools, tactics, and targeted victims. TernDoor, for example, can trace its lineage back to SparrowDoor, associated with FamousSparrow.
Furthermore, the PeerTime tool contains debug strings in Simplified Chinese, indicating the involvement of Chinese-speaking threat actors. The operation's infrastructure is extensive: a single shared SSL certificate is linked to multiple IP addresses, pointing to a well-resourced operation.
Malware Techniques and Mitigation
TernDoor is deployed through DLL side-loading: a benign executable is made to load a malicious DLL placed alongside it. Because the process that starts is legitimate, the technique helps the malware evade file-based detection. Once active, TernDoor injects itself into a Windows process, executes remote commands, and communicates with its operator.
To maintain persistence, TernDoor creates scheduled tasks and alters registry keys. It also installs a Windows driver that can disable security tools. Security teams are advised to audit system tasks, monitor for DLL side-loading, and block known C2 IP addresses as part of their defense strategy.
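As an added illustration of the "monitor for DLL side-loading" advice above (example code written here, not from the Talos report), the heuristic below flags Sysmon-style ImageLoad events in which a DLL carrying a Windows system-library name is loaded from the loading executable's own directory instead of a system directory. The key=value event layout, the DLL name list and the sample events are constructed assumptions.

```python
import ntpath

# DLLs Windows normally serves from System32; a copy of one sitting next to an
# application EXE outside the system directories is the classic side-load pattern.
# This list is an illustrative assumption, not taken from the Talos report.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll", "winhttp.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")

# Constructed sample events in a simplified key=value|key=value layout (not real
# Sysmon EVTX/XML). Event ID 7 is Sysmon's ImageLoad event; ID 1 is ProcessCreate.
SAMPLE_EVENTS = [
    "EventID=7|Image=C:\\Windows\\System32\\svchost.exe|ImageLoaded=C:\\Windows\\System32\\version.dll|Signed=true",
    "EventID=7|Image=C:\\Program Files\\Vendor\\app.exe|ImageLoaded=C:\\Windows\\System32\\version.dll|Signed=true",
    "EventID=7|Image=C:\\Users\\Public\\Libraries\\update.exe|ImageLoaded=C:\\Users\\Public\\Libraries\\version.dll|Signed=false",
    "EventID=1|Image=C:\\Users\\Public\\Libraries\\update.exe|CommandLine=update.exe /silent",
]

def parse_event(line):
    """Split 'key=value|key=value' into a dict (values keep their original case)."""
    return dict(field.split("=", 1) for field in line.split("|"))

def sideload_reasons(event):
    """Return the indicators that make this ImageLoad look like a side-load ([] if clean)."""
    if event.get("EventID") != "7":
        return []
    image, loaded = event["Image"].lower(), event["ImageLoaded"].lower()
    exe_dir, dll_dir = ntpath.dirname(image), ntpath.dirname(loaded)
    if dll_dir.startswith(SYSTEM_DIRS):
        return []  # DLL resolved from a system directory: normal loading
    reasons = []
    if ntpath.basename(loaded) in SYSTEM_DLL_NAMES:
        reasons.append("system DLL name loaded from outside the system directories")
    if dll_dir == exe_dir:
        reasons.append("DLL sits in the same directory as the loading EXE")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("DLL is unsigned")
    # Require the directory match plus at least one more indicator to limit noise
    return reasons if dll_dir == exe_dir and len(reasons) >= 2 else []

def find_sideloads(lines):
    """Return (event, reasons) for every log line that trips the heuristic."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = sideload_reasons(event)
        if reasons:
            hits.append((event, reasons))
    return hits
```

Running `find_sideloads(SAMPLE_EVENTS)` flags only the third event, where version.dll is loaded unsigned from the same user-writable directory as update.exe; the two loads from System32 and the ProcessCreate event pass untouched.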
The ongoing threat posed by UAT-9244 underscores the importance of robust cybersecurity measures in the telecommunications sector. By understanding and mitigating these sophisticated attacks, organizations can better protect their critical infrastructure.
