
China-Nexus Hackers Target Telecommunications Providers with New Malware Attack

UAT-9244: The Evolving Threat from China

In a significant escalation of cyber-espionage activity, a sophisticated threat actor linked to China, tracked as UAT-9244, has been targeting critical telecommunications infrastructure across South America since 2024. Security researchers assess with high confidence that UAT-9244 shares operational methodologies with established cyber-espionage groups such as FamousSparrow and Tropic Trooper. The overlap points to a shared aim: infiltrating networks where sensitive data resides, with consequences for national security.

Malware Arsenal: A Three-Pronged Assault

To secure a durable foothold in victim networks, UAT-9244 has developed a three-component malware arsenal tailored to its operations. According to research by Cisco Talos, this advanced persistent threat (APT) group employs both Windows and Linux malware to compromise endpoints as well as network edge devices.

UAT-9244’s primary tool is a backdoor called “TernDoor.” This custom Windows backdoor is a newly evolved variant of an older piece of malware known as CrowDoor. TernDoor relies on dynamic-link library (DLL) side-loading to bypass existing security controls: the attackers execute a seemingly innocuous file named “wsprint.exe,” which loads a malicious DLL. That loader is responsible for decrypting the final payload that enables deeper infiltration.

With TernDoor in place, the attackers can execute arbitrary remote commands, manage files, and collect system information. TernDoor also carries an embedded Windows driver, “WSPrint.sys,” which can suspend or terminate security processes, further improving the backdoor’s ability to stay hidden.

Notably, TernDoor’s design includes a command-line switch, “-u,” which lets the attackers uninstall the malware and cover their tracks when withdrawing from a compromised environment.

The second component in UAT-9244’s toolkit is “PeerTime,” an ELF-based backdoor built for Linux and embedded systems, including ARM and MIPS architectures. Also identified as “angrypeer,” PeerTime uses the BitTorrent peer-to-peer protocol to communicate with its command and control (C2) infrastructure. This approach lets it download additional payloads from compromised peers, while it relies on the BusyBox utility for deployment across the network.

Completing the arsenal is “BruteEntry,” a Go-based brute-force scanner. This tool is typically deployed on compromised network edge devices, turning them into Operational Relay Boxes (ORBs). Through these proxy nodes, BruteEntry receives target lists from the C2 server and performs mass automated scanning against servers exposing SSH, Postgres, and Tomcat services. This method greatly expands the threat actor’s reach and impact.

Technical Operations and Evasion Techniques

To keep its malware hidden and persistent, UAT-9244 relies on purpose-built deployment mechanisms. On Windows systems infected with TernDoor, the threat actors establish persistence by creating hidden scheduled tasks or by modifying Registry Run keys, using carefully crafted commands so that TernDoor survives system reboots.
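The TernDoor tradecraft described above (the wsprint.exe side-load, the WSPrint.sys driver, the Run-key persistence and the “-u” switch) can be turned into simple endpoint detection rules. The following is an added illustration written for this article, not code from Cisco Talos or the report; the Sysmon-style event shape, field names and file paths are constructed assumptions, and the rules are heuristics that a defender would tune against their own baseline.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape (assumption).
# Only the file names wsprint.exe / WSPrint.sys come from the report.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Users\Public\wsprint.exe",
     "loaded": r"C:\Users\Public\wsprint.dll", "signed": False},
    {"type": "image_load", "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\ntdll.dll", "signed": True},
    {"type": "driver_load", "image": r"C:\Users\Public\WSPrint.sys", "signed": False},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\Public\wsprint.exe"},
    {"type": "process_create", "image": r"C:\Users\Public\wsprint.exe",
     "cmdline": "wsprint.exe -u"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

def is_system_path(path):
    """True when a path sits under a Windows system directory."""
    return path.lower().startswith(SYSTEM_DIRS)

def detect(events):
    """Return (rule_name, event) pairs for events matching TernDoor heuristics."""
    hits = []
    for ev in events:
        kind, img = ev["type"], ev.get("image", "").lower()
        # DLL side-loading: wsprint.exe pulling an unsigned DLL from a non-system path
        if kind == "image_load" and img.endswith(r"\wsprint.exe") \
                and not is_system_path(ev["loaded"]) and not ev["signed"]:
            hits.append(("sideload_unsigned_dll_from_wsprint", ev))
        # Unsigned driver named like the embedded security-killing driver
        elif kind == "driver_load" and img.endswith(r"\wsprint.sys") and not ev["signed"]:
            hits.append(("unsigned_wsprint_driver", ev))
        # Run / RunOnce persistence pointing at the loader executable
        elif kind == "registry_set" and RUN_KEY.search(ev["key"]) \
                and ev["value"].lower().endswith("wsprint.exe"):
            hits.append(("run_key_points_to_wsprint", ev))
        # The uninstall switch: a sign the operators are cleaning up
        elif kind == "process_create" and img.endswith(r"\wsprint.exe") \
                and re.search(r"(^|\s)-u(\s|$)", ev["cmdline"]):
            hits.append(("wsprint_uninstall_switch", ev))
    return hits

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, ev.get("image") or ev.get("key"))
```

The hidden scheduled-task variant would need a separate rule over task-creation events, which this sample telemetry does not include.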

In Linux environments, UAT-9244 uses custom shell scripts containing Simplified Chinese debug strings to deploy PeerTime. The malware checks whether it is running inside a container and, when Docker is available, uses it to execute its loader. This flexibility further bolsters the group’s effectiveness.

For the BruteEntry component, the malware registers each newly infected host with the C2 server, sending the machine’s IP address and hostname. It then requests batches of candidate IP addresses to attack, and any successful intrusions are reported back to the command server in a structured JSON format that records which targets were compromised during the operation.

Conclusion

By combining the Windows-focused TernDoor backdoor, the BitTorrent-driven PeerTime network, and the mass-scanning capabilities of BruteEntry, UAT-9244 has built a sophisticated and stealthy framework for infiltrating telecommunications environments. The implications are far-reaching at a time when cyber operations are increasingly central to national security strategies. As security professionals continue to analyze and counter these developments, the need for robust defensive measures has never been more apparent.
