"A China-linked advanced persistent threat (APT) actor has been targeting critical telecommunications infrastructure in South America since 2024, targeting Windows and Linux systems and edge devices with three different implants. The activity is being tracked by Cisco Talos under the moniker UAT-9244, describing it as closely associated with another cluster known as FamousSparrow."
"TernDoor is deployed through DLL side-loading, leveraging the legitimate executable "wsprint.exe" to launch a rogue DLL ("BugSplatRc64.dll") that decrypts and executes the final payload in memory. A variant of Crowdoor (itself a variant of SparrowDoor), the backdoor is said to have been put to use by UAT-9244 since at least November 2024."
"It establishes persistence on the host by means of a scheduled task or the Registry Run key. It also exhibits differences with CrowDoor by making use of a disparate set of command codes and embedding a Windows driver to suspend, resume, and terminate processes."
A China-nexus advanced persistent threat actor tracked as UAT-9244 has been conducting campaigns against critical telecommunications infrastructure in South America since 2024. The group targets Windows and Linux systems along with network edge devices using three previously undocumented implants: TernDoor for Windows, PeerTime for Linux, and BruteEntry for edge devices. UAT-9244 shares tactical similarities with FamousSparrow and shows overlaps with Salt Typhoon, though no definitive connection exists. The initial access method remains unclear, though the adversary has previously exploited outdated Windows Server and Microsoft Exchange versions. TernDoor uses DLL side-loading via legitimate executables and establishes persistence through scheduled tasks or Registry modifications.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]