China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes
Briefly

"A China-nexus threat actor known as UAT-7290 has been attributed to espionage-focused intrusions against entities in South Asia and Southeastern Europe. The activity cluster, which has been active since at least 2022, primarily focuses on extensive technical reconnaissance of target organizations before initiating attacks, ultimately leading to the deployment of malware families such as RushDrop, DriveSwitch, and SilentRaid, according to a Cisco Talos report published today."
"'In addition to conducting espionage-focused attacks where UAT-7290 burrows deep inside a victim enterprise's network infrastructure, their tactics, techniques, and procedures (TTPs) and tooling suggest that this actor also establishes Operational Relay Box (ORB) nodes,' researchers Asheer Malhotra, Vitor Ventura, and Brandon White said. 'The ORB infrastructure may then be used by other China-nexus actors in their malicious operations, signifying UAT-7290's dual role as an espionage-motivated threat actor as well as an initial access group.'"
UAT-7290 has been active since at least 2022 and conducts extensive technical reconnaissance of a target before intruding. It primarily targets telecommunications providers in South Asia and has recently expanded into Southeastern Europe. The group uses a mix of open-source malware, custom tooling, and one-day (n-day) exploits against edge networking products. A Linux malware suite (the RushDrop dropper, the DriveSwitch peripheral, and the SilentRaid persistent C++ implant) is central to its operations, supplemented by Windows implants such as RedLeaves (BUGJUICE) and ShadowPad. UAT-7290 also stands up Operational Relay Box (ORB) nodes that other China-nexus actors can reuse, so it functions as both an espionage actor and an initial-access provider. One practical consequence for defenders: because ORB nodes are shared relay infrastructure, a source IP observed in an intrusion is a weak attribution signal and a short-lived blocklist entry, and the implants and edge-device exploitation are the more durable indicators.
Read at The Hacker News