Full Report
A China-linked advanced persistent threat actor tracked as UAT-9244 has been targeting telecommunication service providers in South America since 2024, compromising Windows, Linux, and network-edge devices. [...]
Analysis Summary
# Threat Actor: UAT-9244
## Attribution & Identity
* **Identification:** UAT-9244 is a China-linked Advanced Persistent Threat (APT) actor.
* **Aliases/Associations:**
    * Closely associated with **FamousSparrow** and **Tropic Trooper** based on shared tooling, TTPs, and victimology.
    * Shares a similar target profile (telecoms) with **Salt Typhoon**, though a direct connection has not been definitively established.
* **Origin:** Attributed to China, supported by the presence of Simplified Chinese debug strings found in the instrumentor binary.
## Activity Summary
Since 2024, UAT-9244 has been conducting a sophisticated campaign targeting telecommunication service providers in South America. The actor utilizes a custom malware toolkit—including Windows backdoors, Linux peer-to-peer (P2P) malware, and distributed scanning tools—to compromise Windows systems, Linux servers, and network-edge devices.
## Tactics, Techniques & Procedures
* **Execution & Injection:**
    * **DLL Side-Loading:** Uses legitimate executables (e.g., *wsprint.exe*) to load malicious code from *BugSplatRc64.dll*.
    * **Process Injection:** Injects payloads into *msiexec.exe*.
* **Persistence:**
    * Scheduled tasks (often hidden via registry modifications).
    * Windows Registry modifications.
* **Evasion & Stealth:**
    * Renaming malicious processes to mimic legitimate system files.
    * Memory-only execution of decrypted payloads.
    * Use of a Windows driver (*WSPrint.sys*) to manipulate (terminate/suspend) security or system processes.
* **Command & Control:**
    * Use of the BitTorrent protocol for P2P communication (PeerTime).
* **Lateral Movement & Discovery:**
    * Brute-force attacks against SSH, Postgres, and Tomcat.
    * Creation of Operational Relay Box (ORB) networks using compromised devices to mask scanning activity.
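The side-loading TTP above (a legitimate executable such as *wsprint.exe* loading *BugSplatRc64.dll* from its own directory) is detectable from image-load telemetry. The following is an added example, not code from the report or from the UAT-9244 toolset: it runs two rules over constructed image-load records in a simplified Sysmon Event ID 7 style (`time|process image|loaded DLL|signed`). The `TRUSTED_DLL_DIRS` and `SIDELOAD_HOSTS` lists are defender-maintained assumptions; the report only names *wsprint.exe* as a host.

```python
"""Flag DLL side-loading from process image-load events (added example).

Record format is constructed for this example, modelled loosely on Sysmon
Event ID 7 (ImageLoad):  <utc-time>|<process image>|<loaded dll>|<signed>
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories a Windows system binary legitimately loads its DLLs from (assumption).
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Legitimate executables known to be abused as side-loading hosts. The report
# names wsprint.exe; the defender extends this list (assumption).
SIDELOAD_HOSTS = {"wsprint.exe"}


@dataclass(frozen=True)
class Finding:
    time: str
    process: str
    dll: str
    reason: str


def _under_trusted_dir(path: str) -> bool:
    """True if the file's directory is one of the trusted system directories."""
    directory = ntpath.dirname(path)
    return any(directory == t or directory.startswith(t + "\\") for t in TRUSTED_DLL_DIRS)


def parse_event(line: str) -> Optional[Tuple[str, str, str, bool]]:
    """Split one pipe-delimited record; returns None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    time, proc, dll, signed = parts
    return time, proc.lower(), dll.lower(), signed.strip().lower() == "true"


def classify(proc: str, dll: str, signed: bool) -> Optional[str]:
    """Return a reason string if the load matches a side-loading pattern, else None."""
    if _under_trusted_dir(dll):
        return None  # DLLs from system directories are out of scope for this rule
    if ntpath.basename(proc) in SIDELOAD_HOSTS:
        return "known side-loading host loaded a DLL from outside the system directories"
    if not signed and ntpath.dirname(proc) == ntpath.dirname(dll):
        return "unsigned DLL co-located with its host executable outside the system directories"
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run classify() over every parseable record and collect findings."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        time, proc, dll, signed = event
        reason = classify(proc, dll, signed)
        if reason:
            findings.append(Finding(time, proc, dll, reason))
    return findings


# Constructed sample records: one benign system load, one matching the report's
# side-loading pair, one signed vendor app, one unsigned co-located DLL, one junk line.
SAMPLE_EVENTS = [
    r"2025-01-10T09:12:03Z|C:\Windows\System32\svchost.exe|C:\Windows\System32\ntdll.dll|true",
    r"2025-01-10T09:12:45Z|C:\Users\Public\Tools\wsprint.exe|C:\Users\Public\Tools\BugSplatRc64.dll|false",
    r"2025-01-10T09:13:10Z|C:\Program Files\Vendor\app.exe|C:\Program Files\Vendor\helper.dll|true",
    r"2025-01-10T09:14:30Z|C:\ProgramData\update.exe|C:\ProgramData\version.dll|false",
    "malformed line",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.time} {f.process} -> {f.dll}: {f.reason}")
```

The first rule is the high-confidence one: a process on the host watchlist should never need a DLL from a user-writable directory. The second rule catches the generic pattern but expects tuning, since installers and portable tools legitimately ship unsigned DLLs beside their executables.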
## Targeting
* **Sectors:** Telecommunications.
* **Geography:** South America.
* **Victims:** Telecommunication service providers; specifically targets Windows, Linux, and embedded/network-edge architectures (ARM, AARCH, PPC, MIPS).
## Tools & Infrastructure
* **Malware Families:**
    * **TernDoor:** A Windows backdoor capable of remote shell execution, file manipulation, and system information collection.
    * **PeerTime:** A P2P Linux backdoor (variants in C/C++ and Rust) using BitTorrent for C2; targets multiple architectures to compromise routers and edge devices.
    * **BruteEntry:** A Go-based scanner and instrumentor used to turn devices into ORBs and conduct brute-force attacks.
* **Infrastructure:**
    * **C2:** Distributed P2P network (BitTorrent).
    * **Operational Relay Boxes (ORBs):** Uses compromised victim infrastructure to conduct further scanning and attacks.
* **Defanged Indicators:**
    * Files: *wsprint[.]exe*, *BugSplatRc64[.]dll*, *WSPrint[.]sys*
## Implications
UAT-9244 demonstrates a high level of technical proficiency by developing cross-platform malware capable of running on various hardware architectures common in telecom environments. The use of P2P protocols for C2 and the conversion of victim hardware into ORBs complicates traditional perimeter defense and attribution, suggesting a long-term strategic interest in South American communications infrastructure for intelligence collection or disruption.
## Mitigations
* **Edge Device Monitoring:** Implement rigorous monitoring of network-edge devices (routers, switches) for unauthorized binary execution or process renaming.
* **DLL Side-Loading Prevention:** Use application whitelisting and monitor for unusual DLLs being loaded by legitimate system executables like *wsprint.exe*.
* **Traffic Analysis:** Inspect network traffic for BitTorrent protocol usage originating from critical servers or network infrastructure, which may indicate PeerTime C2 activity.
* **Account Security:** Enforce strong password policies and multi-factor authentication (MFA) to defend against the brute-force capabilities of BruteEntry (SSH, Postgres, Tomcat).
* **Log Auditing:** Monitor Windows Registry and Scheduled Tasks for "hidden" entries or modifications used for persistence.
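The "Traffic Analysis" mitigation asks for BitTorrent traffic from critical servers to be spotted. The block below is an added example, not code from the report: it fingerprints the two protocol layers a BitTorrent peer exposes, the peer-wire handshake over TCP (a 0x13 length byte followed by the string `BitTorrent protocol`) and bencoded DHT/KRPC queries over UDP, and raises severity when the source is on a critical-asset list. Flow records and the `CRITICAL_ASSETS` addresses are constructed placeholders; a real deployment would feed this from a sensor's payload captures.

```python
"""Flag BitTorrent peer-wire and DHT traffic from critical hosts (added example)."""
from typing import Dict, List, Optional, Tuple

# Peer-wire handshake: pstrlen (19) + "BitTorrent protocol" + 8 reserved + 20 info_hash + 20 peer_id.
HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
HANDSHAKE_LEN = 68
DHT_QUERIES = {b"ping", b"find_node", b"get_peers", b"announce_peer"}
# Constructed placeholder addresses of servers that should never speak BitTorrent.
CRITICAL_ASSETS = {"10.0.5.20", "10.0.5.21"}


def bdecode(data: bytes, i: int = 0):
    """Minimal bencode decoder: returns (value, next_index); raises ValueError on bad input."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        return items, i + 1
    if c == b"d":
        mapping, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = bdecode(data, i)
            value, i = bdecode(data, i)
            mapping[key] = value
        return mapping, i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        length = int(data[i:colon])
        return data[colon + 1:colon + 1 + length], colon + 1 + length
    raise ValueError("not bencode")


def is_peer_wire_handshake(payload: bytes) -> bool:
    """A TCP payload that opens with the fixed handshake header and is at least 68 bytes."""
    return len(payload) >= HANDSHAKE_LEN and payload.startswith(HANDSHAKE_PREFIX)


def dht_query_type(payload: bytes) -> Optional[bytes]:
    """Return the KRPC query name if the UDP payload is a well-formed DHT query, else None."""
    try:
        msg, end = bdecode(payload)
    except (ValueError, IndexError, RecursionError):
        return None
    if end != len(payload) or not isinstance(msg, dict):
        return None
    query = msg.get(b"q")
    if msg.get(b"y") == b"q" and isinstance(query, bytes) and query in DHT_QUERIES:
        return query
    return None


def classify_flow(src: str, proto: str, payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (severity, description) for BitTorrent traffic, or None for anything else."""
    if proto == "tcp" and is_peer_wire_handshake(payload):
        kind = "peer-wire handshake"
    elif proto == "udp":
        query = dht_query_type(payload)
        if query is None:
            return None
        kind = f"DHT {query.decode()} query"
    else:
        return None
    return ("high" if src in CRITICAL_ASSETS else "low", kind)


def scan_flows(flows: List[Tuple[str, str, str, bytes]]) -> List[Dict[str, str]]:
    """Classify (src, dst, proto, payload) records and keep the BitTorrent hits."""
    hits = []
    for src, dst, proto, payload in flows:
        result = classify_flow(src, proto, payload)
        if result:
            hits.append({"src": src, "dst": dst, "severity": result[0], "kind": result[1]})
    return hits


# Constructed flow records: a handshake from a critical server, a DHT get_peers from
# another, plain HTTP, a non-bencoded UDP datagram, and a handshake from a workstation.
SAMPLE_FLOWS = [
    ("10.0.5.20", "203.0.113.7", "tcp", HANDSHAKE_PREFIX + b"\x00" * 8 + b"A" * 20 + b"B" * 20),
    ("10.0.5.21", "198.51.100.9", "udp",
     b"d1:ad2:id20:" + b"C" * 20 + b"9:info_hash20:" + b"D" * 20 + b"e1:q9:get_peers1:t2:aa1:y1:qe"),
    ("10.0.5.20", "198.51.100.10", "tcp", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("192.168.1.50", "10.0.0.53", "udp", b"\x12\x34\x01\x00\x00\x01\x00\x00"),
    ("192.168.1.50", "203.0.113.8", "tcp", HANDSHAKE_PREFIX + b"\x00" * 8 + b"E" * 20 + b"F" * 20),
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(hit)
```

Matching on payload rather than port matters because BitTorrent clients use arbitrary ports. The check is still best-effort: peers that negotiate Message Stream Encryption hide the plaintext handshake, so the DHT fingerprint and volumetric indicators (many short connections to many external peers) should back it up.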