# Full Report
Cisco Talos is disclosing UAT-9244, which we assess with high confidence to be a China-nexus advanced persistent threat (APT) actor closely associated with Famous Sparrow.
# Analysis Summary
# Threat Actor: UAT-9244
## Attribution & Identity
* **Identification:** UAT-9244 is assessed with high confidence as a **China-nexus** advanced persistent threat (APT) actor.
* **Associated Groups:**
    * **FamousSparrow:** High confidence operational association; utilizes variants of the same malware families.
    * **Tropic Trooper:** Overlaps identified in tooling and TTPs.
    * **Earth Estries:** Shared use of the CrowDoor malware family.
    * **Salt Typhoon:** Both target telecommunications, though no definitive link has been established.
## Activity Summary
Since at least 2024, UAT-9244 has been engaged in a sustained campaign targeting critical telecommunications infrastructure in South America. The actor utilizes a triad of malware implants (Windows-based, Linux-based, and network edge device-based) to maintain persistent access and perform lateral movement. Notable activity includes the development and deployment of the "TernDoor" backdoor as recently as November 2024.
## Tactics, Techniques & Procedures
* **Execution & Persistence:**
    * **DLL Side-Loading (T1574.002):** Using benign executables (e.g., `wsprint.exe`) to load malicious DLLs (`BugSplatRc64.dll`).
    * **Registry Run Keys / Startup Folder (T1547.001):** Setting registry keys to execute on login.
    * **Scheduled Task/Job (T1053.005):** Creating tasks named "WSPrint" to run as the SYSTEM user.
* **Defense Evasion:**
    * **Indicator Removal (T1070):** Modifying registry keys to hide scheduled tasks.
    * **De-obfuscation/Decoding:** Using custom keys (e.g., `qwiozpVngruhg123`) to decrypt stage payloads in memory.
    * **Driver Deployment:** Using an embedded AES-encrypted Windows driver (.sys) to manipulate (suspend/terminate) system processes.
* **Lateral Movement & Discovery:**
    * **Brute Force (T1110):** Mass-scanning and attempting to brute-force SSH, Postgres, and Tomcat servers.
* **Command and Control:**
    * **Peer-to-Peer Subversion:** Use of the BitTorrent protocol for C2 communication via the PeerTime backdoor.
    * **ORB Networks:** Converting network edge devices into Operational Relay Boxes to proxy malicious traffic.
## Targeting
* **Sectors:** Telecommunications, Critical Infrastructure.
* **Geography:** South America.
* **Victims:** Major telecommunication providers; specifically targets Windows endpoints, Linux systems, and network edge devices.
## Tools & Infrastructure
* **Malware Families:**
    * **TernDoor:** A new Windows-based variant of CrowDoor/SparrowDoor.
    * **PeerTime:** An ELF-based (Linux) backdoor using BitTorrent for C2.
    * **BruteEntry:** A brute-force scanner used on edge devices to create ORB nodes.
* **Infrastructure (Defanged):**
    * **IPs:** `185[.]196[.]10[.]247`, `185[.]196[.]10[.]38`, `212[.]11[.]64[.]105`.
    * **Domains:** `bloopencil[.]net`, `xtibh[.]com`, `xcit76[.]com`.
## Implications
UAT-9244 represents a highly technical and disciplined adversary focused on long-term espionage within South American telecommunications. Their use of custom BitTorrent-based C2 and the conversion of edge devices into ORBs indicates a sophisticated effort to bypass traditional perimeter security and signature-based detection. The overlap with known groups like FamousSparrow suggests a shared development resource or a broader organizational structure within Chinese state-sponsored operations.
## Mitigations
* **Endpoint Defense:** Monitor for unusual DLL side-loading activity and unauthorized creation of scheduled tasks, particularly those involving modifications to `TaskCache` registry keys.
* **Network Monitoring:** Implement detection for BitTorrent protocol traffic originating from critical servers or non-user endpoints (PeerTime detection).
* **Edge Device Security:** Regularly audit and patch network edge devices; monitor for the installation of unauthorized scanning tools or unauthorized SSH login attempts (BruteEntry detection).
* **Identity Management:** Enforce strong password policies and multi-factor authentication (MFA) on all internet-facing services like SSH, Postgres, and Tomcat to mitigate brute-force attacks.
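As an added example (not code from the Talos report), the following PowerShell audit supports the endpoint-defense item above and the "hidden scheduled task" evasion listed under Defense Evasion: it walks the `TaskCache\Tree` registry cache and reports task entries the Task Scheduler API no longer shows, entries without a matching `TaskCache\Tasks` record, and tasks matching the reported "WSPrint" naming. It assumes the hiding technique is removal of a task's `SD` (security descriptor) value, the publicly documented way to blind `schtasks` and `Get-ScheduledTask`; the report itself only states that registry keys were modified.

```powershell
# Added example, not from the Talos report. ASSUMPTION: tasks are hidden by deleting the
# per-task SD value under TaskCache\Tree (the report only says registry keys were modified).
# Run from an elevated PowerShell session on the host under investigation.
$base  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$tree  = Join-Path $base 'Tree'
$tasks = Join-Path $base 'Tasks'

# Tasks the API is willing to show, keyed by full path, e.g. \Microsoft\Windows\X\Name
$visible = @{}
Get-ScheduledTask | ForEach-Object { $visible[$_.TaskPath + $_.TaskName] = $_ }

$findings = Get-ChildItem -Path $tree -Recurse | ForEach-Object {
    $id = $_.GetValue('Id')
    if (-not $id) { return }                     # folder nodes carry no Id; task nodes do

    # Registry path below Tree, rewritten as a Task Scheduler path
    $taskPath = '\' + $_.Name.Substring($_.Name.IndexOf('\Tree\') + 6)
    $reasons  = @()

    if ($null -eq $_.GetValue('SD'))          { $reasons += 'SD value missing (hidden from API)' }
    if (-not $visible.ContainsKey($taskPath)) { $reasons += 'not returned by Get-ScheduledTask' }

    $detail = Get-Item -Path (Join-Path $tasks $id) -ErrorAction SilentlyContinue
    if (-not $detail) { $reasons += "no TaskCache\Tasks\$id record" }

    # Rough readout of the binary Actions blob: the command line is stored as UTF-16 text
    $cmdHint = ''
    if ($detail -and $detail.GetValue('Actions')) {
        $cmdHint = ([Text.Encoding]::Unicode.GetString($detail.GetValue('Actions')) `
                    -replace '[^\x20-\x7E]+', ' ').Trim()
    }

    if ($taskPath -match 'WSPrint') { $reasons += 'name matches reported WSPrint task' }
    # Heuristic: SYSTEM tasks outside the \Microsoft\ folder are rare enough to review by hand
    $principal = $visible[$taskPath].Principal.UserId
    if ($principal -match 'SYSTEM|S-1-5-18' -and $taskPath -notmatch '^\\Microsoft\\') {
        $reasons += 'runs as SYSTEM outside \Microsoft\'
    }

    if ($reasons) {
        [pscustomobject]@{ TaskPath = $taskPath; Id = $id
                           Reasons  = ($reasons -join '; '); Action = $cmdHint }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

Entries flagged with a missing `SD` value or no `Tasks` record should be compared against the host's own change history before removal, since the registry cache is the only place such a task remains visible.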