China-Linked APT Actors Target South American Telecom Infrastructure with Advanced Malware
A China-linked advanced persistent threat (APT) group has been systematically attacking telecommunications infrastructure across South America since early 2024. Cisco Talos researchers track the activity as UAT-9244 and note significant overlap with the FamousSparrow threat cluster.
What makes the campaign notable is its multi-platform reach: Windows servers, Linux systems and network edge devices are targeted in parallel with three distinct malware families, TernDoor, PeerTime and BruteEntry.
Understanding the Threat Landscape
Telecommunications infrastructure has long been a prime target for state-sponsored threat actors due to its role in communications interception, intelligence gathering, and establishing persistent access within national networks. This latest campaign represents an escalation in both sophistication and scope, moving beyond opportunistic attacks to deliberate, sustained operations against critical infrastructure.
The targeting of edge devices—often the perimeter's first line of defense—suggests a strategy focused on bypassing traditional security controls by exploiting less-monitored components of the network architecture.
Deep-Dive Technical Analysis
The Malware Arsenal
TernDoor appears to be the primary implant, designed to establish persistent remote access. Based on preliminary analysis, it demonstrates capabilities typical of state-sponsored tools, including:
- Encrypted C2 communications to evade network monitoring
- File system manipulation for data exfiltration
- Process injection for stealthy execution
- Privilege escalation modules
PeerTime functions as a lateral movement and reconnaissance tool, likely mapping network topology and identifying high-value targets within the compromised infrastructure. Its modular design suggests threat actors can adapt its functionality based on the target environment.
BruteEntry specializes in credential harvesting and authentication bypass, particularly targeting edge devices where weak password policies and default credentials remain common issues.
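BruteEntry's credential attacks leave a characteristic trail in authentication logs: many failures from one source against one account (brute force), a handful of attempts against many vendor default accounts (spray), or a success that follows a run of failures. As an added example, not code from the Talos report or from this page's author, the following Python runs that detection logic over constructed OpenSSH-style auth log lines; the hostnames, addresses, thresholds and the default-account list are hypothetical and should be tuned to the environment.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH auth.log format (not from any real incident).
SAMPLE_LOG = """\
Mar 14 02:11:01 edge-rtr1 sshd[2211]: Failed password for admin from 203.0.113.7 port 50211 ssh2
Mar 14 02:11:03 edge-rtr1 sshd[2213]: Failed password for admin from 203.0.113.7 port 50212 ssh2
Mar 14 02:11:05 edge-rtr1 sshd[2215]: Failed password for admin from 203.0.113.7 port 50213 ssh2
Mar 14 02:11:07 edge-rtr1 sshd[2217]: Failed password for admin from 203.0.113.7 port 50214 ssh2
Mar 14 02:11:09 edge-rtr1 sshd[2219]: Failed password for admin from 203.0.113.7 port 50215 ssh2
Mar 14 02:11:11 edge-rtr1 sshd[2221]: Accepted password for admin from 203.0.113.7 port 50216 ssh2
Mar 14 02:20:00 edge-rtr1 sshd[2301]: Failed password for invalid user cisco from 198.51.100.9 port 40001 ssh2
Mar 14 02:20:02 edge-rtr1 sshd[2303]: Failed password for invalid user ubnt from 198.51.100.9 port 40002 ssh2
Mar 14 02:20:04 edge-rtr1 sshd[2305]: Failed password for root from 198.51.100.9 port 40003 ssh2
Mar 14 02:20:06 edge-rtr1 sshd[2307]: Failed password for invalid user support from 198.51.100.9 port 40004 ssh2
Mar 14 02:20:08 edge-rtr1 sshd[2309]: Failed password for invalid user operator from 198.51.100.9 port 40005 ssh2
Mar 14 03:00:00 edge-rtr1 sshd[2401]: Failed password for jdoe from 192.0.2.44 port 51000 ssh2
Mar 14 03:00:30 edge-rtr1 sshd[2403]: Accepted publickey for jdoe from 192.0.2.44 port 51001 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Account names that ship as defaults on many edge devices (hypothetical list).
DEFAULT_ACCOUNTS = {"admin", "root", "cisco", "ubnt", "support", "operator", "user"}


def parse_auth_log(text):
    """Return one dict (result, method, user, src) per sshd auth line; other lines are skipped."""
    return [m.groupdict() for m in (AUTH_RE.search(l) for l in text.splitlines()) if m]


def detect(events, fail_threshold=5, spray_users=3, fails_before_success=3):
    """Per source address, return the sorted list of finding names (sources with none are omitted)."""
    per_src = defaultdict(lambda: {"fails": defaultdict(int), "success_after": False})
    for ev in events:  # events must be in log order for the success-after-failures rule
        state = per_src[ev["src"]]
        if ev["result"] == "Failed":
            state["fails"][ev["user"]] += 1
        elif sum(state["fails"].values()) >= fails_before_success:
            state["success_after"] = True
    findings = {}
    for src, state in per_src.items():
        names = []
        if any(n >= fail_threshold for n in state["fails"].values()):
            names.append("brute_force")              # many failures on one account
        if len(state["fails"]) >= spray_users:
            names.append("password_spray")           # few failures on many accounts
        if len(DEFAULT_ACCOUNTS & set(state["fails"])) >= 2:
            names.append("default_accounts_probed")  # vendor default names tried
        if state["success_after"]:
            names.append("success_after_failures")   # the one that needs an IR ticket
        if names:
            findings[src] = sorted(names)
    return findings


if __name__ == "__main__":
    for src, names in detect(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{src}: {', '.join(names)}")
```

The success-after-failures rule is the one worth paging on: a spray that never succeeds is noise to block at the firewall, while an accepted login following a burst of failures from the same source is the signature of a guessed or default credential on an edge device.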
Attack Vectors and TTPs
The UAT-9244 group demonstrates sophisticated tradecraft, employing:
- Custom exploits for unpatched vulnerabilities in telecom-specific software
- Supply chain compromise of third-party maintenance tools
- Legitimate tool abuse using system administration utilities to blend in with normal traffic
- Living-off-the-land techniques that leverage native system binaries
- Encryption-based obfuscation to avoid signature-based detection
The association with FamousSparrow is particularly noteworthy, as this cluster has historically focused on hotel and hospitality targets worldwide. This pivot to critical telecommunications suggests either a resource sharing arrangement among multiple APT groups or an evolution of operational priorities.
Detection and Threat Hunting
Defenders should hunt proactively for UAT-9244 activity using the approaches below. Note that the family names (TernDoor, PeerTime, BruteEntry) are analyst labels and will not appear in telemetry; the queries key on behaviour and on IOCs taken from the vendor report.
Sentinel/Defender KQL Queries
// Hunt for encoded or inline-evaluated PowerShell. Malware does not name itself on the
// command line, so the query keys on behaviour; treat hits as triage leads, not verdicts.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
| where ProcessCommandLine has_any ("-enc", "-encodedcommand", "Invoke-Expression", "IEX", "FromBase64String")
// Tune here: exclude the parent processes of known-good management tooling
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
// Identify repeated connections to C2 infrastructure. The addresses below are RFC 1918
// placeholders; replace them with the IOCs from the vendor report.
let c2 = dynamic(["192.168.1.100", "10.0.0.50", "172.16.0.1"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteIP in (c2)
| where Protocol in~ ("Tcp", "Udp")
| where RemotePort in (443, 80, 8080, 8443)
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
| where Connections > 10
| order by Connections desc
PowerShell Scripts for Detection
# Check for signs of persistence in Run keys and service ImagePaths
function Get-TernDoorIndicators {
    $RunKeys = @(
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
    )
    # Family names are analyst labels and rarely appear on disk; the path patterns
    # (binaries launched from user-writable locations) are the useful part
    $SuspiciousPatterns = @("TernDoor", "PeerTime", "BruteEntry",
        "\AppData\Local\Temp\", "\Windows\Temp\", "\ProgramData\", "\Users\Public\")
    $hits = @()
    foreach ($path in $RunKeys) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($property in $key.Property) {
            $value = [string]$key.GetValue($property)
            foreach ($pattern in $SuspiciousPatterns) {
                if ($value -like "*$pattern*") {
                    $hits += [pscustomobject]@{ Location = "$path\$property"; Value = $value }
                }
            }
        }
    }
    # Services live in subkeys, so the parent key has no useful properties;
    # inspect each service's ImagePath instead
    $services = Get-ChildItem -Path "HKLM:\System\CurrentControlSet\Services" -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        $imagePath = [string]$svc.GetValue("ImagePath")
        foreach ($pattern in $SuspiciousPatterns) {
            if ($imagePath -like "*$pattern*") {
                $hits += [pscustomobject]@{ Location = $svc.PSPath; Value = $imagePath }
            }
        }
    }
    return $hits
}
# Scan for scheduled tasks that launch encoded or inline-evaluated PowerShell
function Get-SuspiciousScheduledTasks {
    $suspiciousTasks = @()
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # -match is case-insensitive; the pattern covers -e, -enc and -encodedcommand
            if ($action.Execute -match "powershell|pwsh" -and
                $action.Arguments -match "(^|\s)-e(c|n|nc|ncodedcommand)?(\s|$)|invoke-expression|\biex\b") {
                $suspiciousTasks += $task
            }
        }
    }
    return $suspiciousTasks
}
Bash Scripts for Linux Systems
#!/bin/bash
# Hunt for Linux-based TernDoor indicators. Family names rarely appear in process
# names; the path patterns (execution from world-writable directories) are the useful part.
# Check for suspicious processes
echo "Checking for suspicious processes..."
ps -eo pid,ppid,user,cmd | grep -E '(TernDoor|PeerTime|BruteEntry|/tmp/|/dev/shm/|/var/tmp/)' | grep -v grep
# Check for unusual network connections: show the owning process of every
# established or listening socket (ss replaces the deprecated netstat, whose
# pid/program column cannot be passed to ps directly)
echo "Checking network connections..."
ss -tunap 2>/dev/null | grep -E 'ESTAB|LISTEN' | grep -oE 'pid=[0-9]+' | cut -d= -f2 | sort -un \
  | xargs -r -I{} ps -p {} -o pid,ppid,user,cmd --no-headers
# Check for persistence mechanisms (needs root to read other users' crontabs)
echo "Checking crontab entries..."
for user in $(cut -d: -f1 /etc/passwd); do
  crontab -l -u "$user" 2>/dev/null | grep -v '^#' | sed "s/^/$user: /"
done
ls -la /etc/cron.d /etc/cron.hourly /etc/cron.daily 2>/dev/null
# Check systemd services: enabled units, plus unit files changed in the last 30 days
echo "Checking systemd services..."
systemctl list-unit-files --type=service --state=enabled --no-pager
find /etc/systemd/system /usr/lib/systemd/system -name '*.service' -mtime -30 -ls 2>/dev/null
# Look for suspicious files in common drop locations: hidden files, shared objects,
# and anything executable
echo "Checking suspicious file locations..."
find /tmp /dev/shm /var/tmp -type f \( -name '.*' -o -name '*.so' -o -perm -u+x \) -ls 2>/dev/null
Mitigation Strategies
Organizations should implement the following layered defense approach:
1. Immediate Actions
# Bring OS packages current; for telecom-specific software and edge-device
# firmware, follow the vendor advisory rather than relying on a blanket upgrade
sudo apt-get update && sudo apt-get upgrade -y   # Debian/Ubuntu systems
sudo yum update -y                                # RHEL/CentOS systems
# Disable legacy clear-text management services (unit names vary by distribution)
sudo systemctl disable --now telnet.socket
2. Network Segmentation
# Example NetworkPolicy for a containerized telecom-core workload: only edge-tier pods
# may reach it on TCP/443, and its own egress is limited to cluster DNS. An egress rule
# of "to: namespaceSelector: {}" would allow traffic to every namespace and defeat the
# segmentation; add one explicit rule per upstream the workload genuinely needs.
# Labels and namespace names are illustrative.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: telecom-segmentation
  namespace: telecom-core
spec:
  podSelector:
    matchLabels:
      tier: telecom-core
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: telecom-edge
      ports:
        - protocol: TCP
          port: 443
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
3. Edge Device Hardening
- Implement strict password policies: Minimum 12 characters with complexity requirements
- Disable default credentials: Create unique credentials for each deployment
- Enable multi-factor authentication: For all administrative access
- Regular firmware updates: Maintain a schedule of security updates
- Secure remote access: Reach management interfaces only through a VPN with certificate-based authentication, never by exposing them directly to the internet or to user networks
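Most of the hardening items above can be checked mechanically against a device's running configuration. As an added example, not code from the Talos report or from this page's author, the following Python audits an IOS-style configuration for the weak settings listed: clear-text or default credentials, telnet and HTTP management, unrestricted VTY access, default SNMP communities and SSH not pinned to version 2. Both configurations are constructed for illustration, the checks assume Cisco IOS syntax, and the default-account list is a hypothetical starting point.

```python
import re

# Constructed sample configs in Cisco IOS-style syntax (not from any real device).
WEAK_CONFIG = """\
hostname edge-rtr1
enable password cisco123
username admin privilege 15 password 0 admin
snmp-server community public RO
ip http server
line vty 0 4
 login local
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname edge-rtr1
aaa new-model
aaa authentication login default group tacacs+ local
enable secret 9 $9$examplehash
username breakglass privilege 15 secret 9 $9$examplehash
ip ssh version 2
snmp-server group v3ops v3 priv
no ip http server
ip access-list standard MGMT
 permit 10.20.30.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

# Account names that ship as defaults on many platforms (hypothetical list).
DEFAULT_NAMES = {"admin", "cisco", "root", "user", "support", "operator"}


def parse_blocks(config):
    """Return (top-level lines, 'line vty' sub-block lines) from an IOS-style config."""
    top, vty, current = [], [], None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            current.append(raw.strip())   # indented line belongs to the open vty block
            continue
        line = raw.strip()
        top.append(line)
        current = vty if line.startswith("line vty") else None
    return top, vty


def audit_edge_config(config):
    """Return the sorted list of weak-setting findings for one configuration."""
    top, vty = parse_blocks(config)
    findings = set()

    def present(pattern):
        # anchored match, so "no ip http server" does not count as "ip http server"
        return any(re.match(pattern, line) for line in top)

    if present(r"enable password "):
        findings.add("plaintext_enable_password")
    for line in top:
        m = re.match(r"username (\S+) .*\b(password|secret)\b", line)
        if m and m.group(2) == "password":
            findings.add("plaintext_user_password")
        if m and m.group(1) in DEFAULT_NAMES:
            findings.add("default_account_name")
    if present(r"snmp-server community (public|private)\b"):
        findings.add("default_snmp_community")
    if present(r"ip http server"):
        findings.add("http_mgmt_enabled")
    if not present(r"aaa new-model"):
        findings.add("no_aaa")
    if not present(r"ip ssh version 2"):
        findings.add("ssh_v2_not_forced")
    transport = [l for l in vty if l.startswith("transport input")]
    if not transport or any("telnet" in l or l.endswith(" all") for l in transport):
        findings.add("telnet_allowed")
    if not any(l.startswith("access-class") for l in vty):
        findings.add("vty_no_access_class")
    return sorted(findings)


if __name__ == "__main__":
    print("weak:", audit_edge_config(WEAK_CONFIG))
    print("hardened:", audit_edge_config(HARDENED_CONFIG))
```

Run it against configurations pulled by the existing backup or NetBox/Oxidized job rather than by hand; the point is that the checks are deterministic and cheap, so a drift from the hardened baseline on any edge device shows up the day it happens instead of during the next audit.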
4. Monitoring Enhancements
Deploy extended detection and response (XDR) capabilities covering:
- Network flow analysis with machine learning-based anomaly detection
- Endpoint detection and response (EDR) across all system types
- User and entity behavior analytics (UEBA) focusing on administrative accounts
- Cloud workload protection for virtualized telecom infrastructure
5. Supply Chain Security
# Python script for verifying software integrity. The expected hash must come from a
# trusted out-of-band source (vendor advisory or signed release notes); a hash fetched
# from the same location as the download proves nothing if that location is compromised.
import hashlib

def verify_software_integrity(file_path, expected_hash):
    sha256_hash = hashlib.sha256()
    with open(file_path, "rb") as f:
        # Read and update the hash in 64K blocks so large images are not loaded into memory
        for byte_block in iter(lambda: f.read(65536), b""):
            sha256_hash.update(byte_block)
    actual_hash = sha256_hash.hexdigest()
    if actual_hash == expected_hash.strip().lower():
        return True
    print(f"Hash mismatch for {file_path}")
    print(f"Expected: {expected_hash}")
    print(f"Actual: {actual_hash}")
    return False

# Example usage (replace the placeholder with the vendor-published hash)
verify_software_integrity("/opt/telecom/config.bin", "a1b2c3d4e5f6...")
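A single-file hash check does not catch the supply-chain pattern described above, where a maintenance tool's install tree gains a new loader or loses a configuration file. As an added example, not code from the Talos report or from this page's author, the following Python builds a SHA-256 manifest of an entire install tree and diffs it against a trusted manifest, reporting added, removed and modified files. The install tree and the tampering in demo() are constructed for illustration; the trusted manifest is assumed to have been obtained from the vendor over a separate, authenticated channel.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """SHA-256 of a file read in chunks so large firmware images stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifest(expected, actual):
    """Compare a trusted manifest with one computed from disk; hashes compare case-insensitively."""
    exp, act = set(expected), set(actual)
    return {
        "added": sorted(act - exp),
        "removed": sorted(exp - act),
        "modified": sorted(p for p in exp & act
                           if expected[p].lower() != actual[p].lower()),
    }


def demo():
    """Constructed install tree: record its manifest, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "maint-agent").write_bytes(b"#!/bin/sh\necho maintenance\n")
        (root / "etc").mkdir()
        (root / "etc" / "agent.conf").write_text("server=mgmt.example.net\n")
        trusted = build_manifest(root)   # stands in for the vendor-supplied manifest
        # Simulated compromise of the maintenance tool: binary replaced,
        # extra shared object dropped, configuration removed.
        (root / "bin" / "maint-agent").write_bytes(b"#!/bin/sh\necho tampered\n")
        (root / "lib").mkdir()
        (root / "lib" / "libhelper.so").write_bytes(b"\x7fELF")
        (root / "etc" / "agent.conf").unlink()
        return diff_manifest(trusted, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

An attacker who can replace the package can usually replace a hash published next to it, so the manifest itself needs to be authenticated (vendor signature, or pinned in your own configuration management at first install); the diff then tells you not just that something changed but exactly which files to pull for analysis.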
Executive Takeaways
- Critical infrastructure remains a prime target for state-sponsored actors, particularly telecommunications with its national security implications.
- Multi-platform malware represents the new normal in sophisticated campaigns, requiring unified defense approaches across Windows, Linux, and edge devices.
- Edge devices require dedicated security as they're increasingly being used as initial entry points for persistent threats.
- Proactive threat hunting is essential for detecting stealthy operations that bypass traditional security controls.
- Supply chain security must be elevated as attackers increasingly compromise trusted maintenance channels and third-party software.
The UAT-9244 campaign serves as a stark reminder that the threat landscape continues to evolve, with adversaries developing increasingly sophisticated tools specifically designed to exploit the unique challenges of securing critical telecommunications infrastructure.