
Uncovering UAT-9244: China-Linked Actors Weaponize TernDoor and BruteEntry Against Telco Infrastructure

Security Arsenal Team
March 13, 2026

In the evolving landscape of cyber warfare, critical infrastructure remains the ultimate prize. Recently, the threat intelligence team at Cisco Talos shed light on a concerning campaign by a threat cluster they track as UAT-9244. This China-linked Advanced Persistent Threat (APT) group has set its sights on the telecommunications backbone of South America, utilizing a sophisticated arsenal of malware implants to compromise Windows and Linux systems alike.

While the headline involves specific malware names like TernDoor, PeerTime, and BruteEntry, the deeper story is one of strategic espionage and the systematic targeting of edge devices. As these attacks have been active since 2024, it is crucial for security leaders to understand the mechanics of this intrusion to defend their networks.

The Threat Actor: UAT-9244 and FamousSparrow

UAT-9244 is not operating in a vacuum. Talos has noted strong overlaps between this cluster and the notorious FamousSparrow group, a threat actor historically known for targeting hotel networks, ISPs, and governments worldwide. The move toward South American telcos suggests a shift in focus toward intercepting communications and gathering intelligence on a regional scale.

By targeting both Windows and Linux environments—specifically edge devices which are often notoriously difficult to patch and monitor—the actors are exploiting the "soft underbelly" of enterprise networks. Once inside, they deploy a trio of tools designed to maintain persistence, harvest credentials, and move laterally.

Technical Analysis: The Implant Trio

The attack leverages three distinct implants, each serving a specific purpose in the kill chain:

  1. TernDoor: This modular backdoor is the primary payload. It is designed to provide the attackers with remote control capabilities, allowing them to execute shell commands, upload/download files, and update their own configuration to evade detection. Its modular nature allows it to swap out functionality based on the victim's environment (Linux or Windows).

  2. BruteEntry: True to its name, this component is a specialized utility focused on authentication. It facilitates brute-force attacks or credential stuffing against internal services. Once an edge device is compromised, BruteEntry helps the attackers pivot to adjacent systems by cracking weak passwords or reusing stolen credentials.

  3. PeerTime: Persistence is key for APTs. PeerTime appears to be a scheduling or timing mechanism used to maintain a presence on the host. It likely disguises its activity within legitimate system schedules or creates hidden tasks to trigger the other malware at specific intervals, reducing the footprint during active scanning.

Detection and Threat Hunting

Defending against UAT-9244 requires visibility into both Linux and Windows endpoints. Organizations should focus their hunting efforts on unusual process executions, particularly on edge devices like routers or gateways running Linux.

Hunting for Suspicious Processes (Bash)

The following Bash script can be used to scan for processes that might be associated with the TernDoor or BruteEntry implants, or generic indicators of suspicious activity on Linux endpoints:

```bash
#!/bin/bash

# Look for processes whose command line carries one of the implant names, or that run
# out of the world-writable staging directories Linux backdoors commonly drop into.
echo "Checking for suspicious processes..."
ps aux | grep -E '(TernDoor|PeerTime|BruteEntry|/tmp/|/dev/shm/)' | grep -v 'grep -E'

# Count ESTABLISHED TCP connections per owning program (run as root so the PIDs of
# other users' processes are visible). An unfamiliar program near the top of the list,
# or a familiar one with far more connections than usual, deserves a closer look.
echo "Checking established connections..."
netstat -antp 2>/dev/null | grep ESTABLISHED | awk '{print $7}' | cut -d'/' -f2 | sort | uniq -c | sort -nr | head -n 10
```
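Name matching alone is brittle, so the following added example (not part of the original post) hunts for BruteEntry's behaviour instead: a burst of failed SSH logins from a single internal source against many accounts, which is what a pivot from a compromised edge device looks like in the target's auth log. The log lines are constructed for the demo; the `find_bruteforce_sources` function name and its default threshold are my choices.

```bash
#!/bin/bash
# Surface BruteEntry-style activity by behaviour rather than file name: after an edge
# device falls, the pivot shows up as a burst of failed SSH logins from one internal
# source against many accounts. Reads sshd lines in syslog format from stdin.

# Print "source_ip failures distinct_users" for every source with at least
# $1 failed password attempts (default 5), most failures first.
find_bruteforce_sources() {
    threshold="${1:-5}"
    awk -v thr="$threshold" '
        # e.g. sshd[4021]: Failed password for [invalid user] alice from 10.0.5.20 port 51234 ssh2
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= thr) print ip, fails[ip], users[ip]
        }' | sort -k2,2nr
}

# Constructed sample (not real telemetry): 10.0.5.20, an internal gateway, sprays four
# accounts at a database host; 10.0.9.7 is a normal user who mistyped a password once.
SAMPLE_LOG='Mar 13 02:10:01 core-db1 sshd[4021]: Failed password for admin from 10.0.5.20 port 51234 ssh2
Mar 13 02:10:02 core-db1 sshd[4022]: Failed password for invalid user oracle from 10.0.5.20 port 51235 ssh2
Mar 13 02:10:02 core-db1 sshd[4023]: Failed password for root from 10.0.5.20 port 51236 ssh2
Mar 13 02:10:03 core-db1 sshd[4024]: Failed password for admin from 10.0.5.20 port 51237 ssh2
Mar 13 02:10:04 core-db1 sshd[4025]: Failed password for invalid user backup from 10.0.5.20 port 51238 ssh2
Mar 13 02:10:05 core-db1 sshd[4026]: Accepted publickey for ops from 10.0.9.7 port 40022 ssh2
Mar 13 02:11:40 core-db1 sshd[4031]: Failed password for ops from 10.0.9.7 port 40023 ssh2'

# Demo on the sample; on a live host use e.g.:
#   journalctl -u ssh --since -1h --no-pager | find_bruteforce_sources 10
printf '%s\n' "$SAMPLE_LOG" | find_bruteforce_sources 3
```

The distinct-user count is what separates credential stuffing from a single user fumbling a password: one source, many accounts is the signal to chase.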

KQL Queries for Microsoft Sentinel

If you are utilizing Microsoft Sentinel or Defender for Endpoint, use the following KQL query to detect potential indicators of compromise (IOCs) or behavior associated with these implants. This query looks for process creation events with filenames matching the known malware or suspicious command-line arguments.

```kql
DeviceProcessEvents
| where Timestamp >= ago(30d)
| where FileName in~ ("TernDoor", "PeerTime", "BruteEntry")
    or ProcessCommandLine contains "brute"
    or ProcessCommandLine contains "reverse"
// Legacy Sentinel entity columns: DeviceProcessEvents carries no IP field, so only
// host and account are mapped, and both are kept in the projection so the mapping survives.
| extend HostCustomEntity = DeviceName, AccountCustomEntity = AccountName
| project Timestamp, DeviceName, FileName, ProcessCommandLine, FolderPath, InitiatingProcessFileName, HostCustomEntity, AccountCustomEntity
```

Mitigation Strategies

Detecting these threats is only half the battle. To harden your telecommunications infrastructure against UAT-9244 and similar APTs, implement the following controls:

  • Secure Edge Devices: Ensure that all Linux-based edge devices (routers, firewalls, gateways) are running the latest firmware. Disable unused services and ports, and enforce strict SSH key management—password authentication should be disabled where possible.

  • Network Segmentation: Isolate critical telecom infrastructure from the general corporate network. If an edge device is compromised, segmentation prevents the attacker from using BruteEntry to pivot to sensitive backend servers.

  • Behavioral Monitoring: Traditional signature-based antivirus may miss modular backdoors like TernDoor. Implement Endpoint Detection and Response (EDR) solutions that monitor for process injection, unusual scheduled task creation (like PeerTime), and anomalous network traffic.

  • Credential Hygiene: Given the use of credential-theft tools, rotate credentials regularly for administrative accounts and enforce Multi-Factor Authentication (MFA) for all remote access points.
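The first control above asks for password authentication to be disabled on edge devices; the following added example (not part of the original post) audits an sshd_config for that and a few neighbouring settings, showing a constructed factory-default configuration beside its hardened form. The `audit_sshd_config` function, the set of keys checked and both sample configs are my choices, not taken from any real device.

```bash
#!/bin/bash
# Audit an sshd_config against the "Secure Edge Devices" control: reads the config on
# stdin and prints "key current -> expected" for each weak or missing setting (a missing
# key is judged by its OpenSSH default). Prints nothing when the file is hardened.
audit_sshd_config() {
    awk '
        BEGIN {
            # hardened value we want, and the OpenSSH default that applies when the key is absent
            want["passwordauthentication"] = "no";  def["passwordauthentication"] = "yes"
            want["permitrootlogin"]        = "no";  def["permitrootlogin"]        = "prohibit-password"
            want["pubkeyauthentication"]   = "yes"; def["pubkeyauthentication"]   = "yes"
            want["permitemptypasswords"]   = "no";  def["permitemptypasswords"]   = "no"
            want["x11forwarding"]          = "no";  def["x11forwarding"]          = "no"
        }
        /^[ \t]*(#|$)/ { next }                # comments and blank lines
        tolower($1) == "match" { exit }        # Match blocks are conditional; review them separately
        {
            key = tolower($1); val = tolower($2)
            if ((key in want) && !(key in got)) got[key] = val   # sshd honours the first occurrence
        }
        END {
            for (key in want) {
                cur = (key in got) ? got[key] : def[key]
                if (cur != want[key]) print key, cur, "->", want[key]
            }
        }' | sort
}

# Constructed configs (not from any real device): a factory-default edge box beside
# the hardened version an operator should end up with.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes'
HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no'

echo "--- weak config findings ---";     printf '%s\n' "$WEAK_CONFIG"     | audit_sshd_config
echo "--- hardened config findings ---"; printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config
# On a live host, audit the effective settings rather than the file: sshd -T | audit_sshd_config
```

Feeding `sshd -T` output instead of the file catches values set by included fragments, since it prints the configuration as the daemon actually resolved it.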
