A China-linked advanced persistent threat group has targeted critical telecommunications infrastructure in South America since 2024 using three previously undocumented implants, a technical analysis by Cisco Talos said.
KEY FACTS
- Incident: Targeting of telecommunications infrastructure in South America since 2024
- Implants: TernDoor for Windows, PeerTime for Linux, BruteEntry for edge devices
- Technique: TernDoor uses DLL side-loading via wsprint.exe and an embedded driver
- Impact: Edge devices can be converted into brute-force relay nodes
The cluster tracked as UAT-9244 has been active since at least November 2024. It shares tactical overlap with a cluster known as FamousSparrow and shows assessed similarities to Salt Typhoon, but no conclusive link has been established.
TernDoor is deployed via DLL side-loading: the legitimate wsprint.exe is used to launch a rogue BugSplatRc64.dll, which decrypts and executes the final payload in memory. It establishes persistence with a scheduled task or the Registry Run key and embeds a Windows driver used to suspend, resume and terminate processes. The backdoor supports a single command-line switch, "-u", to uninstall itself and remove its artifacts.
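The side-loading and persistence chain above is easy to hunt for in endpoint telemetry once the pieces are named. The following is an added example, not code from Cisco Talos or the TernDoor analysis: it runs two rules over Sysmon-style events, flagging wsprint.exe loading BugSplatRc64.dll from outside a trusted install location (or an unsigned copy of the DLL) and Run-key or schtasks persistence that points at such a copy. The field names, the trusted-directory list and every sample event are constructed assumptions for this example.

```python
"""Added example (not Cisco Talos or TernDoor code): hunt the described
DLL side-loading and persistence chain in Sysmon-style events.
Assumptions, not from the report: the field names, the trusted-directory
list, and every sample event below (all constructed)."""
from __future__ import annotations
import ntpath

# Where a legitimate wsprint.exe is expected to live (assumed). A copy that
# runs from a user-writable directory is the classic side-loading setup.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def rule_sideload(ev: dict) -> str | None:
    """Sysmon event 7 (ImageLoad): wsprint.exe loading BugSplatRc64.dll from
    an untrusted directory, or loading an unsigned copy of the DLL."""
    if ev["id"] != 7:
        return None
    image = ntpath.basename(ev["image"]).lower()
    loaded = ntpath.basename(ev["loaded"]).lower()
    if image != "wsprint.exe" or loaded != "bugsplatrc64.dll":
        return None
    if not in_trusted_dir(ev["image"]) or ev.get("signed", "false") != "true":
        return f"sideload: {ev['image']} loaded {ev['loaded']}"
    return None


def rule_persistence(ev: dict) -> str | None:
    """Sysmon event 13 (RegistryValueSet) or event 1 (ProcessCreate of
    schtasks.exe) that points a Run value or a task at an untrusted wsprint.exe."""
    if ev["id"] == 13:
        target, details = ev["target"].lower(), ev["details"]
        if ("\\currentversion\\run" in target and "wsprint.exe" in details.lower()
                and not in_trusted_dir(details.strip('"'))):
            return f"persistence: Run value {ev['target']} -> {details}"
    if ev["id"] == 1:
        cmd = ev.get("cmdline", "").lower()
        # Crude but sufficient here: a task whose command line names
        # wsprint.exe and mentions no trusted root at all.
        if (ntpath.basename(ev["image"]).lower() == "schtasks.exe"
                and "/create" in cmd and "wsprint.exe" in cmd
                and not any(root in cmd for root in TRUSTED_ROOTS)):
            return f"persistence: scheduled task -> {ev['cmdline']}"
    return None


def hunt(events: list[dict]) -> list[str]:
    return [hit for ev in events for rule in (rule_sideload, rule_persistence)
            if (hit := rule(ev))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate install: signed DLL beside the exe under Program Files.
    {"id": 7, "image": "C:\\Program Files\\PrintTools\\wsprint.exe",
     "loaded": "C:\\Program Files\\PrintTools\\BugSplatRc64.dll", "signed": "true"},
    # Side-load: both files copied to a user-writable directory, DLL unsigned.
    {"id": 7, "image": "C:\\Users\\Public\\Libraries\\wsprint.exe",
     "loaded": "C:\\Users\\Public\\Libraries\\BugSplatRc64.dll", "signed": "false"},
    # Run-key persistence pointing at that copy.
    {"id": 13, "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WsPrint",
     "details": "\"C:\\Users\\Public\\Libraries\\wsprint.exe\""},
    # Scheduled-task persistence pointing at a copy under ProgramData.
    {"id": 1, "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn Updater /tr \"C:\\ProgramData\\wsprint.exe\" /sc onlogon"},
    # Unrelated benign activity.
    {"id": 7, "image": "C:\\Windows\\System32\\svchost.exe",
     "loaded": "C:\\Windows\\System32\\ntdll.dll", "signed": "true"},
    {"id": 13, "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

On a real estate the trusted-root list should be replaced by the inventory of where the printer software is actually installed, and the signature check should be complemented by a hash allow-list of the known-good DLL, since a signed-but-old BugSplat binary can also be abused.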
PeerTime is a Linux peer-to-peer backdoor compiled for ARM, AArch64, PPC and MIPS and delivered with an instrumentor and shell scripts. The instrumentor checks for Docker and contains debug strings in Simplified Chinese. A loader decrypts and executes the payload in memory. The backdoor uses the BitTorrent protocol to obtain C2 information and can rename itself to resemble benign processes. Two variants exist: one written in C/C++ and a newer one in Rust.
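A process that renames itself changes what `ps` shows (/proc/<pid>/comm and cmdline) but not the binary behind /proc/<pid>/exe, so comparing the two is a cheap check for the masquerading trick described above. The following is an added example, not PeerTime or Talos code: it scores each process on a deleted or untrusted backing binary and on a task name that does not match that binary. The directory lists and the sample process table are constructed assumptions; the live collector reads the same fields from /proc on a Linux host.

```python
"""Added example (not PeerTime or Talos code): spot a Linux process that
renamed itself to look like a benign daemon by comparing /proc/<pid>/comm
with the binary behind /proc/<pid>/exe. The directory list and the sample
process table are assumptions constructed for this example."""
from __future__ import annotations
import os
from dataclasses import dataclass

# Locations a long-running daemon should not be executing from (assumed list).
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/run/user/")


@dataclass
class Proc:
    pid: int
    comm: str      # /proc/<pid>/comm: what `ps` shows, at most 15 bytes
    exe: str       # readlink("/proc/<pid>/exe"); "" for kernel threads
    cmdline: str   # /proc/<pid>/cmdline with NULs turned into spaces


def reasons_to_suspect(p: Proc) -> list[str]:
    """Return the red flags for one process (empty list = looks normal)."""
    if not p.exe:                       # kernel threads have no backing file
        return []
    flags = []
    exe = p.exe
    if exe.endswith(" (deleted)"):      # binary unlinked after start
        flags.append("binary deleted from disk")
        exe = exe[: -len(" (deleted)")]
    if exe.startswith(UNTRUSTED_DIRS):
        flags.append(f"binary runs from {os.path.dirname(exe)}")
    # comm normally equals the executable's basename (truncated to 15 bytes)
    # unless the process changed it, e.g. with prctl(PR_SET_NAME).
    if os.path.basename(exe)[:15] != p.comm[:15]:
        flags.append(f"name '{p.comm}' does not match binary '{exe}'")
    return flags


def find_masquerading(procs: list[Proc]) -> dict[int, list[str]]:
    return {p.pid: r for p in procs if (r := reasons_to_suspect(p))}


def read_live_proc_table() -> list[Proc]:
    """Live collector: builds the same records from /proc (Linux only; needs
    enough privilege to readlink other users' exe symlinks)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        base = f"/proc/{entry}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"{base}/exe")
            except OSError:             # kernel thread or permission denied
                exe = ""
            procs.append(Proc(int(entry), comm, exe, cmdline))
        except OSError:
            continue                    # process exited while being read
    return procs


# Constructed process table: two genuine daemons, a kernel thread and two
# PeerTime-style impostors.
SAMPLE_PROCS = [
    Proc(812, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    Proc(940, "nginx", "/usr/sbin/nginx", "nginx: worker process"),
    Proc(2211, "kworker/u8:1", "", ""),
    Proc(3977, "sshd", "/tmp/.x/peer (deleted)", "sshd"),
    Proc(4102, "cron", "/dev/shm/.c/crond", "/usr/sbin/cron"),
]

if __name__ == "__main__":
    table = read_live_proc_table() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, flags in find_masquerading(table).items():
        print(pid, "; ".join(flags))
```

cmdline is deliberately not used as evidence: it is fully attacker-controlled and legitimate daemons such as sshd and nginx rewrite it too, whereas comm and the exe link are maintained by the kernel.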
BruteEntry is a brute-force scanner installed on edge devices by shell scripts that drop two Go components. An orchestrator deploys BruteEntry, which contacts a C2 server for lists of IP addresses to target and then brute-forces Postgres, SSH and Tomcat servers on those hosts. Successful login attempts are reported back to the C2 server.
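From the network's point of view a compromised edge device running BruteEntry looks like one internal source trying logins against many Postgres, SSH and Tomcat endpoints in a short span, occasionally succeeding. The following is an added example, not BruteEntry or Talos code: a sliding-window detector over authentication-style log lines that flags such a source and lists the logins that worked. The log format, the service-to-port mapping, the thresholds and every sample line are constructed assumptions for this example.

```python
"""Added example (not BruteEntry or Talos code): flag an internal host that
behaves like a brute-force relay node, i.e. one source trying logins against
many distinct Postgres/SSH/Tomcat endpoints in a short window. The log
format, ports, thresholds and every sample line are constructed assumptions."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime

SERVICE_PORTS = {22: "ssh", 5432: "postgres", 8080: "tomcat", 8443: "tomcat"}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) result=(?P<result>ok|fail)$"
)


def parse_line(line: str) -> dict | None:
    """Parse one constructed-format log line; ignore unknown services."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    port = int(m["dport"])
    if port not in SERVICE_PORTS:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp(),
        "src": m["src"], "dst": m["dst"], "svc": SERVICE_PORTS[port],
        "ok": m["result"] == "ok",
    }


def detect_relay_nodes(lines, window_s: int = 300, min_targets: int = 8) -> dict[str, dict]:
    """Return {src: summary} for sources that touched >= min_targets distinct
    (dst, service) endpoints inside any window_s-second span. Successful logins
    are listed too, since those are what BruteEntry reports to its C2."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    verdicts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best, left, counts = 0, 0, defaultdict(int)
        for right, ev in enumerate(evs):          # two-pointer sliding window
            counts[(ev["dst"], ev["svc"])] += 1
            while evs[right]["ts"] - evs[left]["ts"] > window_s:
                key = (evs[left]["dst"], evs[left]["svc"])
                counts[key] -= 1
                if counts[key] == 0:
                    del counts[key]
                left += 1
            best = max(best, len(counts))
        if best >= min_targets:
            verdicts[src] = {
                "targets_in_window": best,
                "attempts": len(evs),
                "services": sorted({e["svc"] for e in evs}),
                "successes": [(e["dst"], e["svc"]) for e in evs if e["ok"]],
            }
    return verdicts


# Constructed sample: 10.0.5.7 sweeps twelve hosts over SSH, Postgres and
# Tomcat in 12 seconds and gets one Postgres login right; 10.0.9.2 is an
# admin retrying a single box; the last line is a service the rule ignores.
SAMPLE_LOG = [
    f"2025-03-02T10:00:{i:02d}Z src=10.0.5.7 dst=10.1.2.{10 + i} dport={port} result=fail"
    for i, port in enumerate([22, 5432, 8080] * 4)
] + [
    "2025-03-02T10:00:15Z src=10.0.5.7 dst=10.1.2.20 dport=5432 result=ok",
    "2025-03-02T10:03:00Z src=10.0.9.2 dst=10.1.2.50 dport=22 result=fail",
    "2025-03-02T10:03:05Z src=10.0.9.2 dst=10.1.2.50 dport=22 result=fail",
    "2025-03-02T10:03:12Z src=10.0.9.2 dst=10.1.2.50 dport=22 result=ok",
    "2025-03-02T10:04:00Z src=10.0.9.9 dst=10.1.2.60 dport=443 result=fail",
]

if __name__ == "__main__":
    for src, verdict in detect_relay_nodes(SAMPLE_LOG).items():
        print(src, verdict)
```

Counting distinct endpoints rather than raw failures is what separates a relay node from a misconfigured client hammering one server; the threshold and window should be tuned to the environment, and any source flagged from an edge-device address range deserves immediate attention because it implies the device itself is compromised.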
WHY IT MATTERS
Compromise of telecommunications infrastructure and the conversion of edge devices into brute-force relay nodes increase risks to network stability and data confidentiality. Operators should prioritize patching, removing exposed services, and monitoring for unusual scanning and proxying activity.