Reconnaissance
Initial Probing and Target Identification
The threat actor, UAT-9244, actively scanned for and identified telecommunication service providers in South America as targets, likely gathering information about their infrastructure and potential vulnerabilities.
Weaponization
Development of Custom Malware Toolkit
UAT-9244 developed and deployed three new malware families: TernDoor (Windows backdoor), PeerTime (Linux P2P backdoor), and BruteEntry (brute-force scanner/ORB builder), tailored for compromising diverse telecom network devices.
Initial Access
Exploiting Vulnerabilities and Deploying Backdoors
Initial access is not tied to a specific exploit in this report; the attackers most likely exploited unpatched vulnerabilities or weak configurations on exposed telecom devices, then established their foothold by deploying TernDoor through DLL side-loading on Windows hosts and PeerTime on Linux and embedded devices.
Execution
In-Memory Payload Execution and Process Hollowing
TernDoor decrypts and executes its payload in memory, injecting it into legitimate processes like 'msiexec.exe'. PeerTime also decrypts and loads its payload in memory, renaming its process to appear legitimate.
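Hunting for the injection pattern described above, as an added example that is not part of the original report or of any Talos tooling: the checks below run over Sysmon-style process-creation (EventID 1), CreateRemoteThread (EventID 8) and ProcessAccess (EventID 10) events and flag msiexec.exe started by an unexpected parent or with no arguments, and any other process threading into or opening it with write rights. The sample events, the parent allowlist, the benign-accessor list and the access mask are constructed assumptions to be tuned per environment.

```python
import re

# Assumption: parents that legitimately start msiexec.exe (tune per environment).
LEGIT_PARENTS = {"services.exe", "explorer.exe", "msiexec.exe", "svchost.exe"}
# Assumption: system processes that routinely open other processes with broad rights.
BENIGN_ACCESSORS = {"csrss.exe", "lsass.exe", "wmiprvse.exe", "taskmgr.exe"}
# PROCESS_VM_OPERATION (0x8) | PROCESS_VM_WRITE (0x20): both are needed to write
# a payload into another process; injectors usually request far more (0x1FFFFF).
WRITE_MASK = 0x8 | 0x20


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_msiexec(path):
    return basename(path) == "msiexec.exe"


def check_process_create(ev):
    """EventID 1: msiexec.exe from an odd parent, or started with no arguments
    (a hollowing target is spawned bare and then overwritten in memory)."""
    if not is_msiexec(ev["Image"]):
        return None
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").strip()
    # Drop the (possibly quoted) image path and see whether any argument remains.
    args = re.sub(r'^"?[^"]*msiexec\.exe"?\s*', "", cmd, flags=re.I)
    if parent not in LEGIT_PARENTS:
        return f"msiexec.exe spawned by unexpected parent {parent}"
    if not args:
        return "msiexec.exe started with no arguments"
    return None


def check_remote_thread(ev):
    """EventID 8: a thread created inside msiexec.exe by another process."""
    if is_msiexec(ev["TargetImage"]) and not is_msiexec(ev["SourceImage"]):
        return f"remote thread in msiexec.exe from {basename(ev['SourceImage'])}"
    return None


def check_process_access(ev):
    """EventID 10: a handle to msiexec.exe with write rights, held by a process
    that is neither msiexec itself nor a known system accessor."""
    source = basename(ev["SourceImage"])
    granted = int(ev["GrantedAccess"], 16)
    if (is_msiexec(ev["TargetImage"]) and not is_msiexec(ev["SourceImage"])
            and source not in BENIGN_ACCESSORS
            and (granted & WRITE_MASK) == WRITE_MASK):
        return f"{source} opened msiexec.exe with write access 0x{granted:x}"
    return None


CHECKS = {1: check_process_create, 8: check_remote_thread, 10: check_process_access}


def hunt(events):
    """Return (EventID, reason) for every event one of the checks flags."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        reason = check(ev) if check else None
        if reason:
            hits.append((ev["EventID"], reason))
    return hits


# Constructed sample events using Sysmon field names (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\msiexec.exe /V"},      # benign: Installer service
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\ProgramData\Update\loader.exe",
     "CommandLine": r"C:\Windows\System32\msiexec.exe"},         # bare msiexec from odd parent
    {"EventID": 8, "SourceImage": r"C:\ProgramData\Update\loader.exe",
     "TargetImage": r"C:\Windows\System32\msiexec.exe"},         # remote thread
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Update\loader.exe",
     "TargetImage": r"C:\Windows\System32\msiexec.exe",
     "GrantedAccess": "0x1FFFFF"},                               # full-access handle
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\msiexec.exe",
     "GrantedAccess": "0x1FFFFF"},                               # benign accessor
]

if __name__ == "__main__":
    for event_id, reason in hunt(SAMPLE_EVENTS):
        print(event_id, reason)
```

The three checks are deliberately independent so each can be mapped to its own detection rule; a single loader producing hits on all three for the same target process is a much stronger signal than any one of them alone.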
Persistence
Establishing Footholds via Scheduled Tasks and Registry
TernDoor achieves persistence through scheduled tasks and Windows Registry modifications. Scheduled tasks and the Registry do not exist on Linux, so PeerTime is expected to rely on the Linux equivalents (cron entries, init scripts or service units) to maintain access; the report does not detail which.
Privilege Escalation
Leveraging System Drivers and Brute-Force Scanning
TernDoor carries an embedded Windows driver (WSPrint.sys) that it loads to manipulate processes from kernel mode, giving the backdoor capabilities its user-mode host process would not have. BruteEntry scans for SSH, Postgres, and Tomcat services and brute-forces their credentials; strictly this is credential access rather than a local privilege escalation, but the accounts it recovers (an SSH root or administrator login, the postgres superuser, a Tomcat manager account) often carry administrative rights on the target.
Defense Evasion
Obfuscation and Legitimate Process Masquerading
The malware employs techniques like DLL side-loading, in-memory execution, and process renaming to evade detection. BruteEntry's use of ORBs also helps obscure the origin of scanning activities.
Command and Control
P2P Communication via BitTorrent Protocol
PeerTime uses the BitTorrent protocol for its command and control (C2), fetching payloads and instructions from peers rather than from a fixed server; with no single C2 address to block and a widely used protocol as the carrier, the traffic is harder to distinguish from legitimate network activity. The caveat for defenders is that this blending works only where BitTorrent traffic is expected: a core-network or management host speaking the peer-wire or DHT protocol is itself an anomaly worth alerting on.
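An added example, not tooling from the report: a detector for the two BitTorrent artifacts a PeerTime-style peer must emit on the wire, the 68-byte peer-wire handshake over TCP and bencoded DHT queries over UDP, applied to constructed flow payloads from infrastructure hosts that have no business torrenting. The flow field names, sample payloads and the empty allowlist are assumptions; the bencode decoder and handshake layout follow the public BitTorrent specifications.

```python
HANDSHAKE_PSTR = b"BitTorrent protocol"
DHT_QUERIES = {"ping", "find_node", "get_peers", "announce_peer"}


def parse_handshake(payload):
    """Return (info_hash_hex, peer_id) if payload starts with a peer-wire
    handshake: 1-byte pstrlen (19), pstr, 8 reserved bytes, info_hash, peer_id."""
    if len(payload) < 68 or payload[0] != 19 or payload[1:20] != HANDSHAKE_PSTR:
        return None
    return payload[28:48].hex(), payload[48:68]


def bdecode(data, i=0):
    """Minimal bencode decoder returning (value, next_index); raises ValueError
    on anything that is not bencode."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":
        d, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            v, i = bdecode(data, i)
            d[k] = v
        return d, i + 1
    colon = data.index(b":", i)          # byte string: <len>:<bytes>
    n = int(data[i:colon])
    start = colon + 1
    return data[start:start + n], start + n


def parse_dht(payload):
    """Return (query, node_id_hex) for a DHT query message, else None."""
    try:
        msg, _ = bdecode(payload)
    except (ValueError, IndexError, RecursionError):
        return None
    if not isinstance(msg, dict) or msg.get(b"y") != b"q":
        return None
    query = msg.get(b"q", b"")
    args = msg.get(b"a", {})
    node_id = args.get(b"id", b"") if isinstance(args, dict) else b""
    if not isinstance(query, bytes) or not isinstance(node_id, bytes):
        return None
    query = query.decode("ascii", "replace")
    if query not in DHT_QUERIES:
        return None
    return query, node_id.hex()


def hunt_bittorrent(flows, allowed_hosts=frozenset()):
    """(src, reason) for every flow from a non-allowlisted host that carries a
    peer-wire handshake (tcp) or a DHT query (udp)."""
    alerts = []
    for f in flows:
        if f["src"] in allowed_hosts:
            continue
        if f["proto"] == "tcp":
            hs = parse_handshake(f["payload"])
            if hs:
                alerts.append((f["src"], f"bittorrent handshake info_hash={hs[0]}"))
        elif f["proto"] == "udp":
            q = parse_dht(f["payload"])
            if q:
                alerts.append((f["src"], f"dht {q[0]} node_id={q[1]}"))
    return alerts


# Constructed payloads and flows (not captures from the campaign).
HANDSHAKE = (b"\x13BitTorrent protocol" + b"\x00" * 8
             + bytes(range(20))                  # info_hash
             + b"-UT1234-" + b"x" * 12)          # peer_id
DHT_PING = b"d1:ad2:id20:" + b"\xaa" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"
DHT_GET_PEERS = (b"d1:ad2:id20:" + b"\xbb" * 20 + b"9:info_hash20:" + b"\xcc" * 20
                 + b"e1:q9:get_peers1:t2:aa1:y1:qe")
DHT_RESPONSE = b"d1:rd2:id20:" + b"\xdd" * 20 + b"e1:t2:aa1:y1:re"   # a reply, not a query

SAMPLE_FLOWS = [
    {"src": "10.10.1.5", "dst": "203.0.113.9", "proto": "tcp", "dport": 6881, "payload": HANDSHAKE},
    {"src": "10.10.1.5", "dst": "203.0.113.10", "proto": "udp", "dport": 6881, "payload": DHT_PING},
    {"src": "10.10.1.7", "dst": "198.51.100.4", "proto": "udp", "dport": 51413, "payload": DHT_GET_PEERS},
    {"src": "10.10.1.7", "dst": "198.51.100.4", "proto": "udp", "dport": 51413, "payload": DHT_RESPONSE},
    {"src": "10.10.1.9", "dst": "203.0.113.50", "proto": "tcp", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"},
    {"src": "10.10.1.9", "dst": "10.10.0.2", "proto": "udp", "dport": 53,
     "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00"},
]

if __name__ == "__main__":
    for src, reason in hunt_bittorrent(SAMPLE_FLOWS):
        print(src, reason)
```

Matching on protocol structure rather than on ports matters here: a P2P backdoor can listen anywhere, but it cannot complete a peer-wire session without the fixed 68-byte handshake, and it cannot find peers without DHT queries, so those are the stable things to look for.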
Lateral Movement
Building Proxy Infrastructure (ORBs) for Scanning
BruteEntry turns compromised devices into Operational Relay Boxes (ORBs), which are then used to scan for new targets and perform brute-force attacks, facilitating lateral movement within the network and beyond.
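Detection logic for both sides of the BruteEntry activity described in this and the Privilege Escalation section, as an added example that is not code from the report: one detector counts failed logins per source and service (SSH, Postgres, Tomcat) in a sliding window to catch the brute-forcing, the other counts distinct destinations a single source touches on those ports, and labels an internal source that fans out this way as a device being used as an ORB/scanner. Record field names, thresholds, port-to-service mapping, the internal address ranges and all sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Services BruteEntry is reported to target, keyed by the default port each
# listens on (assumption: non-default ports must be added per environment).
BRUTE_PORTS = {22: "ssh", 5432: "postgres", 8080: "tomcat"}
# Assumption: address space of the operator's own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_bruteforce(auth_events, threshold=10, window=timedelta(minutes=5)):
    """(src, service, count) for sources with >= threshold failed logins to one
    service inside a sliding window. auth_events: dicts with ts, src, dport, outcome."""
    failures = defaultdict(list)
    for ev in sorted(auth_events, key=lambda e: e["ts"]):
        if ev["outcome"] == "fail":
            service = BRUTE_PORTS.get(ev["dport"], str(ev["dport"]))
            failures[(ev["src"], service)].append(ev["ts"])
    alerts = []
    for (src, service), times in failures.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:     # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((src, service, end - start + 1))
                break
    return alerts


def detect_fanout(flows, threshold=20, window=timedelta(minutes=10)):
    """(src, distinct_targets, role) for sources touching >= threshold distinct
    hosts on brute-force ports inside a window. An internal source doing this
    is a compromised device acting as an ORB/scanner, not an outside attacker."""
    per_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["dport"] in BRUTE_PORTS:
            per_src[f["src"]].append((f["ts"], f["dst"]))
    alerts = []
    for src, conns in per_src.items():
        start = 0
        for end, (ts, _) in enumerate(conns):
            while ts - conns[start][0] > window:
                start += 1
            targets = {dst for _, dst in conns[start:end + 1]}
            if len(targets) >= threshold:
                role = "internal device acting as ORB/scanner" if is_internal(src) else "external scanner"
                alerts.append((src, len(targets), role))
                break
    return alerts


# Constructed sample telemetry (not data from the report).
T0 = datetime(2024, 1, 1, 12, 0, 0)
AUTH_EVENTS = (
    # 12 SSH failures from one external address inside two minutes
    [{"ts": T0 + timedelta(seconds=10 * i), "src": "203.0.113.7", "dport": 22, "outcome": "fail"}
     for i in range(12)]
    # three Postgres failures spread over three minutes, then a success: below threshold
    + [{"ts": T0 + timedelta(seconds=60 * i), "src": "198.51.100.2", "dport": 5432, "outcome": "fail"}
       for i in range(3)]
    + [{"ts": T0 + timedelta(minutes=4), "src": "198.51.100.2", "dport": 5432, "outcome": "success"}]
)
FLOWS = (
    # an internal device sweeping 25 hosts on port 22 in under a minute: ORB behaviour
    [{"ts": T0 + timedelta(seconds=2 * i), "src": "10.20.30.40", "dst": f"10.20.{i}.1", "dport": 22}
     for i in range(25)]
    # the external brute-forcer only ever talks to one host
    + [{"ts": T0 + timedelta(seconds=5 * i), "src": "203.0.113.7", "dst": "10.20.30.40", "dport": 22}
       for i in range(3)]
)

if __name__ == "__main__":
    for alert in detect_bruteforce(AUTH_EVENTS):
        print("brute force:", alert)
    for alert in detect_fanout(FLOWS):
        print("fan-out:", alert)
```

The two detectors are meant to be read together: a brute-force alert on its own points at an external source, while a fan-out alert whose source is one of the operator's own devices means that device has already been turned into a relay and is scanning on the attacker's behalf.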
Collection
Information Gathering and Reconnaissance
TernDoor is capable of collecting system information. BruteEntry's scanning and brute-force activities are a form of ongoing reconnaissance to identify new targets and access points.
Exfiltration
Data Transfer and Command Execution
While not explicitly detailed as exfiltration in this report, the backdoors (TernDoor, PeerTime) are designed to execute commands, read/write files, and collect system information, which are precursors to data exfiltration.
Impact
Disruption and Espionage in Telecommunication Networks
The ultimate impact of UAT-9244's activities is likely the disruption of critical telecommunication services and potential espionage, leveraging compromised infrastructure for further attacks or intelligence gathering.