China-Linked Hackers Use TurnDoor, PeerTime, BruteEntry in South American Telecom Attacks
An actor linked to China-advanced persistent threat (APT) has been targeting the most important telecommunications infrastructure in South America since 2024, targeting Windows and Linux systems and edge devices with three different implants.
The operation is followed by Cisco Talos under the moniker UAT-9244describes it as closely related to another collection known as FamousSparrow.
It’s worth noting that FamousSparrow is being tested to share tactical overlap with Salt Typhoon, a China-nexus spy group known for its targeting of telecommunications service providers. Despite identifying similarities between UAT-9244 and Salt Storm, there is no conclusive evidence linking the two clusters together.
In a campaign analyzed by a cybersecurity company, attack chains were found to spread three previously undocumented exploits: TernDoor targeting Windows, PeerTime (aka angrypeer) targeting Linux, and BruteEntry, installed on network edge devices.
The exact initial access method used in the attack is unknown, although the adversary has previously targeted systems running outdated versions of Windows Server and Microsoft Exchange Server to drop web shells to perform the following task.
TernDoor is implemented via DLL sideloading, using the official “wsprint.exe” executable to launch a robust DLL (“BugSplatRc64.dll”) that decrypts and executes the last payload in memory. A variant of Crowdoor (itself a variant of SparrowDoor), the backdoor is said to have been used by UAT-9244 since at least November 2024.
Establishes persistence on the host with a scheduled task or Registry Run key. It also differs from CrowDoor by using a different set of command codes and embedding a Windows driver to stop, restart, and terminate processes. In addition, it only supports a single command-line switch (“-u”) to remove itself from the host and remove all related artifacts.
Once it’s launched, it checks to make sure it’s included in “msiexec.exe,” after which it records the configuration to extract the command-and-control parameters (C2). Later, it establishes a connection with the C2 server, allowing it to create processes, execute arbitrary commands, read/write files, gather system information, and issue a driver to hide malicious components and control processes.
Further analysis of the UAT-9244 infrastructure led to the discovery of a Linux peer-to-peer (P2P) backdoor called PeerTime, which has been compiled for several architectures (ie, ARM, AARCH, PPC, and MIPS) to infect a variety of embedded systems. The ELF backdoor, as well as the binary instrumentor, is implemented via a shell script.
“The instrumentor ELF binary will check for the presence of Docker on a vulnerable host using docker and docker -q,” said Talos researchers Asheer Malhotra and Brandon White. “When Docker is detected, the PeerTime loader is executed. The instrumenter contains debug strings in Simplified Chinese, indicating that it is a custom binary created and reused by Chinese-speaking threat actors.”
The main goal of the loader is to de-encrypt and de-encrypt the final PeerTime load and do it directly in memory. PeerTime comes in two versions: one version written in C/C++ and a new one programmed in Rust. Besides having the ability to rename itself as a harmless side-detection process, the backdoor uses the BitTorrent protocol to download C2 information, download files from its peers, and use them on the compromised system.
Also staged on the threat actor’s servers is a set of shell scripts and payloads, including a brute-force scanner codenamed BruteEntry that is installed on edge devices to make them proxy nodes for mass scanning within an Operational Relay Box (ORB) capable of forcing Postgres, SSH, and Tomcat servers.
This is accomplished with a shell script that drops two Golang-based components: an orchestrator that delivers a BruteEntry, which then contacts the C2 server to get a list of IP addresses to target in order to perform a brute-force attack. The backdoor finally reports a successful login back to the C2 server.
“‘Success’ indicates whether the brute force was successful (true or false), and ‘notes’ provides specific information on whether the brute force was successful,” Talos said. “If login failed, the note reads ‘All authentications attempted.'”
