
China-Linked Hackers Breach Telcos via Edge Devices

Originally published on: January 10, 2026
Summary

– A threat actor tracked as UAT-7290, with strong links to China, has expanded its cyber-espionage operations from South Asian telecoms to include targets in Southeastern Europe.
– This group, active since at least 2022, acts as an initial access provider by establishing an Operational Relay Box (ORB) infrastructure for other China-aligned threat actors.
– UAT-7290 conducts extensive reconnaissance and uses a mix of custom malware, public exploits, and SSH brute force attacks to compromise public-facing network devices.
– Its primary arsenal is a Linux-based malware suite that includes implants such as RushDrop, DriveSwitch, SilentRaid, and Bulbature, the last of which is used to create ORBs.
– The group also occasionally deploys Windows malware like RedLeaves and ShadowPad, and its tools share infrastructure with other known China-nexus malware families.

A sophisticated cyber espionage group with strong links to China has expanded its geographic targeting, now breaching telecommunications providers in Southeastern Europe after previously focusing on South Asia. This threat actor, identified by researchers as UAT-7290, has been active since at least 2022 and functions as an initial access broker for other China-aligned hacking groups. Their primary method involves compromising public-facing edge devices, which are critical network infrastructure components, to establish a foothold within an organization’s systems.

The group conducts thorough reconnaissance before launching attacks. They employ a combination of custom-built malware, publicly available exploits, and open-source tools to infiltrate their targets. Initial access is often gained by exploiting known vulnerabilities in edge devices or through targeted SSH brute-force attacks. Once inside, the hackers escalate their privileges and deploy a suite of malicious software designed for persistence and data theft.

UAT-7290’s toolkit is notably versatile, operating across both Linux and Windows environments. While their operations heavily rely on a custom Linux malware suite, they have also been observed using Windows implants like RedLeaves and ShadowPad. These Windows tools are commonly shared among various threat actors connected to China.

The Linux-based components form a multi-stage infection chain. The process typically begins with RushDrop, also known as ChronosRAT, which acts as an initial dropper. This malware performs basic checks to avoid virtual machine analysis, sets up a hidden directory, and decodes several embedded binaries. These include a tool called DriveSwitch, which functions as an executor, and the main persistent backdoor known as SilentRaid.

SilentRaid, or MystRodX, is the core implant written in C++. It features a modular, plugin-based architecture that provides attackers with extensive control over a compromised system. Capabilities include remote shell access, port forwarding, file manipulation, and the ability to collect sensitive system information such as credential data from `/etc/passwd` and X.509 certificate details.

Another critical component is Bulbature, a Linux implant used to convert hacked devices into Operational Relay Boxes (ORBs). These ORBs create a covert proxy infrastructure that other threat actors can leverage for their own attacks, masking their true origin. Bulbature listens on network ports, can open reverse shells, and uses a self-signed TLS certificate for command-and-control communication.

Notably, the specific TLS certificate associated with Bulbature has been found on over 140 hosts based in China and Hong Kong. These same IP addresses have been linked to other notorious malware families, including SuperShell, GobRAT, and Cobalt Strike beacons, reinforcing the connection to a broader ecosystem of China-nexus cyber activity. Security teams are advised to monitor for the technical indicators of compromise associated with these tools to defend against this evolving threat.
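As an added defender-side example (not code from the article or from the referenced research), the hunt below scans constructed, simplified Zeek-style TLS log records for sessions whose server certificate is watchlisted or self-signed, then pivots on the fingerprint to list every host presenting the same certificate, the way a single C2 certificate is tied to many relay hosts. The watchlisted fingerprint, the log lines and the addresses are constructed placeholders, not real indicators.

```python
from typing import Dict, List, Set, Tuple

# Constructed watchlist; the real Bulbature fingerprint comes from the report, not here.
WATCHLIST_FP = {"a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"}
FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p", "subject", "issuer", "fp"]

# Constructed, simplified Zeek-style TLS records (tab-separated, '#' = header).
SAMPLE_LOG = (
    "#fields\t" + "\t".join(FIELDS) + "\n"
    "1767000001.1\t10.20.0.5\t51000\t198.51.100.10\t443\tCN=www.example.com"
    "\tCN=Example CA\t1111111111111111111111111111111111111111\n"
    "1767000002.2\t10.20.0.5\t51001\t203.0.113.7\t8443\tCN=localhost"
    "\tCN=localhost\ta1b2c3d4e5f60718293a4b5c6d7e8f9012345678\n"
    "1767000003.3\t10.20.0.9\t51002\t203.0.113.8\t443\tCN=localhost"
    "\tCN=localhost\tA1B2C3D4E5F60718293A4B5C6D7E8F9012345678\n"
    "1767000004.4\t10.20.0.9\t51003\t203.0.113.9\t443\tCN=dev\tCN=dev"
    "\tffffffffffffffffffffffffffffffffffffffff\n"
)

def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse records, skipping header lines and malformed rows; lower-case the hex."""
    out = []
    for line in text.splitlines():
        parts = line.split("\t")
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["fp"] = rec["fp"].lower()  # normalise case before the watchlist lookup
        out.append(rec)
    return out

def classify(rec: Dict[str, str]) -> List[str]:
    """Reasons a TLS session is suspicious (empty list if none)."""
    reasons = []
    if rec["fp"] in WATCHLIST_FP:
        reasons.append("watchlisted certificate")
    # Self-signed: issuer DN equals subject DN; unusual for an edge device's
    # outbound session to an unknown external host.
    if rec["issuer"] == rec["subject"]:
        reasons.append("self-signed certificate")
    return reasons

def hunt(text: str) -> List[Tuple[str, int, str, str]]:
    """(resp_h, resp_p, fingerprint, reasons) for every flagged session."""
    return [(r["resp_h"], int(r["resp_p"]), r["fp"], "; ".join(why))
            for r in parse_log(text) if (why := classify(r))]

def hosts_by_cert(records: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Pivot: hosts presenting the same certificate, i.e. a candidate ORB cluster."""
    pivot: Dict[str, Set[str]] = {}
    for r in records:
        pivot.setdefault(r["fp"], set()).add(r["resp_h"])
    return pivot
```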

(Source: Bleeping Computer)
