A sophisticated threat actor that uses Linux-based malware to target telecommunications providers has recently broadened its operations to include organizations in Southeastern Europe.
Tracked internally by Cisco Talos as UAT-7290, the actor shows strong China nexus indicators and typically focuses on telcos in South Asia in cyber-espionage operations.
Active since at least 2022, the UAT-7290 group also serves as an initial access group by establishing an Operational Relay Box (ORB) infrastructure during the attacks, which is then utilized by other China-aligned threat actors.
According to the researchers, the hackers conduct extensive reconnaissance before a breach and deploy a mix of custom and open-source malware and public exploits for known flaws in edge network devices.
"UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access and escalate privileges on compromised systems," Cisco Talos says in a report today.
UAT-7290 arsenal
UAT-7290 primarily uses a Linux-based malware suite, with occasional deployments of Windows implants such as RedLeaves and ShadowPad, which are widely shared among multiple China-nexus actors.
Cisco highlights the following Linux malware families, linking them to UAT-7290:
RushDrop (ChronosRAT) – Initial dropper that begins the infection chain. Performs basic anti-VM checks, creates or verifies a hidden .pkgdb directory, and decodes three binaries embedded inside: daytime (DriveSwitch executor), chargen (the SilentRaid implant), and busybox, a legitimate Linux utility abused for command execution.
DriveSwitch – Peripheral component dropped by RushDrop with the primary function to execute the SilentRaid implant on the compromised system.
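A defender-side hunt for the on-disk artifacts described above, as an added example that is not code from the Talos report: it walks a filesystem for hidden .pkgdb directories holding files named daytime, chargen or busybox and notes which of them carry an ELF header. The sample tree it builds is constructed for the demonstration, and the name-based check is only a starting point for triage, not a substitute for the report's full indicators.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Artifact names the report attributes to RushDrop: a hidden .pkgdb directory
# holding the decoded daytime (DriveSwitch), chargen (SilentRaid) and busybox files.
PKGDB_DIRNAME = ".pkgdb"
DROP_NAMES = ("daytime", "chargen", "busybox")
ELF_MAGIC = b"\x7fELF"

@dataclass
class PkgdbFinding:
    path: str                                    # the .pkgdb directory located
    present: list = field(default_factory=list)  # expected names found inside it
    elf: list = field(default_factory=list)      # subset that carry an ELF header

def is_elf(path):
    """True if the file starts with the ELF magic, as dropped executables would."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False

def find_pkgdb_indicators(root):
    """Walk root and report every hidden .pkgdb directory holding the dropped names."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        if PKGDB_DIRNAME not in dirnames:
            continue
        pkgdb = os.path.join(dirpath, PKGDB_DIRNAME)
        present = [n for n in DROP_NAMES if os.path.isfile(os.path.join(pkgdb, n))]
        if present:  # a .pkgdb directory with none of the names is not reported
            elf = [n for n in present if is_elf(os.path.join(pkgdb, n))]
            findings.append(PkgdbFinding(pkgdb, present, elf))
    return findings

def demo():
    """Constructed sample tree (harmless stand-ins, not malware): one hit, one empty decoy."""
    base = tempfile.mkdtemp()
    hit = os.path.join(base, "home", "svc", PKGDB_DIRNAME)
    os.makedirs(hit)
    os.makedirs(os.path.join(base, "opt", "tool", PKGDB_DIRNAME))  # decoy: no dropped files
    samples = {"daytime": ELF_MAGIC + b"\x02", "chargen": ELF_MAGIC + b"\x02", "busybox": b"#!/bin/sh\n"}
    for name, body in samples.items():
        with open(os.path.join(hit, name), "wb") as fh:
            fh.write(body)
    return find_pkgdb_indicators(base)
```

Run `demo()` to see the single finding on the constructed tree; point `find_pkgdb_indicators` at `/` (or `/home`, `/tmp`, `/var`) on a host under triage.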