A China-linked cyber threat group identified as UAT-7290 has been reportedly targeting telecommunications organizations in South Asia and Southeastern Europe. These intrusions are espionage-focused, with the group active since at least 2022. Their strategy involves extensive reconnaissance on potential targets prior to launching attacks, which often leads to the deployment of various malware families like RushDrop, DriveSwitch, and SilentRaid, according to a report from Cisco Talos.
Researchers indicate that UAT-7290 not only conducts in-depth espionage operations but also establishes Operational Relay Box (ORB) nodes. This infrastructure is potentially leveraged by other Chinese threat actors, highlighting UAT-7290’s dual role as both an espionage entity and an initial access group.
The group’s methods are varied and combine open-source malware, custom tools, and exploits for newly disclosed vulnerabilities in popular networking products. Among the notable malware used in these attacks are the Windows implants RedLeaves and ShadowPad, both tied to Chinese cybercriminal factions.
However, UAT-7290 mainly employs a Linux-based malware suite that includes:
- RushDrop: A dropper initiating the infection chain.
- DriveSwitch: A peripheral malware used to execute SilentRaid.
- SilentRaid: A sophisticated C++ implant that provides persistent access to compromised systems, with functionality including remote shell access, port forwarding, and file handling.
Researchers previously noted that SilentRaid may be a variant of ChronosRAT, which is capable of executing various malicious tasks. Additionally, UAT-7290 employs a backdoor known as Bulbature, designed to turn compromised edge devices into ORBs.
The cyber threat group has demonstrated a clear pattern in its attacks, using one-day exploits and targeted SSH brute-force attempts to gain access to public-facing devices. The group appears to rely on publicly available exploit code rather than developing custom exploits, a consistent feature of its operational tradecraft.
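As an added defender-side illustration (not code from the Talos report or this article), the Python below scans constructed sshd log lines for the kind of failed-login burst against a public-facing host that the article attributes to UAT-7290's initial access, and flags the dangerous case where a successful login follows the burst. The hostname, IP addresses, timestamps and thresholds are assumed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not taken from the article): a burst of
# failed password attempts from one source against an edge host, then a success,
# plus benign noise from a second source.
SAMPLE_AUTH_LOG = """\
Jan 14 02:11:01 edge-gw sshd[4102]: Failed password for root from 198.51.100.23 port 51022 ssh2
Jan 14 02:11:03 edge-gw sshd[4104]: Failed password for invalid user admin from 198.51.100.23 port 51024 ssh2
Jan 14 02:11:04 edge-gw sshd[4106]: Failed password for root from 198.51.100.23 port 51026 ssh2
Jan 14 02:11:06 edge-gw sshd[4108]: Failed password for invalid user oracle from 198.51.100.23 port 51028 ssh2
Jan 14 02:11:07 edge-gw sshd[4110]: Failed password for root from 198.51.100.23 port 51030 ssh2
Jan 14 02:11:09 edge-gw sshd[4112]: Accepted password for root from 198.51.100.23 port 51032 ssh2
Jan 14 02:15:40 edge-gw sshd[4200]: Failed password for ops from 192.0.2.8 port 40010 ssh2
Jan 14 02:16:02 edge-gw sshd[4201]: Accepted publickey for ops from 192.0.2.8 port 40012 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year; assume one for ordering purposes
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_ssh_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: finding} for sources with >= threshold failures inside
    `window`; each finding notes whether a login succeeded after the burst."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m["src"]].append((parse_ts(m["ts"]), m["result"], m["user"]))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        for i, (t0, _, _) in enumerate(fails):
            # sliding window anchored at each failure
            burst = [e for e in fails[i:] if e[0] - t0 <= window]
            if len(burst) >= threshold:
                last_fail = burst[-1][0]
                findings[src] = {
                    "failures": len(burst),
                    "users": sorted({e[2] for e in burst}),
                    "success_after_burst": any(
                        e[1] == "Accepted" and e[0] >= last_fail for e in evs),
                }
                break
    return findings
```

A source flagged with `success_after_burst` set is the one to treat as a probable compromise rather than mere noise, since the article notes the group follows such access with malware deployment.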
Overall, UAT-7290’s harvesting of sensitive data highlights the evolving landscape of cyber espionage and the persistent threat it poses to the telecommunications sector.