Cisco Talos has identified a sophisticated cyber-espionage campaign conducted by UAT-7290, a China-nexus Advanced Persistent Threat (APT) group active since at least 2022. The group’s operations primarily target telecommunications infrastructure across South Asia, with recent expansions into Southeastern Europe. UAT-7290’s activities are characterized by strategic reconnaissance, targeted exploitation of edge networking devices, and deployment of custom malware implants designed for persistence, data exfiltration, and operational relay.
Severity: High
Threat Actor Background
UAT-7290 operates as part of a state-linked espionage apparatus aligned with Chinese cyber objectives. The group’s tooling, infrastructure, and victimology closely resemble other known Chinese APTs such as APT10 (MenuPass, Purple Typhoon) and Red Foxtrot (PLA Unit 69010).
Talos assesses with high confidence that UAT-7290 serves a dual function – acting both as an initial access broker for other China-based actors and as an espionage-focused operator.
Targeting And Objectives
- Primary Sector: Telecommunications
- Regions Targeted: South Asia (mainly telecom operators and backbone network providers), expanding into Southeastern Europe
- Objective: Long-term infiltration, data exfiltration, and conversion of compromised devices into Operational Relay Box (ORB) nodes – effectively forming a proxy infrastructure used by multiple threat groups.
Infection Chain And Malware Arsenal
UAT-7290 employs a multi-stage intrusion chain built on Linux-based malware designed for persistence and remote control.
- Initial Access:
  - Exploits one-day vulnerabilities (publicly known, recently patched flaws) in edge networking devices and runs targeted SSH brute-force attacks against specific victims.
  - Often relies on public proof-of-concept exploits rather than bespoke 0-days.
- Malware Components:
  - RushDrop (ChronosRAT): Initial dropper; unpacks multiple embedded binaries into a hidden directory named .pkgdb.
  - DriveSwitch: Launches the main payload (SilentRaid) after installation.
  - SilentRaid (MystRodX): Core implant providing backdoor access, with modular plugins for C2 communication, port forwarding, remote shell, and file management.
  - Bulbature: Converts compromised devices into ORB nodes, stores encoded C2 configuration files under /tmp, and uses TLS with a self-signed certificate for its C2 traffic.
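A host triage script for the on-disk artifacts named above (the hidden .pkgdb staging directory and UPX-packed ELF binaries), added here as an example and not taken from the Talos report. The directory tree it scans is a constructed fixture, and the UPX check is a byte-marker heuristic that a stripped or modified packer header would evade.

```python
"""Host triage for the on-disk artifacts this advisory attributes to UAT-7290.

Added example, not code from the Talos report. It looks for two things the
advisory names: a hidden `.pkgdb` directory (where RushDrop unpacks its
embedded binaries) and ELF files carrying the UPX packer magic. The UPX check
is a heuristic; a modified packer header will evade it.
"""
import os
import tempfile
from pathlib import Path

HIDDEN_STAGING_DIR = ".pkgdb"   # directory name taken from the advisory
ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"            # magic UPX writes into its packer header
HEAD_BYTES = 4096               # heuristic: the marker sits early in packed ELFs


def looks_upx_packed(path: Path) -> bool:
    """True if `path` starts with ELF magic and carries the UPX marker early on."""
    with path.open("rb") as fh:
        head = fh.read(HEAD_BYTES)
    return head.startswith(ELF_MAGIC) and UPX_MARKER in head


def scan_tree(root: str) -> list[tuple[str, str]]:
    """Walk `root`; return sorted (reason, path relative to root) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d == HIDDEN_STAGING_DIR:
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings.append(("hidden staging dir", rel.replace(os.sep, "/")))
        for f in filenames:
            p = Path(dirpath, f)
            if p.is_symlink() or not p.is_file():
                continue
            try:
                if looks_upx_packed(p):
                    rel = os.path.relpath(p, root)
                    findings.append(("upx-packed elf", rel.replace(os.sep, "/")))
            except OSError:  # unreadable file: skip rather than abort the sweep
                continue
    return sorted(findings)


def build_sample_tree(root: str) -> None:
    """Constructed fixture (no real malware): mimics the layout described above."""
    staging = Path(root, "var", "lib", HIDDEN_STAGING_DIR)
    staging.mkdir(parents=True)
    # fake "packed" binary: ELF magic, padding, then the UPX header marker
    (staging / "driveswitch").write_bytes(
        ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 200 + UPX_MARKER + b"\x00" * 64)
    Path(root, "usr", "bin").mkdir(parents=True)
    # benign, unpacked ELF: must not be flagged
    Path(root, "usr", "bin", "ls").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 300)
    Path(root, "tmp").mkdir()
    # text file that merely mentions the marker: not an ELF, must not be flagged
    Path(root, "tmp", "notes.txt").write_bytes(b"UPX! is a packer")


def demo() -> list[tuple[str, str]]:
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason:20} {path}")
```

Run it against a mounted device image or a live root with scan_tree("/") instead of the fixture; the ELF check keeps the packer heuristic from firing on text files or logs that happen to contain the string.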
MITRE ATT&CK
| Tactic | Technique | ID | Details |
|---|---|---|---|
| Reconnaissance | Gather Victim Host Information | T1592 | Conducts extensive technical reconnaissance before intrusions. |
| Resource Development | Develop Capabilities: Malware | T1587.001 | Custom development of RushDrop, DriveSwitch, SilentRaid, and Bulbature. |
| Initial Access | Exploit Public-Facing Application | T1190 | Exploits one-day vulnerabilities in edge networking devices. |
| Initial Access | Brute Force: Password Guessing | T1110.001 | Uses SSH brute force to gain access. |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 | Executes commands via busybox or /bin/sh. |
| Persistence | Create or Modify System Process | T1543 | Establishes persistence through system-level implants on the device. |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Leverages one-day vulnerabilities to escalate privileges. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Uses UPX packing and encoded configuration files. |
| Defense Evasion | Virtualization/Sandbox Evasion: System Checks | T1497.001 | Performs anti-VM and sandbox checks before execution. |
| Credential Access | Unsecured Credentials: Credentials In Files | T1552.001 | Reads /etc/passwd to enumerate local accounts and look for credential material. |
| Discovery | System Information Discovery | T1082 | Executes echo $(whoami) $(uname -nrm) to collect the current user, hostname, kernel release and architecture. |
| Discovery | System Network Configuration Discovery | T1016 | Executes cat /proc/net/route to read the kernel routing table. |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | Communicates with C2 over HTTP/S using encoded configurations. |
| Command and Control | Encrypted Channel: Asymmetric Cryptography | T1573.002 | Uses TLS with a self-signed certificate for C2 traffic. |
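The Discovery and Credential Access rows above name specific commands. A detection that looks for them as a chain under one parent process, rather than alerting on a single uname or cat, is added here as an example and is not from the Talos report. The key=value exec-telemetry line format and the sample log lines are constructed for illustration; the technique patterns are the commands from the table.

```python
"""Recon-chain detection over process-execution telemetry.

Added example, not from the Talos report. The log format below is constructed
for illustration (one key=value line per exec, as an EDR or auditd pipeline
might emit after normalisation); adapt LINE_RE to your own source. It flags a
parent process whose children run two or more of the discovery commands listed
in the ATT&CK table within a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) ppid=(?P<ppid>\d+) pid=\d+ '
    r'user=\S+ cmd="(?P<cmd>.*)"$')

# technique id -> pattern, taken from the table above
RECON_RULES = [
    ("T1082", re.compile(r"\buname -nrm\b|\bwhoami\b")),   # system information
    ("T1016", re.compile(r"/proc/net/route")),             # routing table
    ("T1552.001", re.compile(r"/etc/passwd")),             # account file
]
WINDOW = timedelta(seconds=60)
MIN_TECHNIQUES = 2   # one lone uname is admin noise; a chain is not


def parse(line: str):
    """Return (ts, host, ppid, cmd) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["host"], m["ppid"], m["cmd"]


def classify(cmd: str) -> set[str]:
    """Technique ids whose pattern matches the command line."""
    return {tid for tid, rx in RECON_RULES if rx.search(cmd)}


def detect_recon_chains(lines):
    """Return sorted (host, ppid, techniques) for sessions crossing the threshold."""
    sessions = defaultdict(list)   # (host, ppid) -> [(ts, technique)]
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, host, ppid, cmd = ev
        for tid in classify(cmd):
            sessions[(host, ppid)].append((ts, tid))
    alerts = []
    for (host, ppid), events in sessions.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # distinct techniques inside WINDOW starting at event i
            techs = {tid for t, tid in events[i:] if t - t0 <= WINDOW}
            if len(techs) >= MIN_TECHNIQUES:
                alerts.append((host, ppid, tuple(sorted(techs))))
                break
    return sorted(alerts)


# constructed sample telemetry (not real victim data)
SAMPLE_LOG = [
    '2025-10-01T08:12:03Z host=edge01 ppid=1410 pid=1422 user=root cmd="echo $(whoami) $(uname -nrm)"',
    '2025-10-01T08:12:04Z host=edge01 ppid=1410 pid=1423 user=root cmd="cat /proc/net/route"',
    '2025-10-01T08:12:06Z host=edge01 ppid=1410 pid=1424 user=root cmd="cat /etc/passwd"',
    # edge02: two recon commands from the same parent, but 30 minutes apart
    '2025-10-01T09:00:00Z host=edge02 ppid=2001 pid=2002 user=admin cmd="uname -nrm"',
    '2025-10-01T09:30:00Z host=edge02 ppid=2001 pid=2010 user=admin cmd="cat /proc/net/route"',
    '2025-10-01T10:00:00Z host=edge03 ppid=3001 pid=3002 user=root cmd="tail -f /var/log/syslog"',
]

if __name__ == "__main__":
    for host, ppid, techs in detect_recon_chains(SAMPLE_LOG):
        print(f"{host} parent {ppid}: {', '.join(techs)}")
```

Only edge01 alerts: three techniques from one parent within three seconds. The edge02 operator's two commands half an hour apart stay below the threshold, which is the point of correlating by parent and window rather than by single command.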
Recommendations
- Apply firmware and OS updates immediately for all edge networking devices (firewalls, load balancers, VPNs, routers).
- Restrict management access to edge devices (routers, firewalls, VPN concentrators) using IP whitelisting or jump hosts.
- Disable unused services and protocols on Linux-based devices (in particular Telnet and HTTP administrative interfaces), and expose SSH only where it is operationally required.
- Enforce multi-factor authentication (MFA) for all SSH and web-based administrative logins.
- Rotate administrator credentials and audit for brute-force SSH attempts from unknown IP addresses.
- Block the IOCs at their respective controls. The IOC collection for this campaign is published on VirusTotal: https://www.virustotal.com/gui/collection/53817bf38962e6cc5994b8decb6ea890c620a57b4ab603538abd534b2f1d9b05/iocs
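An audit script for the credential recommendations above (review brute-force SSH attempts from unknown addresses and spot a source that eventually got in), added here as an example and not from the Talos report. The auth.log lines are constructed, the source addresses are documentation ranges, and the management network 10.20.0.0/24 is an assumption standing in for your own jump-host range.

```python
"""SSH brute-force audit over sshd auth log lines.

Added example, not from the Talos report. It counts failed logins per source,
ignores sources inside the expected management/jump-host range (an assumed
range, constructed here), and flags a source that succeeded after failing,
which is the trace a successful password-guessing run leaves behind.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# assumption for this example: administrative SSH is only expected from here
MGMT_NETS = [ip_network("10.20.0.0/24")]
THRESHOLD = 5   # failures from one non-management source before we report it

FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2")
OK_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2")


def is_management(ip: str) -> bool:
    return any(ip_address(ip) in net for net in MGMT_NETS)


def audit_ssh(lines):
    """Return one finding per non-management source with >= THRESHOLD failures."""
    failures = Counter()
    users_tried = defaultdict(set)
    succeeded_after_failures = set()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            continue
        m = OK_RE.search(line)
        if m and failures[m["ip"]] > 0:
            # a success following failures from the same source: likely compromise
            succeeded_after_failures.add(m["ip"])
    findings = []
    for ip, n in failures.items():
        if n >= THRESHOLD and not is_management(ip):
            findings.append({
                "ip": ip,
                "failures": n,
                "users": sorted(users_tried[ip]),
                "success_after_failures": ip in succeeded_after_failures,
            })
    return sorted(findings, key=lambda f: (-f["failures"], f["ip"]))


# constructed sample auth.log (documentation address ranges, not real traffic)
SAMPLE_AUTH_LOG = [
    "Oct  1 08:12:01 edge01 sshd[2231]: Failed password for root from 203.0.113.45 port 51022 ssh2",
    "Oct  1 08:12:03 edge01 sshd[2233]: Failed password for root from 203.0.113.45 port 51024 ssh2",
    "Oct  1 08:12:05 edge01 sshd[2235]: Failed password for invalid user admin from 203.0.113.45 port 51026 ssh2",
    "Oct  1 08:12:07 edge01 sshd[2237]: Failed password for root from 203.0.113.45 port 51028 ssh2",
    "Oct  1 08:12:09 edge01 sshd[2239]: Failed password for root from 203.0.113.45 port 51030 ssh2",
    "Oct  1 08:12:11 edge01 sshd[2241]: Failed password for root from 203.0.113.45 port 51032 ssh2",
    "Oct  1 08:12:14 edge01 sshd[2243]: Accepted password for root from 203.0.113.45 port 51034 ssh2",
    # one typo from a legitimate operator, then a key-based login: below threshold
    "Oct  1 08:20:00 edge01 sshd[2301]: Failed password for ops from 198.51.100.7 port 40011 ssh2",
    "Oct  1 08:20:05 edge01 sshd[2303]: Accepted publickey for ops from 198.51.100.7 port 40012 ssh2",
    # repeated failures from inside the management range: excluded by the allowlist
    "Oct  1 08:30:00 edge01 sshd[2401]: Failed password for admin from 10.20.0.5 port 60001 ssh2",
    "Oct  1 08:30:02 edge01 sshd[2403]: Failed password for admin from 10.20.0.5 port 60002 ssh2",
    "Oct  1 08:30:04 edge01 sshd[2405]: Failed password for admin from 10.20.0.5 port 60003 ssh2",
    "Oct  1 08:30:06 edge01 sshd[2407]: Failed password for admin from 10.20.0.5 port 60004 ssh2",
    "Oct  1 08:30:08 edge01 sshd[2409]: Failed password for admin from 10.20.0.5 port 60005 ssh2",
]

if __name__ == "__main__":
    for f in audit_ssh(SAMPLE_AUTH_LOG):
        print(f)
```

The finding that matters is 203.0.113.45: six failures across root and admin, then an accepted password login, which means the credential rotation in the recommendation above is overdue for that device. Failures from inside the management range are suppressed here by design; review them separately rather than letting them drown the external signal.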
Source:
- https://blog.talosintelligence.com/uat-7290/