Researchers at Cisco Talos have recently been tracking a sophisticated threat actor, known as UAT-7290, operating as a prominent member of the China-nexus APT landscape. Active since at least 2022, UAT-7290 demonstrates a significant capacity for conducting deep-seated espionage while simultaneously functioning as an initial access group for broader malicious operations.

Targeting and Dual Role

UAT-7290’s primary targeting focus has been telecommunications providers in South Asia, but recent intelligence indicates a notable expansion of their targeting scope into Southeastern Europe. An interesting finding of Talos’s assessment is UAT-7290's dual operational role:

  • Espionage: The actor executes typical espionage-focused attacks, burrowing deep within a victim enterprise’s network infrastructure to maintain covert persistence and exfiltrate data.
  • Initial Access Group: Their Tactics, Techniques, and Procedures (TTPs) and tooling suggest the establishment of Operational Relay Box (ORB) nodes. This ORB infrastructure appears to be leveraged by other China-nexus actors for their own operations, positioning UAT-7290 as a key initial access broker within this ecosystem.

Initial Access and TTPs

Talos’s findings suggest the threat actor is highly methodical, conducting deep reconnaissance of target organizations before initiating an intrusion. For initial access and privilege escalation on public-facing edge devices, UAT-7290 primarily relies on exploit payloads for recently patched, high-profile vulnerabilities in popular edge devices. The actor appears to rely on publicly available proof-of-concept exploit code rather than developing their own, which isn’t unusual, even for well-resourced adversaries. The group also uses tailored brute-force attacks against SSH to compromise public-facing edge devices.

UAT-7290 shares common TTPs with other known China-nexus adversaries, including:

  • Exploitation of high-profile vulnerabilities in networking devices.
  • Use of open-source web shells for persistence.
  • Leveraging UDP listeners.
  • Using compromised infrastructure to facilitate operations.

Expansive Tooling and Malware Suite

UAT-7290 possesses an expansive arsenal of tooling, which includes a mix of open-source malware, custom-developed malware, and bespoke implants. While the actor primarily leverages a Linux-based suite, they are also known to utilize Windows-based custom implants. Among the Linux malware the group uses are a malware dropper called RushDrop; DriveSwitch, which is used to execute other implants; and SilentRaid, the main malware implant, which is the persistence mechanism.

The UAT-7290 actors sometimes also use Windows-based implants commonly linked to the China APT ecosystem, including RedLeaves and ShadowPad.

Attribution Overlap

China has no shortage of state-backed threat groups, many of which share tooling and infrastructure, and often target similar organizations. UAT-7290’s intrusions have a lot in common with several other Chinese threat groups, most notably:

  • APT10/MenuPass: Technical indicators, specifically the use of the RedLeaves malware family, overlap with known activities of APT10.
  • ShadowPad infrastructure: Infrastructure associated with the widely used ShadowPad implant, deployed by a variety of China-nexus adversaries, has also been observed in UAT-7290 intrusions.
  • Red Foxtrot: UAT-7290 has a lot of targeting and tooling in common with Red Foxtrot.

“UAT-7290 shares overlapping TTPs with known China-nexus adversaries, including the exploitation of high-profile vulnerabilities in networking devices, use of open-source web shells for persistence, leveraging UDP listeners, and using compromised infrastructure to facilitate operations,” the Talos analysis says.