Mysterious ‘Sandman’ APT Targets Telecom Sector With Novel Backdoor

Telecom companies can add yet one more sophisticated adversary to the already lengthy list of advanced persistent threat (APT) actors they need to defend their data and networks against.

The new threat is “Sandman,” a group of unknown origin that surfaced mirage-like in August and has been deploying a novel backdoor using LuaJIT, a high-performance, just-in-time compiler for the Lua programming language.

Researchers at SentinelOne are tracking the backdoor as “LuaDream” after observing it in attacks on telecommunications companies in the Middle East, Western Europe, and South Asia. Their analysis showed the malware is highly modular, with an array of functions for stealing system and user information, enabling future attacks, and managing attacker-provided plugins that extend the malware’s capabilities.

“At this time, there is no reliable sense of attribution,” SentinelOne researcher Aleksandar Milenkoski said in a paper he presented at the company’s LABScon conference this week. “Available data points to a cyber-espionage adversary with a strong focus on targeting telecommunication providers across diverse geographical regions.”

A Popular Target

Telecom companies have long been a popular target for threat actors — particularly state-backed ones, because of the opportunities they offer for spying on individuals and conducting broad cyber espionage. Call-data records, mobile subscriber identification data, and metadata from carrier networks can give attackers a way to monitor individuals and groups of interest very effectively. Many of the groups conducting these attacks have been based in countries like China, Iran, and Turkey.

More recently, the use of phones for two-factor authentication has given attackers looking to break into online accounts another reason to go after telecom companies. Some of these attacks have involved breaking into carrier networks to conduct SIM-swapping — porting another person’s phone number to an attacker-controlled device — on a mass scale.

Sandman’s primary malware, LuaDream, comprises 34 distinct components and supports multiple protocols for command-and-control (C2), indicating an operation of considerable scale, Milenkoski noted.

A Curious Choice

Thirteen of the components support core functions such as malware initialization, C2 communications, plugin management, and exfiltration of user and system information. The remaining components perform support functions such as implementing Lua libraries and Windows APIs for LuaDream operations.

One noteworthy aspect of the malware is its use of LuaJIT, Milenkoski noted. LuaJIT is typically something developers use in the context of gaming applications and other specialty applications and use cases. “Highly modular, Lua-utilizing malware is a relatively rare sight, with the Project Sauron cyber-espionage platform being one of the seldom-seen examples,” he said. Its use in APT malware hints at the possibility of a third-party security vendor being involved in the campaign, he also noted.
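Because LuaDream ships its logic as Lua code executed through LuaJIT, one thing a defender can do during triage is look for precompiled Lua or LuaJIT bytecode embedded in files that have no business carrying it (unsigned DLLs in user-writable directories, unusual data files next to a loader, and so on). The following is an added example written for this article, not code from the article, SentinelOne, or the Sandman toolset, and it does not detect LuaDream specifically (the article publishes no indicators). It relies on two documented facts: LuaJIT 2.x bytecode dumps start with the bytes `0x1B 'L' 'J'` followed by a one-byte format version (`0x01` for LuaJIT 2.0, `0x02` for 2.1), and stock Lua precompiled chunks start with `0x1B 'L' 'u' 'a'` followed by a version byte (`0x51` for Lua 5.1 through `0x54` for 5.4). The sample buffer at the bottom is constructed for the demonstration.

```python
"""Locate embedded Lua / LuaJIT precompiled bytecode headers in a byte buffer.

Added triage example; the header constants are from the Lua and LuaJIT
bytecode formats, everything else (function names, sample data) is ours.
"""
import re
from typing import Dict, List

# Version byte that follows each magic, mapped to a human-readable label.
_LUAJIT_VERSIONS = {0x01: "2.0", 0x02: "2.1"}
_LUA_VERSIONS = {0x51: "5.1", 0x52: "5.2", 0x53: "5.3", 0x54: "5.4"}

# One pattern catches both header flavours: ESC 'L' then either 'J' (LuaJIT)
# or 'ua' (stock Lua). Group 1 is the flavour tag, group 2 the version byte.
# DOTALL is required so that '.' also matches a 0x0A version byte.
_HEADER_RE = re.compile(rb"\x1bL(J|ua)(.)", re.DOTALL)


def find_lua_bytecode(data: bytes) -> List[Dict[str, object]]:
    """Return every Lua/LuaJIT bytecode header found in `data`.

    Each hit records the byte offset, the flavour ("LuaJIT" or "Lua") and the
    decoded version label, or "unknown(0x..)" for a version byte we do not
    recognise (still worth a look: it may be a non-standard or patched build).
    """
    hits: List[Dict[str, object]] = []
    for m in _HEADER_RE.finditer(data):
        tag, ver = m.group(1), m.group(2)[0]
        if tag == b"J":
            flavour, version = "LuaJIT", _LUAJIT_VERSIONS.get(ver)
        else:
            flavour, version = "Lua", _LUA_VERSIONS.get(ver)
        hits.append({
            "offset": m.start(),
            "flavour": flavour,
            "version": version if version is not None else f"unknown(0x{ver:02x})",
        })
    return hits


def scan_file(path: str) -> List[Dict[str, object]]:
    """Convenience wrapper: read a file from disk and scan it."""
    with open(path, "rb") as fh:
        return find_lua_bytecode(fh.read())


# Constructed sample: a fake PE-like prefix, then a LuaJIT 2.1 header at
# offset 64 and a Lua 5.1 header at offset 89, separated by filler bytes.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60          # 64 bytes of "header"
    + b"\x1bLJ\x02\x0a"                   # LuaJIT 2.1 dump header (5 bytes)
    + b"A" * 20                           # filler
    + b"\x1bLua\x51\x00\x01\x04"          # Lua 5.1 chunk header
    + b"\x00" * 8
)


if __name__ == "__main__":
    for hit in find_lua_bytecode(SAMPLE):
        print(f"offset {hit['offset']:#06x}: {hit['flavour']} {hit['version']}")
```

Run it over a directory of suspect files with `scan_file`; a hit in a binary that is not a known Lua-based application (game clients and some network tools legitimately embed LuaJIT) is a reason to pull the file for deeper analysis, not a verdict on its own.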

SentinelOne’s analysis showed that after the threat actor gains access to a target network, one big focus is on lying low and being as unobtrusive as possible. The group initially steals administrative credentials and quietly conducts reconnaissance on the compromised network, seeking to break into specifically targeted workstations — particularly those assigned to individuals in managerial positions. SentinelOne researchers observed the threat actor maintaining a five-day gap on average between endpoint break-ins to minimize detection. The next step typically involves Sandman actors deploying folders and files for loading and executing LuaDream, Milenkoski said.

LuaDream’s features suggest it is a variant of another malware tool dubbed DreamLand that researchers at Kaspersky observed earlier this year being used in a campaign targeting a Pakistani government agency. Like LuaDream, the malware that Kaspersky discovered was also highly modular and used Lua alongside the JIT compiler to execute code in a difficult-to-detect manner, Milenkoski said. At the time, Kaspersky described the malware as the first instance of an APT actor using Lua since Project Sauron and another older campaign dubbed Animal Farm.

Author: Jai Vijayan, Contributing Writer, Dark Reading
Date: 2023-09-21 18:04:00
