A brand new and mysterious APT group has been noticed concentrating on telco service suppliers in Europe and Asia as a part of what seems to be a cyberespionage marketing campaign, in response to a joint investigation by SentinelLabs and QGroup GmbH.
Based on SentinelLabs researcher Aleksandar Milenkoski, the shadowy APT group is utilizing a complicated modular backdoor based mostly on Lua, the light-weight cross-platform programming language designed primarily for embedded use in functions.
“Sandman has deployed a novel modular backdoor utilizing the LuaJIT platform, a relatively rare occurrence in the threat landscape,” Milenkoski stated, noting that your complete operation is characterised by a cautious and deliberate strategy: minimal and strategic actions inside contaminated networks, and a bigger objective to attenuate detection danger.
The superior risk actor, tagged as Sandman, has been seen concentrating on telecommunications suppliers throughout the Center East, Western Europe and the South Asian subcontinent.
Throughout a presentation on the LABScon safety convention, Milenkoski defined that the group is utilizing a bit of malware known as LuaDream that’s able to exfiltrating system and person info, paving the way in which for added precision assaults.
“The implementation of LuaDream indicates a well-executed, maintained, and actively developed project of a considerable scale,” the SentinelLabs researcher stated, noting that it’s tough to pin down the id of the APT group.
“The 36 distinct LuaDream components we identified and the support for multiple protocols for C2 communication indicate a project of a considerable scale. The LuaDream staging chain is designed to evade detection and thwart analysis while deploying the malware directly into memory,” he added.
SentinelLabs has clarified that the LuaDream malware doesn’t backdoor the LuaJIT platform. As an alternative, LuaJIT is utilized by the risk actor as a automobile to deploy backdoors on focused organizations.
Whereas obtainable knowledge factors to a cyberespionage adversary with a robust deal with concentrating on telcos throughout various geographical areas, Milenkoski stated LuaDream can’t be related to any recognized risk actor, suggesting it could be the work of a third-party hacker-for-hire vendor.
SentinelLabs researchers additionally known as consideration to using the Lua programming language, noting that using LuaJIT within the context of APT malware may be very uncommon.
Previously, risk hunters have seen extremely modular, Lua-utilizing malware related to high-end APTs like Flame, Animal Farm and Undertaking Sauron, however the Sandman APT discovery suggests the developmental paradigm has trickled right down to a broader set of actors, SentinelLabs researchers posited on the convention.
Apparently, the LuaDream malware has traits linking it to a different malware pressure named “DreamLand”, as recognized by Kaspersky in March 2023 throughout APT actions towards a authorities entity in Pakistan.
These correlations trace at a potential broader marketing campaign, with Sandman’s actions maybe courting again as early as 2022, Milenkoski stated.
Associated: Researchers Crowdsourcing Effort to ID Metador APT
Associated: ‘Strider’ Espionage Group Targets China, Russia, Europe
Associated: NSA Used Simple Tools to Detect Threat Actors on Hacked Devices
Associated: Experts Find 2007 Variant of Malware Linked to French Intelligence
Creator:
Date: 2023-09-21 16:46:20
