Microsoft: Mystery Group Targeting Telcos Linked to Chinese APTs

Published: 23/11/2024   Category: security

Analysis shows evidence the previously unknown Sandman group shares backdoor malware with various Chinese APT groups.



Common malware has led a group of researchers to link the once mysterious Sandman threat group, known for cyberattacks against telecom service providers across the world, to a growing web of Chinese government-backed advanced persistent threat (APT) groups.

The threat intelligence assessment is the result of a collaboration between Microsoft, SentinelLabs, and PwC, and offers just a small glimpse into the general complexity and breadth of the Chinese APT threat landscape, according to the researchers.
Sandman was first identified in August, following a series of cyberattacks on telcos across the Middle East, Western Europe, and South Asia, which notably used a backdoor called LuaDream based on the Lua programming language, as well as a backdoor called Keyplug, implemented in C++.

However, SentinelOne said its analysts weren't able to identify the threat group's origins until now.
"The samples that we analyzed do not share straightforward indicators that would confidently classify them as closely related or originating from the same source, such as use of identical encryption keys or direct overlaps in implementation," the new research found. "However, we observed indicators of shared development practices and some overlaps in functionalities and design, suggesting shared functional requirements by the operators. This is not uncommon in the Chinese malware landscape."
The new report says Lua development practices, as well as adoption of the Keyplug backdoor, appear to have been shared with the China-based threat actor STORM-0866/Red Dev 40, similarly known for targeting telcos in the Middle East and South Asia.
The report added that a Mandiant team first reported the Keyplug backdoor being used by the known Chinese group APT41 back in March 2022. In addition, Microsoft and PwC teams found the Keyplug backdoor was being passed around multiple additional Chinese-based threat groups, the report added.
The latest Keyplug malware gives the group a new advantage, according to the researchers, with new obfuscation tools.
"They distinguish STORM-0866/Red Dev 40 from the other clusters based on specific malware characteristics, such as unique encryption keys for KEYPLUG command-and-control (C2) communication, and a higher sense of operational security, such as relying on cloud-based reverse proxy infrastructure for hiding the true hosting locations of their C2 servers," according to the report.
Analysis of the C2 setup and both LuaDream and Keyplug malware strains showed overlaps, suggesting shared functional requirements by their operators, the researchers added.
Growing, effective collaboration between an expanding maze of Chinese APT groups requires similar knowledge-sharing among the cybersecurity community, the report added.

"Its constituent threat actors will almost certainly continue to cooperate and coordinate, exploring new approaches to upgrade the functionality, flexibility, and stealthiness of their malware," the report said. "The adoption of the Lua development paradigm is a compelling illustration of this. Navigating the threat landscape calls for continuous collaboration and information sharing within the threat intelligence research community."