Mysterious Sandman APT Targets Telecom Sector With Novel Backdoor

Published: 23/11/2024   Category: security

The Sandman group's main malware is among the very few that use the Lua scripting language and its just-in-time compiler.



Telecom companies can add one more sophisticated adversary to the already long list of advanced persistent threat (APT) actors they need to protect their data and networks against.
The new threat is Sandman, a group of unknown origin that surfaced mirage-like in August and has been deploying a novel backdoor using LuaJIT, a high-performance, just-in-time compiler for the Lua programming language.
Researchers at SentinelOne are tracking the backdoor as LuaDream after observing it in attacks on telecommunications companies in the Middle East, Western Europe, and South Asia. Their analysis showed the malware is highly modular, with an array of functions for stealing system and user information, enabling future attacks, and managing attacker-provided plugins that extend the malware's capabilities.
"At this time, there is no reliable sense of attribution," SentinelOne researcher Aleksandar Milenkoski said in a paper he presented at the company's LABScon conference this week. "Available data points to a cyber-espionage adversary with a strong focus on targeting telecommunication providers across diverse geographical regions."
Telecom companies have long been a popular target for threat actors — especially state-backed ones — because of the opportunities they provide for spying on people and conducting broad cyber espionage. Call-data records, mobile subscriber identity data, and metadata from carrier networks can give attackers a way to track individuals and groups of interest very effectively. Many of the groups conducting these attacks have been based in countries like China, Iran, and Turkey.
More recently, the use of phones for two-factor authentication has given attackers looking to break into online accounts another reason to go after telecom companies. Some of these attacks have involved breaking into carrier networks to conduct SIM-swapping — porting another person's phone number to an attacker-controlled device — on a mass scale.
Sandman's main malware, LuaDream, contains 34 distinct components and supports multiple protocols for command-and-control (C2), indicating an operation of considerable scale, Milenkoski noted.
Thirteen of the components support core functions such as malware initialization, C2 communications, plugin management, and exfiltration of user and system information. The remaining components perform support functions such as implementing Lua libraries and Windows APIs for LuaDream operations.
One noteworthy aspect of the malware is its use of LuaJIT, Milenkoski noted. LuaJIT is typically something developers use in the context of gaming applications and other specialty applications and use cases. Highly modular, Lua-utilizing malware is a relatively rare sight, with the Project Sauron cyber-espionage platform being one of the seldom-seen examples, he said. Its use in APT malware hints at the possibility of a third-party security vendor being involved in the campaign, he also noted.
SentinelOne's analysis showed that once the threat actor gains access to a target network, one big focus is on lying low and being as unobtrusive as possible. The group initially steals administrative credentials and quietly conducts reconnaissance on the compromised network, seeking to break into specifically targeted workstations — especially those assigned to individuals in managerial positions. SentinelOne researchers observed the threat actor maintaining a five-day gap on average between endpoint break-ins to minimize detection. The next step typically involves Sandman actors deploying folders and files for loading and executing LuaDream, Milenkoski said.
LuaDream's features suggest it is a variant of another malware tool dubbed DreamLand that researchers at Kaspersky observed earlier this year being used in a campaign targeting a Pakistani government agency. Like LuaDream, the malware that Kaspersky discovered was also highly modular and used Lua in conjunction with the JIT compiler to execute code in a difficult-to-detect manner, Milenkoski said. At the time, Kaspersky described the malware as the first instance of an APT actor using Lua since Project Sauron and another older campaign dubbed Animal Farm.
