A beforehand unknown risk actor dubbed ‘Sandman’ targets telecommunication service suppliers within the Center East, Western Europe, and South Asia, utilizing a modular info-stealing malware named ‘LuaDream.’
This malicious exercise was found by SentinelLabs in collaboration with QGroup GmbH in August 2023, who named the risk actor and malware after the backdoor’s inside title of ‘DreamLand shopper.’
The operational type of Sandman is to maintain a low profile to evade detection whereas performing lateral motion and sustaining long-term entry to breached methods to maximise its cyberespionage operations.
A well-liked goal
The Sandman risk actor targets telecommunication service suppliers within the Center East, Western Europe, and South Asia subcontinents.
SentinelOne says the risk actor first features entry to a company community utilizing stolen administrative credentials.
As soon as the community is breached, Sandman has been seen utilizing “pass-the-hash” assaults to authenticate to distant servers and providers by extracting and reusing NTLM hashes saved in reminiscence.
The SentinelLabs report explains that, in a single occasion, all workstations focused by the hackers had been assigned to managerial personnel, indicating the attacker’s curiosity in privileged or confidential info.
Supply: SentinelLabs
LuaDream malware
SandMan has been seen deploying a brand new modular malware named ‘LuaDream’ in assaults utilizing DLL hijacking on focused methods. The malware will get its title from utilizing the LuaJIT just-in-time compiler for the Lua scripting language
The malware is used to gather information and handle plugins that stretch its performance, that are acquired from the command and management server (C2) and executed regionally on the compromised system.
The malware’s improvement seems to be energetic, with a retrieved model string indicating the discharge quantity “12.0.2.5.23.29,” and the analysts have seen indicators of logs and testing capabilities going way back to June 2022.
LuaDream’s staging depends on a complicated seven-step in-memory course of aiming to evade detection, initiated by both the Home windows Fax or Spooler service, which runs the malicious DLL file.
Supply: SentinelLabs
SentinelLabs reviews that the timestamps within the DLL information used for order hijacking are very near the assaults, which could point out they had been custom-created for particular intrusions.
Anti-analysis measures within the staging course of embrace:
- Concealing LuaDream’s threads from debuggers.
- Closing information with an invalid deal with.
- Detecting Wine-based sandbox environments.
- In-memory mapping to dodge EDR API hooks and file-based detections.
- Packing staging code with XOR-based encryption and compression.
LuaDream includes 34 elements, with 13 core and 21 assist elements, which make the most of the LuaJIT bytecode and the Home windows API by way of the ffi library.
Core elements deal with the malware’s major capabilities, like system and person information assortment, plugin management, and C2 communications, whereas assist elements cope with the technical facets, like offering Lua libs and Home windows API definitions.
Upon initialization, LuaDream connects to a C2 server (through TCP, HTTPS, WebSocket, or QUIC) and sends gathered info, together with malware variations, IP/MAC addresses, OS particulars, and so on.
Because of the attackers deploying particular plugins by way of LuaDream in every assault, SentinelLabs would not have an exhaustive listing of all plugins out there.
Nevertheless, the report notes one module named ‘cmd,’ whose title suggests it provides the attackers command execution capabilities on the compromised gadget.
Whereas a few of Sandman’s {custom} malware and a part of its C2 server infrastructure have been uncovered, the risk actor’s origin stays unanswered.
Sandman joins a rising listing of superior attackers concentrating on telecom corporations for espionage, utilizing distinctive stealthy backdoors which might be difficult to detect and cease.
Telecommunication suppliers are a frequent goal for espionage actions as a result of delicate nature of the information they handle.
Earlier this week, we reported on a brand new cluster of exercise tracked as ‘ShroudedSnooper‘ that used two novel backdoors, HTTPSnoop and PipeSnoop, towards telecommunication carriers within the Center East.