Sandman APT Attacks

Due to its vital infrastructure and the enormous quantity of sensitive data it manages, which includes both personal and business communications, the telecommunications sector is aggressively targeted by hackers.

Cyberattacks on telecommunications can lead to:-

  • Service disruptions
  • Data breaches
  • National security risks

In August 2023, SentinelLabs and QGroup GmbH identified an unknown threat cluster targeting telecoms, orchestrated by an unknown actor using the LuaJIT-based backdoor, dubbed ‘Sandman’ and ‘LuaDream.’

Researchers at SentinelLabs reported recently that the Sandman APT group is actively targeting telecom companies to deploy LuaDream malware and steal system information.

Targeted Victims

Security experts noted a clear focus on telecom providers across diverse regions in the activity cluster, as evidenced by C2 netflow data.

Here below, we have mentioned the targeted regions:-

  • Middle East
  • Western Europe
  • South Asian subcontinent
Targeted victims (Source – SentinelLabs)

LuaDream is a multi-component backdoor with multi-protocol capabilities like:-

  • Managing plugins
  • Exfiltrating system data
  • Exfiltrating user data

Technical Analysis

LuaDream’s architecture indicates an actively developed, versioned project with modular, multi-protocol capabilities, which includes:-

  • Stealing data for precise follow-up attacks.
  • Controlling plugins to expand LuaDream’s capabilities.

Accurate clustering is challenging due to sophisticated tactics, suggesting a motivated adversary with likely espionage goals targeting communication providers for sensitive data.

The string artifacts and compilation timestamps of LuaDream point to malware development activities in the first half of 2022, suggesting probable activity beginning in that year.


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Experts can’t attribute LuaDream to known actors but lean toward private contractors. LuaJIT’s use in APT malware, historically associated with Western actors, is expanding to a broader threat landscape, as seen with Sandman APT.

Security analysts saw Sandman attack certain workstations during August 2023 using pass-the-hash methods and stolen passwords. Sandman primarily concentrated on deploying LuaDream, with an average of five days elapsing between endpoint intrusions.

Sandman used DLL hijacking with a malicious ualapi.dll, loaded by the Spooler service without restarting it, which is part of the LuaDream loading process.

Here below, we have mentioned the DLL images that are involved in LuaDream staging:-

  • ualapi.dll
  • MemoryLoadPex64.dll
  • common.dll
LuaDream staging (Source – SentinelLabs)

While besides this, the C2 details were included in LuaDream’s config, and it’s been revealed that it communicates via WebSocket protocol with mode.encagil[.]com.

Netflow data analysis shows a lack of C2 infrastructure segmentation, as multiple LuaDream deployments in different regions communicate with the same server.

Moreover, Sandman’s attribution and mysterious actors like Metador remain a mystery. LuaDream exemplifies the ongoing innovation in cyber espionage malware.


IOCs (Source – SentinelLabs)

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.