Threat Actor Known as ‘Sandman’ Targets Telecom Providers on Three Continents
A yet unrecorded threat actor known as Sandman has been identified as the perpetrator behind a series of cyber attacks directed at telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent.
The incursions are noteworthy for their utilization of a just-in-time (JIT) compiler designed for the Lua programming language, commonly referred to as LuaJIT. This particular compiler serves as a means to distribute a unique implant known as LuaDream.
According to an analysis conducted by security researcher Aleksandar Milenkoski from SentinelOne, in collaboration with QGroup, “The observed activities can be described as strategic lateral movement towards designated workstations, with limited interaction. This indicates a purposeful approach focused on accomplishing predetermined objectives while minimizing the likelihood of being detected.”
“The deployment of LuaDream demonstrates a project of significant magnitude that has been well performed, consistently maintained, and actively developed.”
There is currently no established correlation between the campaign and its tactics and any identifiable threat actor or group. However, the evidence that is currently available suggests that the effort may be linked to a cyber espionage opponent that has shown a particular interest in targeting the telecommunications sector in several regions. The attacks were initially detected within a span of multiple weeks in August of 2023.
According to Milenkoski, “the LuaDream staging chain has been specifically developed to avoid detection and hinder analysis, hence facilitating the direct deployment of malware into the computer’s memory. The implementation and staging process of LuaDream makes use of the LuaJIT platform, which is a just-in-time compiler designed for the Lua scripting language. The main objective of this approach is to enhance the detection complexity of malicious Lua script code.”
The presence of string artifacts within the source code of the implant makes reference to June 3, 2022, suggesting that the preparation efforts have been in progress for a duration exceeding one year.
There is a suspicion that LuaDream may be classified as a variant of a recently identified malware strain known as DreamLand, as mentioned in Kaspersky’s APT trends report for Q1 2023. Kaspersky, a Russian cybersecurity firm, characterizes this malware as utilizing the Lua scripting language alongside its Just-in-Time (JIT) compiler to execute malicious code that possesses a high level of stealthiness.
The utilization of the Lua programming language is rather uncommon within the context of cybersecurity threats. It has been documented in three distinct cases since 2012, namely Flame, Animal Farm (also known as SNOWGLOBE), and Project Sauron.
The precise method of first entry into the system is currently not well understood; nonetheless, it has been noticed that the attacker acquires administrative credentials and does reconnaissance in order to compromise targeted workstations, finally deploying the LuaDream malware.
LuaDream is a modular and multi-protocol backdoor comprising 13 core components and 21 support components. Its primary purpose is to surreptitiously extract system and user information. Additionally, LuaDream facilitates the administration of attacker-supplied plugins, which enhance its functionality, including the execution of commands. Additionally, it incorporates a range of anti-debugging techniques in order to avoid detection and impede analysis.
The process of executing command-and-control (C2) communication involves establishing communication with a domain called “mode.encagil[.]com” through the utilization of the WebSocket protocol. However, it is capable of actively monitoring and accepting incoming connections through the utilization of TCP, HTTPS, and QUIC protocols.
The core modules encompass all the previously described functionalities, whilst the support components enhance the backdoor’s capabilities by enabling it to wait for connections via the Windows HTTP server API and execute instructions.
According to Milenkoski, “LuaDream serves as a noteworthy example of the persistent innovation and progress endeavors undertaken by cyber espionage threat actors in enhancing their constantly changing malware arsenal.”
The disclosure aligns with a concurrent report by SentinelOne, which provided a comprehensive account of persistent and deliberate infiltrations by Chinese threat actors in Africa. These infiltrations specifically targeted the telecommunications, finance, and government sectors within the African region. The report categorized these infiltrations into distinct clusters known as BackdoorDiplomacy, Earth Estries, and Operation Tainted Love.
According to the company’s statement, the objective is to expand its influence across the continent and utilize these offensives as a means to further its soft power agenda.
According to SentinelOne, a hack of a telecommunications company located in North Africa has been detected. The responsible threat actor is believed to be the same one involved in Operation Tainted Love. It is noteworthy that the date of this attack coincided with the organization’s ongoing private negotiations for expanding its regional presence.
According to security researcher Tom Hegel, the activities of the BackdoorDiplomacy APT and the group behind Operation Tainted Love demonstrate a deliberate effort to assist China in shaping policies and narratives that align with its geostrategic ambitions. This aims to establish China as a significant and influential player in Africa’s digital development.
Furthermore, it should be noted that this development occurred shortly after Cisco Talos disclosed the existence of a novel intrusion set named ShroudedSnooper, which specifically targets communications service providers in the Middle East. This intrusion set utilizes a series of covert backdoors referred to as HTTPSnoop and PipeSnoop.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.