Mysterious 'Sandman' APT Targets Telecom Sector With Novel Backdoor

Telecom companies can add one more sophisticated adversary to the already long list of advanced persistent threat (APT) actors they need to protect their data and networks against.

The new threat is "Sandman," a group of unknown origin that surfaced mirage-like in August and has been deploying a novel backdoor using LuaJIT, a high-performance, just-in-time compiler for the Lua programming language.

Researchers at SentinelOne are tracking the backdoor as "LuaDream" after observing it in attacks on telecommunications companies in the Middle East, Western Europe, and South Asia. Their analysis showed the malware is highly modular with an array of functions for stealing system and user information, enabling future attacks, and managing attacker-provided plugins that extend the malware's capabilities.

"At this time, there is no reliable sense of attribution," SentinelOne researcher Aleksandar Milenkoski said in a paper he presented at the company's LABScon conference this week. "Available data points to a cyber-espionage adversary with a strong focus on targeting telecommunication providers across diverse geographical regions."

A Popular Target

Telecom companies have long been a popular target for threat actors — especially state-backed ones — because of the opportunities they provide for spying on people and conducting broad cyber espionage. Call-data records, mobile subscriber identity data, and metadata from carrier networks can give attackers a way to track individuals and groups of interest very effectively. Many of the groups conducting these attacks have been based in countries like China, Iran, and Turkey.

More recently, the use of phones for two-factor authentication has given attackers looking to break into online accounts another reason to go after telecom companies. Some of these attacks have involved breaking into carrier networks to conduct SIM-swapping — porting another person's phone number to an attacker-controlled device — on a mass scale.

Sandman's main malware, LuaDream, contains 34 distinct components and supports multiple protocols for command-and-control (C2), indicating an operation of considerable scale, Milenkoski noted.

A Curious Choice

Thirteen of the components support core functions such as malware initialization, C2 communications, plugin management, and exfiltration of user and system information. The remaining components perform support functions such as implementing Lua libraries and Windows APIs for LuaDream operations.

One noteworthy aspect of the malware is its use of LuaJIT, Milenkoski noted. LuaJIT is typically something developers use in the context of gaming applications and other specialty applications and use cases. "Highly modular, Lua-utilizing malware is a relatively rare sight, with the Project Sauron cyber-espionage platform being one of the seldom-seen examples," he said. Its use in APT malware hints at the possibility of a third-party security vendor being involved in the campaign, he also noted.

SentinelOne's analysis showed that once the threat actor gains access to a target network, one big focus is on laying low and being as unobtrusive as possible. The group initially steals administrative credentials and quietly conducts reconnaissance on the compromised network seeking to break into specifically targeted workstations — especially those assigned to individuals in managerial positions. SentinelOne researchers observed the threat actor maintaining a five-day gap on average between endpoint break-ins to minimize detection. The next step typically involves Sandman actors deploying folders and files for loading and executing LuaDream, Milenkoski said.

LuaDream's features suggest it is a variant of another malware tool dubbed DreamLand that researchers at Kaspersky observed earlier this year being used in a campaign targeting a Pakistani government agency. Like LuaDream, the malware that Kaspersky discovered also was highly modular as used Lua in conjunction with the JIT compiler to execute code in a difficult-to-detect manner, Milenkoski said. At the time, Kaspersky described the malware as the first instance of an APT actor using Lua since Project Sauron and another older campaign dubbed Animal Farm.