Sandman APT Brings LuaDream, Targets Telcos in Middle East | Cyware Hacker News

Researchers at SentinelOne have noticed a potential cyberespionage group, whose origins are unclear (as of now), and employed modular backdoors and covert techniques to target telecommunication firms in the Middle East, Western Europe, and South Asia. 

This group, labeled Sandman APT, utilizes a new backdoor named LuaJIT, which is a just-in-time compiler for the Lua programming language, making it hard to identify malicious Lua scripts.

Diving into details

Sandman predominantly targets telecommunication operators in the Middle East, Western Europe, and South Asia. 
  • The APT group has introduced a unique modular backdoor, termed LuaDream, that leverages the LuaJIT platform.
  • LuaDream introduces a malicious ualapi.dll file onto compromised systems via the Fax and Windows Spooler services. 
  • Instead of immediate execution, which could lead to detection, it waits for a system reboot by the user. 
  • Conducted in August, the Sandman campaign leveraged DLL hijacking to disguise this malicious file as a legitimate one with an identical name. 
  • Additionally, threat actors exploited the “pass the hash” method over the NTLM authentication protocol to target specific machines on the same network.

Why this matters

  • The researchers observed activities characterized by strategic lateral movement to particular workstations and minimal interaction. This suggests a meticulous strategy focused on achieving desired outcomes while limiting detection chances.
  • LuaDream’s design and deployment indicate it’s an ongoing project with version control. 
  • This modular, multi-protocol backdoor can harvest system and user details, priming for subsequent targeted strikes and managing plugins introduced by attackers to amplify its features.

Middle East suffers another cyberespionage campaign

A new backdoor malware called Deadglyph has been discovered targeting a government agency in the Middle East.
  • It is believed to be used by the hacking group Stealth Falcon, known for targeting activists and journalists.
  • The malware, which is modular in nature, boasts anti-evasion mechanisms and a self-removal mechanism if communications with the C2 server fail.

The bottom line

LuaDream serves as a powerful testament to the relentless drive and ingenuity of cyberespionage actors in constantly updating and refining their malware toolkit. To mitigate the impact of such campaigns, organizations should consider regular system patching, adopting advanced threat detection solutions, and providing cybersecurity training to staff, especially on recognizing and responding to potential threats. 

Additionally, with the Middle East once again under cyberespionage scrutiny, as evident with the recent discovery of Deadglyph malware, vigilance, and proactive defense mechanisms are more critical than ever.