Telecommunication service providers in Europe, the Middle East, and South Asia are under attack by a previously unknown threat actor that SentinelLabs has disclosed and named Sandman.
The quality of the malware points to a well-executed, maintained, and actively developed project of considerable scale. However, researchers were unable to attribute the campaign to any known threat actor.
“While the development style is historically associated with a specific type of advanced threat actor, inconsistencies between the high-end development of the malware and poor segmentation practices lead us towards the possibility of a private contractor or mercenary group,” the report suggests.
Sandman uses a novel modular backdoor built on the LuaJIT platform. LuaJIT is a just-in-time (JIT) compiler for Lua, a lightweight, dynamic scripting language that is rarely seen in espionage malware. SentinelLabs named the backdoor LuaDream.
“The activities are characterized by strategic lateral movements and minimal engagements, likely to minimize the risk of detection,” researchers write.
SentinelLabs, in collaboration with QGroup GmbH, observed Sandman's activities over several weeks in August 2023 and recovered 36 distinct LuaDream components. The first observed intrusion was interrupted before the operators could deploy any plugins. The complexity of the malware points to a highly motivated and well-resourced adversary.
The backdoor collects system and user information and exfiltrates it to the operators, paving the way for further, more targeted activity. Its capabilities can be extended with attacker-provided plugins, such as command execution.
“The LuaDream staging chain is designed to evade detection and thwart analysis while deploying the malware directly into memory,” the research said.
The command-and-control infrastructure and the observed activity show a pronounced focus on telecommunications providers, with targets spread across the Middle East, Western Europe, and the South Asian subcontinent.
“After stealing administrative credentials and conducting reconnaissance, Sandman infiltrated specifically targeted workstations using the pass-the-hash technique over the NTLM authentication protocol. On one of the targets, all of the workstations were assigned to personnel in managerial positions,” researchers write.
The operators were patient: they moved to new endpoints roughly five days apart on average, and they did not restart the services the malware needed in order to execute, likely to avoid drawing attention.
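The lateral movement described above, NTLM pass-the-hash into a handful of managerial workstations spaced days apart, leaves a recognisable trace in Windows Security event 4624. The following is an added example for defenders, not code from the SentinelLabs report or from this article: it applies the commonly used pass-the-hash heuristic (network logon, NTLM package, NtLmSsp logon process, key length 0, non-anonymous account) to a set of constructed 4624-style records, then lists accounts that touched several hosts that way. The host names, account names and IP addresses are invented, and the heuristic is a generic detection idea, not something the report states Sandman triggers.

```python
"""Flag pass-the-hash-style NTLM network logons in Windows 4624 events.

Added example; the events below are constructed, not real telemetry, and the
heuristic is the generic PtH indicator set used in many SIEM rules (an
assumption of this example, not a finding from the Sandman report).
"""
from collections import defaultdict

# Constructed sample events with hypothetical hosts and accounts.
SAMPLE_EVENTS = [
    # Three NTLM network logons by one admin account onto three managerial
    # workstations, each without session-key negotiation (KeyLength 0).
    {"EventID": 4624, "Computer": "WS-MGR-01", "TargetUserName": "svc_admin",
     "TargetDomainName": "CORP", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "IpAddress": "10.0.5.20"},
    {"EventID": 4624, "Computer": "WS-MGR-02", "TargetUserName": "svc_admin",
     "TargetDomainName": "CORP", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "IpAddress": "10.0.5.20"},
    {"EventID": 4624, "Computer": "WS-MGR-03", "TargetUserName": "svc_admin",
     "TargetDomainName": "CORP", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "IpAddress": "10.0.5.20"},
    # Ordinary Kerberos network logon: not flagged.
    {"EventID": 4624, "Computer": "FS-01", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "KeyLength": 0, "IpAddress": "10.0.7.44"},
    # NTLMv2 logon that negotiated a 128-bit session key: not flagged.
    {"EventID": 4624, "Computer": "FS-01", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 128, "IpAddress": "10.0.7.44"},
    # Anonymous NTLM logon (common noise): not flagged.
    {"EventID": 4624, "Computer": "WS-MGR-01", "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "KeyLength": 0, "IpAddress": "10.0.5.20"},
    # Console logon (LogonType 2) with NTLM: not a network logon, not flagged.
    {"EventID": 4624, "Computer": "WS-MGR-02", "TargetUserName": "svc_admin",
     "TargetDomainName": "CORP", "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "User32 ", "KeyLength": 0, "IpAddress": "127.0.0.1"},
]


def is_pth_candidate(ev):
    """Return True when a 4624 record matches the pass-the-hash pattern."""
    return (
        ev.get("EventID") == 4624
        and ev.get("LogonType") == 3                      # network logon
        and ev.get("AuthenticationPackageName", "").upper() == "NTLM"
        and ev.get("LogonProcessName", "").strip().lower() == "ntlmssp"
        and ev.get("KeyLength", -1) == 0                  # no session key negotiated
        and ev.get("TargetUserName", "").upper() != "ANONYMOUS LOGON"
    )


def find_pth_candidates(events):
    """Filter a list of 4624 records down to pass-the-hash candidates."""
    return [ev for ev in events if is_pth_candidate(ev)]


def accounts_spanning_hosts(candidates, min_hosts=2):
    """Map DOMAIN\\user to the sorted hosts it reached via candidate logons.

    Only accounts seen on at least `min_hosts` distinct hosts are returned;
    one account fanning out to several workstations is the lateral-movement
    shape worth a closer look.
    """
    hosts = defaultdict(set)
    for ev in candidates:
        acct = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"
        hosts[acct].add(ev["Computer"])
    return {acct: sorted(h) for acct, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    hits = find_pth_candidates(SAMPLE_EVENTS)
    for ev in hits:
        print(f"PtH candidate: {ev['TargetDomainName']}\\{ev['TargetUserName']} "
              f"-> {ev['Computer']} from {ev['IpAddress']}")
    for acct, reached in accounts_spanning_hosts(hits).items():
        print(f"{acct} reached {len(reached)} hosts via NTLM/KeyLength 0: {reached}")
```

Against real telemetry this rule is a triage filter, not a verdict: NTLM with KeyLength 0 also appears from legacy clients and some appliances, so the hits are worth correlating with who the account normally belongs to, the source IP, and the days-apart cadence the researchers observed.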
“Attributing Sandman remains a mystery,” researchers concluded. “LuaDream stands as a compelling illustration of the continuous innovation and advancement efforts that cyber espionage threat actors pour into their ever-evolving malware arsenal.”