U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

Sandman APT targets telcos with LuaDream backdoor

A previously undocumented APT dubbed Sandman targets telecommunication service providers in the Middle East, Western Europe, and South Asia. A joint research conducted by SentinelLabs and QGroup GmbH revealed that a previously undetected APT group, dubbed Sandman, is targeting telecommunication service providers in the Middle East, Western Europe, and South Asia. The APT group is […]

Sandman LuaDream

LuaDream core components (SentinelOne report)

A previously undocumented APT dubbed Sandman targets telecommunication service providers in the Middle East, Western Europe, and South Asia.

A joint research conducted by SentinelLabs and QGroup GmbH revealed that a previously undetected APT group, dubbed Sandman, is targeting telecommunication service providers in the Middle East, Western Europe, and South Asia.

The APT group is using a modular backdoor, named LuaDream, written in the Lua programming language. LuaDream allows operators to exfiltrate system and user information, paving the way for further targeted attacks.

Sandman LuaDream
LuaDream core components (SentinelOne report)

Sandman has deployed the backdoor utilizing the LuaJIT platform, which is rarely used in the threat landscape. SentinelLabs clarified that LuaJIT is used by the attackers as an attack vector and is used to install additional malware in the target infrastructure.

The attacks are characterized by strategic lateral movements and minimal engagements, likely to minimize the risk of detection.

Threat actors can extend LuaDream’s features by using specific plugins.

The researchers explained that the attacks were detected and interrupted before the deployment of the plugins, however, the analysis of samples of LuaDream previously uploaded on VirusTotal allowed them the analysis of functionalities the plugins. Some of the plugins support command execution capabilities.

The researchers identified a total of 36 distinct LuaDream components, suggesting that we are facing a large-scale project that requires significant effort. The malware supports multiple communication protocols for C2 (Command and Control) operations.

“LuaDream’s staging chain is purposefully crafted to avoid detection and hinder analysis, seamlessly injecting the malware into memory. To achieve this, LuaDream takes advantage of the LuaJIT platform, a just-in-time compiler for the Lua scripting language.” continues the report. “This strategic choice enhances the stealth of malicious Lua script code, making it challenging to detect.”

Sandman is suspected to be a motivated and capable threat actor that carries out cyber espionage activities.

The analysis of compilation timestamps and a string artifact found within LuaDream suggests that the malware dates back to the first half of 2022. The researchers were not able to link LuaDream to any known threat actor, the researchers speculate the threat actor is a private contractor or mercenary group. 

“Attributing Sandman remains a mystery, placing it in the same enigmatic category as Metador and other elusive threat actors who operate with impunity. LuaDream stands as a compelling illustration of the continuous innovation and advancement efforts that cyber espionage threat actors pour into their ever-evolving malware arsenal.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Sandman APT)