A new and mysterious APT group has been spotted targeting telco service providers in Europe and Asia as part of what appears to be a cyberespionage campaign, according to a joint investigation by SentinelLabs and QGroup GmbH.
According to SentinelLabs researcher Aleksandar Milenkoski, the shadowy APT group is using a sophisticated modular backdoor based on Lua, the lightweight cross-platform programming language designed primarily for embedded use in applications.
“Sandman has deployed a novel modular backdoor utilizing the LuaJIT platform, a relatively rare occurrence in the threat landscape,” Milenkoski said, noting that the entire operation is characterized by a cautious and deliberate approach: minimal and strategic movements within infected networks, and a larger goal to minimize detection risk.
The advanced threat actor, tagged as Sandman, has been seen targeting telecommunications providers across the Middle East, Western Europe and the South Asian subcontinent.
During a presentation at the LABScon security conference, Milenkoski explained that the group is using a piece of malware called LuaDream that is capable of exfiltrating system and user information, paving the way for additional precision attacks.
“The implementation of LuaDream indicates a well-executed, maintained, and actively developed project of a considerable scale,” the SentinelLabs researcher said, noting that it is difficult to pin down the identity of the APT group.
“The 36 distinct LuaDream components we identified and the support for multiple protocols for C2 communication indicate a project of a considerable scale. The LuaDream staging chain is designed to evade detection and thwart analysis while deploying the malware directly into memory,” he added.
SentinelLabs has clarified that the LuaDream malware does not backdoor the LuaJIT platform. Instead, LuaJIT is used by the threat actor as a vehicle to deploy backdoors on targeted organizations.
While available data points to a cyberespionage adversary with a strong focus on targeting telcos across diverse geographical regions, Milenkoski said LuaDream cannot be associated with any known threat actor, suggesting it may be the work of a third-party hacker-for-hire vendor.
SentinelLabs researchers also called attention to the use of the Lua programming language, noting that the use of LuaJIT in the context of APT malware is very rare.
In the past, threat hunters have seen highly modular, Lua-utilizing malware associated with high-end APTs like Flame, Animal Farm and Project Sauron, but the Sandman APT discovery suggests the developmental paradigm has trickled down to a broader set of actors, SentinelLabs researchers posited at the conference.
Interestingly, the LuaDream malware has traits linking it to another malware strain named “DreamLand”, as identified by Kaspersky in March 2023 during APT activities against a government entity in Pakistan.
These correlations hint at a possible broader campaign, with Sandman’s activities perhaps dating back as early as 2022, Milenkoski said.