A threat actor tracked as 'Sandman' has recently targeted telecommunication service providers in the Middle East, Western Europe, and South Asia. In these operations, Sandman has reportedly used info-stealing malware called 'LuaDream.'
The threat actor came to light in August 2023, when it was discovered by researchers from SentinelLabs in collaboration with QGroup GmbH. The malware is named after its internal backdoor name, 'DreamLand client.'
To get the most out of its cyberespionage operations, Sandman keeps a low profile to evade detection, moves laterally, and maintains long-term access to compromised networks.
How Does Sandman Operate?
According to SentinelOne, Sandman initially gains illicit access to a corporate network using stolen administrative credentials. It then carries out 'pass-the-hash' attacks, reusing NTLM hashes taken from memory to authenticate to remote servers and services.
LuaDream Malware
Sandman has been using a new modular malware called 'LuaDream' in its attacks, loading it through DLL hijacking on targeted systems. The malware derives its name from LuaJIT, a just-in-time compiler for the Lua scripting language.
The malware collects data and manages plugins that extend its functionality; the plugins are received from C2 servers and executed locally on the compromised system.
LuaDream is staged through a seven-step, in-memory process designed to evade detection. It is initiated by either the Windows Fax or Spooler service, which loads the malicious DLL file.
Reports note that the timestamps of the DLL files used for hijacking are close to the dates of the attacks, indicating that the files are customized for specific intrusions.
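As an added illustration of how a defender might hunt for the loading pattern just described (example code written for this article, not from SentinelLabs or the malware itself; the simplified event layout, the use of the Fax and Spooler host executables as hijack targets, and the seven-day "close timestamp" cutoff are assumptions):

```python
"""Heuristic for the loading pattern described above: a DLL hijacked into
the Windows Fax or Print Spooler service whose build timestamp is close to
the time it is first loaded. Event layout is a simplified image-load record
(an assumption, not a real log export); sample events are constructed."""
from datetime import datetime, timedelta

# Host executables of the Fax and Print Spooler services (standard Windows
# binary names); treating them as the hijack hosts follows the write-up.
SERVICE_HOSTS = {"fxssvc.exe", "spoolsv.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MAX_BUILD_GAP = timedelta(days=7)  # assumed cutoff for "close" timestamps

# Path and signature indicators are strong alone; a fresh build timestamp
# only corroborates, since legitimately patched DLLs are also recent.
WEIGHTS = {"outside_system_dirs": 2, "unsigned": 2, "fresh_build": 1}
ALERT_THRESHOLD = 2

def load_indicators(event):
    """Return the indicators an image-load event triggers; empty when the
    loading process is not one of the watched service hosts."""
    host = event["process"].rsplit("\\", 1)[-1].lower()
    if host not in SERVICE_HOSTS:
        return []
    found = []
    if not event["image"].lower().startswith(TRUSTED_DIRS):
        found.append("outside_system_dirs")
    if not event["signed"]:
        found.append("unsigned")
    gap = event["loaded_at"] - event["compiled_at"]
    if timedelta(0) <= gap <= MAX_BUILD_GAP:
        found.append("fresh_build")
    return found

def alerts(events):
    """Return (image path, indicators) for events at or above the threshold."""
    out = []
    for event in events:
        found = load_indicators(event)
        if sum(WEIGHTS[name] for name in found) >= ALERT_THRESHOLD:
            out.append((event["image"], found))
    return out

# Constructed sample events: a benign spooler load and one matching the pattern.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\spoolsv.exe", "signed": True,
     "image": r"C:\Windows\System32\winspool.drv",
     "compiled_at": datetime(2022, 3, 1), "loaded_at": datetime(2023, 8, 10)},
    {"process": r"C:\Windows\System32\fxssvc.exe", "signed": False,
     "image": r"C:\ProgramData\PLACEHOLDER_hijacked.dll",
     "compiled_at": datetime(2023, 8, 9, 14), "loaded_at": datetime(2023, 8, 10, 9)},
]
```

In practice the same logic would be fed from EDR or Sysmon image-load telemetry, with the signature check coming from the sensor rather than a boolean field.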
Anti-analysis measures in the staging process include:
- Concealing LuaDream's threads from debuggers.
- Closing files with an invalid handle.
- Detecting Wine-based sandbox environments.
- In-memory mapping to evade EDR API hooks and file-based detections.
- Packing staging code with XOR-based encryption and compression.
LuaDream is composed of 34 components—13 core and 21 support—that use the ffi library and the LuaJIT bytecode in addition to the Windows API.
While the support components handle the technical groundwork, including providing Lua libraries and Windows API definitions, the core components manage essential functions such as system and user data collection, plugin control, and C2 communications.
Upon initialization, LuaDream connects to a C2 server (via TCP, HTTPS, WebSocket, or QUIC) and transfers the gathered data, including the malware version, IP/MAC addresses, OS details, and more.
While some of Sandman's custom malware and C2 server infrastructure have been successfully exposed, its origin remains unknown.
Sandman is now listed among sophisticated attackers targeting telecom companies for espionage using secret backdoors that are difficult to detect.