
Sandman Hackers: Threat Actors use LuaDream Info-stealing Malware


Threat actors, known as 'Sandman,' have recently targeted telecommunication service providers located in the Middle East, Western Europe, and South Asia. Apparently, Sandman has used info-stealing software called 'LuaDream' to conduct its operations. 
 
The threat actors came to light in August 2023 when they were discovered by researchers from SentinelLabs in collaboration with QGroup GmbH. The malware has been named after the internal backdoor name 'DreamLand client.' 
 
To maximize its cyberespionage operations, Sandman maintains a low profile to evade detection, performs lateral movement, and maintains long-term access to compromised networks. 
 

How Does Sandman Operate? 

 
According to SentinelOne, Sandman initially gains access to a corporate network using stolen administrative credentials. It then uses 'pass-the-hash' attacks, reusing NTLM hashes retrieved from memory, to authenticate to remote servers and services. 
 

LuaDream Malware 

 
Sandman has been using a new modular malware called 'LuaDream' in its attacks, utilizing DLL hijacking on targeted systems. The malware derives its name from LuaJIT, a just-in-time compiler for the Lua scripting language. 
 
The malware collects data and manages plugins that extend its functionality, which are received from C2 servers and executed locally on the compromised system. 
 
The staging executed by LuaDream includes a seven-step in-memory process designed to evade detection. It is initiated by either the Windows Fax or Spooler service, which runs the malicious DLL file. 
 
Reports note that the timestamps of the DLL files used for hijacking and the times of the attacks are close together, indicating that the files are built for specific intrusions. 
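A defender-side check for the loading step described above, written as an added example (it is not code from SentinelLabs or the original post): it scans Sysmon Event ID 7 (ImageLoad) records and flags DLLs loaded into the Print Spooler or Windows Fax service host that are unsigned, carry a non-Microsoft signature, or live outside System32. The host process names spoolsv.exe and fxssvc.exe, the sample records and the placeholder DLL name are assumptions.

```python
import ntpath

# Constructed Sysmon Event ID 7 (ImageLoad) records; every path, name and
# signer value here is made up for the example. "hijack_placeholder.dll"
# stands in for whatever DLL name an intruder would plant.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\localspl.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\hijack_placeholder.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Windows\System32\fxssvc.exe",
     "ImageLoaded": r"C:\ProgramData\hijack_placeholder.dll",
     "Signed": "true", "Signature": "Some Other Publisher"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\ProgramData\helper.dll",
     "Signed": "false", "Signature": ""},
]

# Service hosts named in the post: Print Spooler and Windows Fax (assumed names).
HOST_SERVICES = {"spoolsv.exe", "fxssvc.exe"}
SYSTEM32 = r"c:\windows\system32"

def suspicious_loads(events):
    """Return (process, dll, reasons) for DLLs loaded into the Spooler or Fax
    service that are unsigned, carry a non-Microsoft signature, or sit
    outside System32. Microsoft-signed System32 loads are dropped."""
    findings = []
    for ev in events:
        proc = ntpath.basename(ev["Image"]).lower()
        if proc not in HOST_SERVICES:
            continue  # only the two service hosts named in the report
        dll = ev["ImageLoaded"]
        reasons = []
        if ev.get("Signed", "false").lower() != "true":
            reasons.append("unsigned")
        elif "microsoft" not in ev.get("Signature", "").lower():
            reasons.append("non-Microsoft signer")
        if ntpath.dirname(dll).lower() != SYSTEM32:
            reasons.append("outside System32")
        if reasons:
            findings.append((proc, dll, reasons))
    return findings

if __name__ == "__main__":
    for proc, dll, reasons in suspicious_loads(SAMPLE_EVENTS):
        print(f"{proc} loaded {dll}: {', '.join(reasons)}")
```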
 

Anti-analysis measures in the staging process include: 

 
- Concealing LuaDream's threads from debuggers. 
- Closing files with an invalid handle. 
- Detecting Wine-based sandbox environments. 
- In-memory mapping to evade EDR API hooks and file-based detections. 
- Packing staging code with XOR-based encryption and compression. 
 
LuaDream is composed of 34 components—13 core and 21 support—that use the ffi library and the LuaJIT bytecode in addition to the Windows API. 
 
While support components handle the technical aspects, including providing Lua libs and Windows API definitions, core components manage essential functions such as system and user data collection, plugin control, and C2 communications. 
 
Upon initialization, LuaDream links to a C2 server (via TCP, HTTPS, WebSocket, or QUIC) and transfers gathered data, including malware versions, IP/MAC addresses, OS details, etc. 
 
While some of Sandman's custom malware and C2 server infrastructure have been successfully exposed, its origin remains unknown. 
 
Sandman is now listed among sophisticated attackers targeting telecom companies for espionage using secret backdoors that are difficult to detect. 
 
 

The Prynt Stealer Malware Includes a Secret Backdoor, Hackers Steal Data from Credentials


Telegram channel used for attacks

Zscaler experts have found a Telegram channel-based backdoor in the info-stealing malware that lets its author secretly receive a copy of the information extracted from the targets. The backdoor is embedded in the code of every variant and derivative copy of these malware strains. 

The backdoor sends copies of the victim data gathered by other hackers to a private Telegram chat monitored by the builder's developers. 

This unpleasant surprise is not new in the cybercrime landscape; other malware has previously been found to contain a secret backdoor. 

What is Prynt Stealer?

Prynt Stealer is an info stealer that was first seen in April. It lets its operators extract credentials from web browsers, FTP/VPN clients, and messaging and gaming apps. 

The malware is based on open-source projects, including AsyncRAT and StormKitty, and it exfiltrates data stolen from victims via a Telegram channel. 

Prynt Stealer can be purchased in the underground market for $100 for a one-month licence or $900 for a lifetime subscription. 

How does the attack work?

The code in Prynt Stealer responsible for sending information to Telegram is taken from StormKitty with a few trivial changes. Experts add that the info stealer does not use the anti-analysis code from either StormKitty or AsyncRAT. 

Instead, it creates a thread that runs a function called processChecker, which continuously monitors the target's process list for analysis tools such as taskmgr, netstat, netmon, and wireshark. 

If any of the monitored processes is found, it blocks the Telegram C2 (command and control) communication channel. 

Zscaler report says:

"The fact that all Prynt Stealer samples encountered by ThreatLabz had the same embedded telegram channel implies that this backdoor channel was deliberately planted by the author. Interestingly, the Prynt Stealer author is not only charging some clients for the malware, but also receiving all of the data that is stolen." 

Leaked copies used for attack

"Note that there are cracked/leaked copies of Prynt Stealer with the same backdoor, which in turn will benefit the malware author even without direct compensation."

The experts also noticed leaked/cracked copies of Prynt Stealer containing the same backdoor, which means the malware author was able to receive stolen data from these copies as well. 

Experts also found two more versions of the info-stealing malware named WorldWind and DarkEye that were written by the same author. 

What is DarkEye?

The experts observed that DarkEye is not advertised or sold openly; instead, it is bundled as a backdoor with a "free" Prynt Stealer builder. Threat actors use this backdoor together with LodaRat and the DarkEye stealer. 

The report concludes: 

"the free availability of source code for numerous malware families has made development easier than ever for less sophisticated threat actors. As a result, there have been many new malware families created over the years that are based on popular open-source malware projects like NjRat, AsyncRAT, and QuasarRAT. The Prynt Stealer author went a step further and added a backdoor to steal from their customers by hardcoding a Telegram token and chat ID into the malware."
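An added triage example (not Zscaler's code or the post's) that covers two points above: the hardcoded Telegram token and chat ID the report describes, and the processChecker list of analysis-tool names. It runs over a constructed strings dump; the token shape "<bot id digits>:<35 token characters>", the placeholder token and chat ID, and the sample strings are assumptions.

```python
import re

# Placeholder values in the shape of a Telegram bot token and chat ID; the
# assumed token shape is "<bot id digits>:<35 token chars>", not a real token.
FAKE_TOKEN = "0" * 10 + ":" + "A" * 35
FAKE_CHAT_ID = "-1001234567890"

# Constructed strings, as if dumped from a sample with a strings tool.
SAMPLE_STRINGS = "\n".join([
    f"https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument",
    f"chat_id={FAKE_CHAT_ID}",
    "taskmgr", "netstat", "netmon", "wireshark",
    "processChecker", "Mozilla/5.0", "kernel32.dll",
])

TELEGRAM_TOKEN = re.compile(
    r"api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
CHAT_ID = re.compile(r"chat_id=(-?\d{6,})\b")
# Process names the post says processChecker watches for.
ANALYSIS_TOOLS = {"taskmgr", "netstat", "netmon", "wireshark"}

def triage(dump):
    """Flag strings that point at a hardcoded Telegram exfiltration channel
    and at process-name based analysis checks; returns a dict of findings."""
    lines = {line.strip().lower() for line in dump.splitlines()}
    tokens = sorted(set(TELEGRAM_TOKEN.findall(dump)))
    chat_ids = sorted(set(CHAT_ID.findall(dump)))
    tools = sorted(ANALYSIS_TOOLS & lines)
    return {
        "telegram_tokens": tokens,
        "chat_ids": chat_ids,
        "analysis_tool_names": tools,
        # A token and a chat ID hardcoded together is the pattern the report describes.
        "hardcoded_telegram_channel": bool(tokens and chat_ids),
        # Two or more of the watched tool names suggests a process-list check.
        "process_name_evasion": len(tools) >= 2,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

A matched token and chat ID identify the exfiltration channel so it can be blocked at the proxy and reported; the same regexes can be run over every cracked or leaked build to confirm the shared backdoor the report mentions.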