New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware
Introduction
A new and mysterious Advanced Persistent Threat (APT) group known as Sandman has recently been identified as targeting telecommunication service providers in Europe and Asia. A joint investigation by SentinelLabs and QGroup GmbH has shed some light on this cyberespionage campaign, revealing the use of a sophisticated modular backdoor based on the Lua programming language.
The Sandman APT Group
The Sandman APT group has taken a cautious and deliberate approach in their operations, minimizing movements within infected networks in order to reduce the risk of detection. They have primarily targeted telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent. The group has deployed a modular backdoor called LuaDream, which is capable of exfiltrating system and user information, enabling them to conduct precision attacks.
Use of LuaJIT
The Sandman APT group’s use of LuaJIT, a just-in-time compiler for the Lua programming language, is a rare occurrence in the threat landscape. LuaJIT is being used as a vehicle to deploy backdoors on targeted organizations, and the implementation of LuaDream indicates that the APT group has executed a well-maintained and actively developed project of considerable scale. The fact that the LuaDream staging chain is designed to evade detection and analysis by deploying malware directly into memory demonstrates the group’s sophistication.
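Because the staging chain described above loads Lua-based components straight into memory, file-based scanning sees little. The following is an added triage example, not code from SentinelLabs, QGroup or the original article: it sweeps a byte buffer (a memory region or process dump a defender already has) for the public LuaJIT and PUC-Lua bytecode headers and for Lua C API symbol names, which indicate an embedded Lua runtime where none is expected. The magic sequences are the documented bytecode headers; the symbol list and the scoring threshold are assumptions for illustration, and the sample buffer is constructed. It is a generic triage heuristic, not a Sandman or LuaDream signature, since the article publishes no indicators.

```python
import re

# Documented bytecode headers: LuaJIT dumps start with ESC 'L' 'J' plus a
# one-byte format version (1 for LuaJIT 2.0, 2 for 2.1); PUC-Lua chunks
# start with ESC 'L' 'u' 'a' plus a version byte (e.g. 0x54 for Lua 5.4).
LUAJIT_MAGIC = b"\x1bLJ"
PUC_LUA_MAGIC = b"\x1bLua"

# Lua C API names that a binary embedding a Lua/LuaJIT runtime typically
# imports or exports. Assumed heuristic list, not a definitive catalogue.
LUA_API_NAMES = (
    b"luaL_loadbuffer",
    b"luaL_loadbufferx",
    b"lua_pcall",
    b"lua_pushcclosure",
    b"luaopen_ffi",       # LuaJIT FFI library, strong sign of LuaJIT specifically
)


def find_lua_bytecode(buf: bytes):
    """Return sorted (offset, kind, version) tuples for bytecode headers in buf."""
    hits = []
    for m in re.finditer(re.escape(LUAJIT_MAGIC), buf):
        off = m.start()
        version = buf[off + 3] if off + 3 < len(buf) else None
        hits.append((off, "luajit", version))
    for m in re.finditer(re.escape(PUC_LUA_MAGIC), buf):
        off = m.start()
        version = buf[off + 4] if off + 4 < len(buf) else None
        hits.append((off, "lua", version))
    return sorted(hits)


def find_lua_api_strings(buf: bytes):
    """Return the subset of LUA_API_NAMES present anywhere in buf, as str."""
    return sorted(name.decode() for name in LUA_API_NAMES if name in buf)


def triage(buf: bytes, min_api_hits: int = 2):
    """Score a memory region: suspicious if it carries a LuaJIT bytecode
    header, or at least min_api_hits Lua API names (assumed threshold)."""
    headers = find_lua_bytecode(buf)
    api = find_lua_api_strings(buf)
    has_luajit = any(kind == "luajit" for _, kind, _ in headers)
    return {
        "bytecode_headers": headers,
        "api_strings": api,
        "suspicious": has_luajit or len(api) >= min_api_hits,
    }


# Constructed sample: a fake image header, two Lua API names, an embedded
# LuaJIT 2.1 bytecode header, padding, then the FFI opener name.
SAMPLE_REGION = (
    b"MZ" + b"\x00" * 30
    + b"luaL_loadbufferx\x00lua_pcall\x00"
    + b"\x1bLJ\x02\x00" + b"\x00" * 8
    + b"luaopen_ffi\x00"
)

if __name__ == "__main__":
    result = triage(SAMPLE_REGION)
    for off, kind, ver in result["bytecode_headers"]:
        print(f"{kind} bytecode header at offset {off}, version {ver}")
    print("Lua API names:", ", ".join(result["api_strings"]))
    print("suspicious:", result["suspicious"])
```

Run this over memory regions from a process that has no legitimate reason to embed a Lua interpreter (a telecom management daemon, for instance) and treat a LuaJIT header or a cluster of Lua API names as a lead for deeper analysis; legitimate software that ships LuaJIT (some game engines, Nginx/OpenResty, certain monitoring agents) will match too, so the result is a triage signal, not a verdict.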
Third-Party Hacker-for-Hire?
Despite extensive research, the identity of the Sandman APT group remains unknown. The lack of association with any known threat actor suggests that they may be a third-party hacker-for-hire vendor. Additionally, the use of the Lua programming language in APT malware is very rare, with previous instances being associated with high-end APTs like Flame, Animal Farm, and Project Sauron. The discovery of the Sandman APT group indicates that this developmental paradigm has now extended to a broader set of actors.
Possible Broader Campaign
Researchers have found correlations between the LuaDream malware used by Sandman and another malware strain named “DreamLand.” This discovery suggests the possibility of a broader campaign, with Sandman’s activities potentially dating back to 2022. These connections were identified by Kaspersky during APT activities against a government entity in Pakistan. Further research is needed to uncover the full extent of Sandman’s operations and any potential connections to other threat actors or campaigns.
Conclusion
The discovery of the Sandman APT group highlights the ongoing threat that cyberespionage poses to telecommunications service providers. The group’s use of the Lua programming language and LuaJIT as a vehicle for deploying backdoors demonstrates their sophistication and adaptability. It is crucial for organizations in the telecommunications industry to enhance their cybersecurity measures and remain vigilant against these advanced threats. Collaborative efforts between security researchers and organizations are key to identifying and mitigating the risks posed by APT groups like Sandman.