New Threat Group: Sandman Targets Telecommunication Companies Across the World With Infostealers – Source: heimdalsecurity.com

A previously unknown threat group known as “Sandman” is making its presence felt. The group uses a modular information-stealing malware called “LuaDream” to target telecommunication service providers in the Middle East, Western Europe, and South Asia.

Sandman: How This New Threat Operates

In order to maximize its cyberespionage operations, Sandman adopts a low profile to avoid discovery, performs lateral movement, and keeps long-term access to compromised networks.

The operator targets telecommunication service providers in the Middle East, Western Europe, and South Asia. Cybersecurity researchers say that the threat actor first gains access to a corporate network by using stolen credentials

As reported by BleepingComputer, after gaining access to the network, Sandman has been observed employing “pass-the-hash” exploits to retrieve and reuse NTLM hashes stored in memory to authenticate to remote servers and services.

It was reported that in one instance, all workstations targeted by the threat actors were assigned to managerial personnel, an indication that the attackers’ interest is in privileged or confidential information.

What We Know About LuaDream

A new modular malware called “LuaDream” that SandMan has been observed using in attacks leveraging DLL hijacking on targeted systems. The LuaJIT just-in-time compiler for the Lua scripting language is how the malware derives its name.

The malware executes locally on the compromised system after receiving plugins from the command and control server (C2) to manage and collect data and enhance its capabilities. LuaDream seems to be still under active development, with a retrieved version string indicating the release number “12.0.2.5.23.29” and the analysts have seen signs of logs and functions going as far back as June 2022.

In order to avoid detection, LuaDream’s staging utilises a complex seven-step in-memory process that is started by either the Windows Fax or Spooler service, which runs the malicious DLL file.

Security researchers report that the timestamps in the DLL files used for order hijacking are very close to the attacks, which might indicate they were custom-created for specific intrusions.

Anti-analysis measures in the staging process include:

• Concealing LuaDream’s threads from debuggers.
• Closing files with an invalid handle.
• Detecting Wine-based sandbox environments.
• In-memory mapping to dodge EDR API hooks and file-based detections.
• Packing staging code with XOR-based encryption and compression.

LuaDream is made up of 34 components—13 core and 21 support—that use the ffi library and the LuaJIT bytecode in addition to the Windows API.

While support components take care of the technical parts, including providing Lua libs and Windows API definitions, core components handle the malware’s essential functions, such as system and user data collecting, plugin control, and C2 communications.

Before initialization, LuaDream connects to a C2 server (via TCP, HTTPS, WebSocket, or QUIC) and sends gathered information, including malware versions, IP/MAC addresses, OS details, etc.

The origin of the threat actor is still unknown, despite parts of Sandman’s proprietary malware and a portion of its C2 server architecture having been made public. Sandman is the latest in a long line of sophisticated hackers who use difficult-to-find stealthy backdoors to target telecom corporations for spying.

If you want to keep up to date with everything we post, don’t forget to follow us on LinkedIn, Twitter, Facebook, and Youtube for more cybersecurity news and topics.