Researchers have spotted a new APT threat actor group called Sandman that surfaced mirage-like in August and has been deploying a novel backdoor built on LuaJIT, a high-performance just-in-time compiler for the Lua programming language.
SentinelOne researchers were tracking the backdoor as “LuaDream” after observing it in attacks on telecommunications companies in the Middle East, Western Europe, and South Asia. Their analysis showed the malware is highly modular, with an array of functions for stealing system and user information, enabling future attacks, and managing attacker-provided plugins that extend the malware’s capabilities.
Telecom companies have long been a popular target for threat actors, especially state-backed ones, because they provide ways to spy on people and conduct broad cyber espionage. Call-data records, mobile subscriber identity data, and metadata from carrier networks can give attackers a very effective way to track individuals and groups of interest.
Sandman’s main malware, LuaDream, contains 34 distinct components and supports multiple protocols for C2, indicating an operation of considerable scale. Thirteen of the components support core functions such as malware initialization, C2 communications, plugin management, and exfiltration of user and system information. The remaining components perform support functions such as implementing Lua libraries and Windows APIs for LuaDream operations.
LuaJIT is typically used in gaming applications and other specialty applications and use cases. Its use in APT malware hints at the possibility of a third-party security vendor being involved in the campaign.
Once the threat actor gains access to a target network, the group first steals administrative credentials and quietly conducts reconnaissance on the compromised network, seeking to break into specifically targeted workstations, especially those assigned to individuals in managerial positions. The next step typically involves Sandman actors deploying the folders and files used to load and execute LuaDream.
LuaDream’s features suggest it is a variant of another malware tool dubbed DreamLand that was observed earlier this year in a campaign targeting a Pakistani government agency. Like LuaDream, that malware was highly modular and used Lua in conjunction with the JIT compiler to execute code in a difficult-to-detect manner. At the time, Kaspersky described the malware as the first instance of an APT actor using Lua since Project Sauron and another older campaign dubbed Animal Farm.