In collaboration with QGroup GmbH, SentinelLabs observed over August 2023 a threat activity cluster targeting the telecommunication sector. The activities have been conducted by a threat actor of unknown origin using a novel modular backdoor based on the LuaJIT platform. SentinelLabs dubbed this threat actor and the backdoor Sandman and LuaDream in reference to what we suspect to be the backdoor’s internal name – DreamLand client.
The activities SentinelLabs observed are characterised by strategic lateral movement to specific targeted workstations and minimal engagement, suggesting a deliberate approach aimed at achieving the set objectives while minimising the risk of detection.
The implementation and architecture of LuaDream suggest a maintained, versioned project under active development. This is a modular, multi-protocol backdoor whose main functionalities are:
- Exfiltrating system and user information, paving the way for further precision attacks;
- Managing attacker-provided plugins that extend LuaDream’s features.
Although the intrusions were detected and interrupted before the threat actor could deploy plugins, SentinelLabs’ analysis of LuaDream staging samples shared on VirusTotal provided a glimpse into what functionalities the plugins may implement, with command execution capabilities being one example.
The 36 distinct LuaDream components SentinelLabs identified and the support for multiple protocols for C2 communication indicate a project of a considerable scale. The LuaDream staging chain is designed to evade detection and thwart analysis while deploying the malware directly into memory. LuaDream’s implementation and staging process leverage the LuaJIT platform, the just-in-time compiler for the Lua scripting language. This is primarily to make malicious Lua script code difficult to detect.
A penchant for telcos
Based on current visibility, accurate clustering remains a challenge. The focused, strategy-driven activities, and the use of complex malware designed to evade detection point to a motivated and capable adversary. The TTPs, victimology, and the characteristics of the deployed malware indicate that it is highly likely this activity has espionage motivations. Communication providers are frequent targets of espionage activity due to the sensitive data they hold.
The activity cluster SentinelLabs observed and examination of C2 netflow data indicate a pronounced focus on targeting telecommunications providers with a broad geographical distribution, including the Middle East, Western Europe, and the South Asian subcontinent.
Compilation timestamps and a string artefact found within LuaDream hint at potential malware development efforts over the first half of 2022, suggesting possible threat actor activity dating back to 2022.
While SentinelLabs cannot associate LuaDream with any known threat actor, the team does not exclude the possibility of a third-party vendor. Typically used as a scripting middleware in gaming as well as other speciality applications and appliances, the use of LuaJIT in the context of APT malware is rare. Highly modular, Lua-utilising malware is also a relatively rare sight, with the Project Sauron cyber-espionage platform being one of the seldom-seen examples.
Based on the described malware characteristics, SentinelLabs assess that it is highly likely that LuaDream is a variant of a new malware strain dubbed DreamLand by Kaspersky – they observed the malware in March 2023 as part of APT activities targeting a government entity in Pakistan. A LuaDream string artefact, C:\project\tenyears\DreamLandClient\Project\cpp\HttpClientLj\testdll.dll, suggests that the threat actor internally refers to LuaDream as the DreamLand client, which could be the inspiration of Kaspersky’s name for the malware.
- SentinelLabs has observed a new threat activity cluster by an unknown threat actor they have dubbed Sandman.
- Sandman has been primarily targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent.
- The activities are characterised by strategic lateral movements and minimal engagements, likely to minimise the risk of detection.
- Sandman has deployed a novel modular backdoor utilising the LuaJIT platform, a relatively rare occurrence in the threat landscape. SentinelLabs refer to this malware as LuaDream.
- The implementation of LuaDream indicates a well-executed, maintained, and actively developed project of a considerable scale.
- At this time, there is no reliable sense of attribution. Available data points to a cyberespionage adversary with a strong focus on targeting telecommunication providers across diverse geographical regions.
- While LuaDream cannot be associated with any known threat actor, we do not exclude the possibility of a third-party vendor.
Attributing Sandman remains a mystery, placing it in the same enigmatic category as Metador and other elusive threat actors who operate with impunity. LuaDream stands as a compelling illustration of the continuous innovation and advancement efforts that cyber espionage threat actors pour into their ever-evolving malware arsenal.
Navigating the shadows of the threat landscape necessitates consistent cooperation and information sharing within the threat intelligence research community. SentinelLabs remains dedicated to this mission and hopes that this publication will serve as a catalyst for further collaborative efforts. We are grateful for the contributions of Luca Palermo from the SentinelOne EMEA IR TAM team, who assisted with the initial investigations and remediation of the threat.