Sandman APT: a mysterious group attacking telecommunications companies with a LuaJIT-based toolkit.

Researchers at SentinelLabs and QGroup GmbH have tracked a new, previously unknown APT, Sandman, targeting communications service providers in Europe and Asia as part of a cyber espionage campaign.

The group is armed with a modular malware called LuaDream, built on the LuaJIT platform, which is relatively rare in the threat landscape. The malware can steal system and user information, opening the way for further targeted attacks.

Sandman's activity was detected in August 2023 and is characterized by a careful, deliberate approach: minimal, strategic movement within infected networks and every effort to reduce the risk of detection, so as to preserve long-term access to compromised systems.

According to SentinelOne, the attacker gains initial access to the corporate network using stolen administrative credentials.

Once inside the network, Sandman used pass-the-hash attacks, extracting NTLM hashes from memory and reusing them to authenticate to remote servers and services.
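The technique described above leaves a trace on both ends: a credential-injection logon on the source workstation and a burst of NTLM network logons on the targets. The following hunt over Windows Security event 4624 records is an added example, not code from the SentinelLabs report; the event records are constructed, the field names follow the 4624 EventData schema, and the fan-out threshold and time window are assumptions to tune per environment.

```python
"""Hunt for pass-the-hash style lateral movement in Windows 4624 logon events.

Added example, not code from the SentinelLabs report: the event records are
constructed, and the thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4624 fields as a SIEM would export them
# after parsing the EventData XML.  Keys use the 4624 EventData element names.
SAMPLE_EVENTS = [
    # Credential injection on the source workstation: a NewCredentials (type 9)
    # logon created by the "seclogo" logon process, which is what hash
    # injection (sekurlsa::pth style) produces.  runas /netonly produces the
    # same record, so this is a lead to correlate, not proof on its own.
    {"time": "2023-08-01T09:00:02", "Computer": "WS-MGMT-07", "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "svc-backup", "TargetDomainName": "CORP",
     "IpAddress": "::1"},
    # The injected hash is then presented over NTLM to several servers from
    # that workstation (10.20.30.41) within a few minutes: a type-3 network
    # logon authenticated by NtLmSsp on each target.
    {"time": "2023-08-01T09:01:10", "Computer": "FS01", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc-backup", "TargetDomainName": "CORP",
     "IpAddress": "10.20.30.41"},
    {"time": "2023-08-01T09:02:45", "Computer": "DC01", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc-backup", "TargetDomainName": "CORP",
     "IpAddress": "10.20.30.41"},
    {"time": "2023-08-01T09:04:03", "Computer": "SQL01", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc-backup", "TargetDomainName": "CORP",
     "IpAddress": "10.20.30.41"},
    {"time": "2023-08-01T09:06:30", "Computer": "MAIL01", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc-backup", "TargetDomainName": "CORP",
     "IpAddress": "10.20.30.41"},
    # Benign noise: a Kerberos network logon (the norm in a domain) and a
    # single NTLM logon by another account to one file server.
    {"time": "2023-08-01T09:03:00", "Computer": "FS01", "LogonType": 3,
     "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "jdoe", "TargetDomainName": "CORP",
     "IpAddress": "10.20.30.55"},
    {"time": "2023-08-01T09:05:00", "Computer": "FS02", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "printsvc", "TargetDomainName": "CORP",
     "IpAddress": "10.20.30.90"},
]


def find_credential_injection(events):
    """Return type-9 logons whose logon process is 'seclogo' (hash-injection lead)."""
    return [e for e in events
            if e["LogonType"] == 9 and e["LogonProcessName"].lower() == "seclogo"]


def find_ntlm_fanout(events, min_targets=3, window=timedelta(minutes=10)):
    """Flag one account reaching >= min_targets distinct hosts over NTLM from one
    source IP inside `window`.  In a Kerberos domain, NTLM network logons fanning
    out from a workstation are the target-side trace of reused hashes.  The
    threshold and window are assumptions, not values from the report."""
    groups = defaultdict(list)
    for e in events:
        if (e["LogonType"] == 3
                and e["AuthenticationPackageName"].upper() == "NTLM"
                and e["TargetUserName"].upper() != "ANONYMOUS LOGON"):
            key = (e["IpAddress"], f'{e["TargetDomainName"]}\\{e["TargetUserName"]}')
            groups[key].append((datetime.fromisoformat(e["time"]), e["Computer"]))

    alerts = []
    for (source, user), logons in groups.items():
        logons.sort()
        # Slide a time window over the sorted logons and alert on the first
        # window that reaches the distinct-host threshold.
        for i, (start, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) >= min_targets:
                alerts.append({"source": source, "user": user,
                               "targets": sorted(hosts),
                               "first_seen": start.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for e in find_credential_injection(SAMPLE_EVENTS):
        print(f'[lead]  {e["Computer"]}: type-9 seclogo logon as {e["TargetUserName"]}')
    for a in find_ntlm_fanout(SAMPLE_EVENTS):
        print(f'[alert] {a["user"]} from {a["source"]} -> {", ".join(a["targets"])}')
```

Correlating the two signals is the point: the type-9 seclogo logon on WS-MGMT-07 at 09:00 and the NTLM fan-out from that workstation's address over the following minutes together make a much stronger case than either alone, since runas /netonly and legacy NTLM-only services each produce one half of the pattern on their own.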

In one of the investigated cases, all of the workstations the attackers took control of belonged to management-level staff, which points to an interest in obtaining sensitive or confidential information.

To this end, Sandman deploys LuaDream on target systems by means of DLL hijacking. The malware got its name from its use of LuaJIT, the just-in-time compiler for the Lua scripting language.

The malware collects data and manages plugins that extend its functionality; the plugins are retrieved from the C2 server and run locally on the compromised system.

Development appears to be ongoing: the recovered version string indicates release "12.0.2.5.23.29", and the earliest entries in the test logs date back to June 2022.

LuaDream is staged through a seven-step, in-memory loading process designed to evade detection; it is initiated by either the Windows Fax service or the Print Spooler service, which loads a malicious DLL.
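One way to hunt for the loader stage described above is to review Sysmon Event ID 7 (image load) records for modules loaded into the Print Spooler (spoolsv.exe) or Fax service (fxssvc.exe) host processes that are not Microsoft-signed. This is an added example, not code from the report: the XML records and the DLL names are constructed placeholders, and the rule that only Microsoft-signed modules belong in these two services is a heuristic assumption (third-party print monitors will need an allow-list).

```python
"""Flag DLLs loaded into the Print Spooler or Fax service host processes that
are not Microsoft-signed, using Sysmon Event ID 7 (ImageLoaded) records.

Added example, not from the report: the XML records are constructed, the DLL
names are placeholders, and the signature check is a heuristic that assumes
these two services should only load Microsoft-signed modules.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Host processes of the two services the report names as LuaDream's loaders.
WATCHED_HOSTS = {"spoolsv.exe", "fxssvc.exe"}


def _record(computer, image, loaded, signed, signature, status, when):
    """Build one constructed Sysmon Event 7 record in the Windows event XML schema."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>7</EventID><Computer>{computer}</Computer></System>
  <EventData>
    <Data Name="UtcTime">{when}</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="ImageLoaded">{loaded}</Data>
    <Data Name="Signed">{signed}</Data>
    <Data Name="Signature">{signature}</Data>
    <Data Name="SignatureStatus">{status}</Data>
  </EventData>
</Event>"""


# Constructed records: a legitimate spooler module, an unsigned DLL loaded by
# the spooler from System32 (a placeholder name, not a real IOC), the same
# placeholder loaded by the Fax service, and an unsigned load by a process
# outside the watch list that should be ignored.
SAMPLE_RECORDS = [
    _record("WS-MGMT-07", r"C:\Windows\System32\spoolsv.exe",
            r"C:\Windows\System32\localspl.dll", "true", "Microsoft Windows",
            "Valid", "2023-08-01 09:10:00.101"),
    _record("WS-MGMT-07", r"C:\Windows\System32\spoolsv.exe",
            r"C:\Windows\System32\sample_hijack.dll", "false", "",
            "Unavailable", "2023-08-01 09:10:00.250"),
    _record("FS01", r"C:\Windows\System32\fxssvc.exe",
            r"C:\Windows\System32\sample_hijack.dll", "false", "",
            "Unavailable", "2023-08-01 09:12:31.004"),
    _record("FS01", r"C:\Windows\System32\notepad.exe",
            r"C:\Users\jdoe\AppData\Local\Temp\plugin.dll", "false", "",
            "Unavailable", "2023-08-01 09:13:00.000"),
]


def parse_event(xml_text):
    """Flatten one Windows event XML record into a dict of its EventData fields."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    fields["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    return fields


def is_microsoft_signed(ev):
    """True only for a validly signed module whose signer is Microsoft."""
    return (ev.get("Signed", "").lower() == "true"
            and ev.get("SignatureStatus") == "Valid"
            and ev.get("Signature", "").startswith("Microsoft"))


def suspicious_service_loads(records):
    """Return image loads into the watched service hosts that fail the signer check."""
    hits = []
    for ev in map(parse_event, records):
        if ev["EventID"] != "7":
            continue
        host = PureWindowsPath(ev["Image"]).name.lower()
        if host in WATCHED_HOSTS and not is_microsoft_signed(ev):
            hits.append({"computer": ev["Computer"], "host": host,
                         "dll": ev["ImageLoaded"], "time": ev["UtcTime"]})
    return hits


if __name__ == "__main__":
    for h in suspicious_service_loads(SAMPLE_RECORDS):
        print(f'{h["time"]} {h["computer"]}: {h["host"]} loaded {h["dll"]}')
```

Note that the path of the loaded DLL is deliberately not used as a signal: an attacker holding administrative credentials can drop the hijack DLL straight into System32, so a rule keyed on "unusual directory" would miss exactly the case the report describes.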

LuaDream consists of 34 components: 13 core components and 21 support components, implemented as LuaJIT bytecode that reaches the Windows API through LuaJIT's ffi library.

The core components implement the malware's main functions, such as collecting system and user data, managing plugins, and communicating with the C2 server, while the support components provide the underlying plumbing: Lua libraries and Windows API definitions.
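A first triage step for files suspected of carrying LuaDream components, given the two paragraphs above, is to look for embedded LuaJIT bytecode: the bytecode dump header records the LuaJIT version, whether debug information was stripped, and whether the chunk uses the FFI, which is the flag a practitioner would expect on components that call the Windows API through ffi. The scanner below is an added example, not code from the report or from the malware; the header layout follows LuaJIT's public lj_bcdump.h format (ESC 'L' 'J', version byte, flags as uleb128, then an optional chunk name when not stripped), and the sample blob and chunk name are constructed.

```python
"""Find LuaJIT bytecode chunks embedded in a binary blob and read their headers.

Added example, not from the report.  Header layout follows LuaJIT's lj_bcdump.h:
ESC 'L' 'J' <version byte> <flags uleb128> [<namelen uleb128> <chunkname>],
the name part present only when the chunk is not stripped.  The sample blob
and the chunk name are constructed.
"""
MAGIC = b"\x1bLJ"
KNOWN_VERSIONS = {1: "LuaJIT 2.0", 2: "LuaJIT 2.1"}
F_BE, F_STRIP, F_FFI = 0x01, 0x02, 0x04   # bcdump header flag bits


def read_uleb128(buf, pos):
    """Decode an unsigned LEB128 integer at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7


def parse_header(buf, pos):
    """Parse one bcdump header starting at the ESC byte.  Returns None when the
    bytes are not a plausible header, so stray ESC-L-J runs are skipped."""
    if buf[pos:pos + 3] != MAGIC or pos + 4 >= len(buf):
        return None
    version = buf[pos + 3]
    if version not in KNOWN_VERSIONS:
        return None
    flags, p = read_uleb128(buf, pos + 4)
    name = None
    if not flags & F_STRIP:
        namelen, p = read_uleb128(buf, p)
        name = buf[p:p + namelen].decode("utf-8", "replace")
    return {"offset": pos, "version": KNOWN_VERSIONS[version],
            "stripped": bool(flags & F_STRIP), "uses_ffi": bool(flags & F_FFI),
            "big_endian": bool(flags & F_BE), "chunkname": name}


def scan(blob):
    """Return the parsed header of every LuaJIT bytecode chunk found in blob."""
    found, pos = [], blob.find(MAGIC)
    while pos != -1:
        hdr = parse_header(blob, pos)
        if hdr:
            found.append(hdr)
        pos = blob.find(MAGIC, pos + 1)
    return found


def _uleb(n):
    """Encode an unsigned integer as LEB128 (used only to build the sample)."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


# Constructed blob: a fake file prefix, an unstripped 2.1 chunk that uses the
# FFI, a decoy ESC-L-J run with an impossible version byte, and a stripped
# 2.1 chunk that also uses the FFI.  The chunk name is a placeholder.
NAME = b"@plugin/collect.lua"
SAMPLE_BLOB = (b"MZ" + b"\x00" * 40
               + MAGIC + bytes([2]) + _uleb(F_FFI) + _uleb(len(NAME)) + NAME + b"\x10" * 16
               + b"\x1bLJ\x7f\x00"
               + MAGIC + bytes([2]) + _uleb(F_STRIP | F_FFI) + b"\x20" * 8)


if __name__ == "__main__":
    for h in scan(SAMPLE_BLOB):
        print(f'offset {h["offset"]:#06x}: {h["version"]}, '
              f'stripped={h["stripped"]}, ffi={h["uses_ffi"]}, name={h["chunkname"]}')
```

Only the header is parsed here; the prototypes that follow it need a full bytecode decoder (luajit -bl or a disassembler) to recover. A chunk that is both stripped and FFI-enabled is the combination to expect from a deployed component: no debug names to help the analyst, but Windows API access through ffi.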

After initialization, LuaDream connects to the C2 server (over TCP, HTTPS, WebSocket, or QUIC) and sends the collected information, including the malware version, IP and MAC addresses, and OS details.

Since the attackers deploy plugins through LuaDream selectively for each intrusion, SentinelLabs does not have an exhaustive list of all available plugins.

Although some of Sandman's custom malware and part of its C2 infrastructure have been exposed, the origin of the attacker remains unclear.