Telecom networks have become a testing ground for Sandman hackers and the LuaDream infostealer

Previously unknown hackers have developed a stealthy infostealer that gives them complete freedom of action.

A new hacker group, Sandman, attacks telecommunications providers in the Middle East, Western Europe, and South Asia, using modular information-stealing malware called LuaDream.

Sandman's malicious activity was discovered by SentinelLabs specialists in cooperation with QGroup GmbH in August 2023. The researchers named the threat actor and the malware after the malware's internal name, "DreamLand Client".

Geography of Sandman attacks

Sandman keeps a low profile to avoid detection, moving laterally only to selected systems and maintaining long-term access to them in order to get the most out of its cyber-espionage operations.

SentinelOne reports that Sandman first gains access to the corporate network using stolen administrator credentials. Once inside, Sandman uses pass-the-hash attacks to authenticate to remote servers without needing the plaintext password.
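The pass-the-hash step is where defenders usually get their best detection opportunity, because the technique leaves a recognisable trail in Windows Security event 4624. The following is an added example, not code from the SentinelLabs report or from Sandman's own tooling. It runs two common checks over constructed, parsed 4624 records: on the foothold host, a NewCredentials logon (LogonType 9) created through the seclogo logon process with the Negotiate package, which is how hash injection with Mimikatz-style tooling shows up; and on the targets, NTLM network logons (LogonType 3) for one account from one source address fanning out to several hosts in a short window. The field names and sample events are constructed for the example.

```python
"""Flag pass-the-hash style logons in Windows Security 4624 events.

Added example, not SentinelLabs or Sandman tooling. The records below are
constructed samples shaped like parsed 4624 (successful logon) events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). "host" is the machine that
# recorded the event; "src_ip" is the source address of a network logon.
SAMPLE_EVENTS = [
    # Ordinary interactive logon on a workstation.
    {"ts": "2023-08-01T09:00:00", "host": "WS01", "id": 4624, "logon_type": 2,
     "auth_pkg": "Kerberos", "logon_proc": "User32", "user": "alice", "src_ip": "-"},
    # Stolen hash injected into a new logon session on the foothold host
    # (LogonType 9 = NewCredentials, logon process seclogo, package Negotiate).
    {"ts": "2023-08-01T10:00:00", "host": "WS01", "id": 4624, "logon_type": 9,
     "auth_pkg": "Negotiate", "logon_proc": "seclogo", "user": "admin", "src_ip": "::1"},
    # NTLM network logons fanning out to several servers from the same source.
    {"ts": "2023-08-01T10:01:10", "host": "SRV01", "id": 4624, "logon_type": 3,
     "auth_pkg": "NTLM", "logon_proc": "NtLmSsp", "user": "admin", "src_ip": "10.0.0.5"},
    {"ts": "2023-08-01T10:02:40", "host": "SRV02", "id": 4624, "logon_type": 3,
     "auth_pkg": "NTLM", "logon_proc": "NtLmSsp", "user": "admin", "src_ip": "10.0.0.5"},
    {"ts": "2023-08-01T10:04:05", "host": "SRV03", "id": 4624, "logon_type": 3,
     "auth_pkg": "NTLM", "logon_proc": "NtLmSsp", "user": "admin", "src_ip": "10.0.0.5"},
    # A single benign NTLM logon and a machine-account logon: neither is flagged.
    {"ts": "2023-08-01T10:03:00", "host": "SRV01", "id": 4624, "logon_type": 3,
     "auth_pkg": "NTLM", "logon_proc": "NtLmSsp", "user": "bob", "src_ip": "10.0.0.9"},
    {"ts": "2023-08-01T10:03:30", "host": "SRV02", "id": 4624, "logon_type": 3,
     "auth_pkg": "NTLM", "logon_proc": "NtLmSsp", "user": "WS02$", "src_ip": "10.0.0.7"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_pth_source(events):
    """Hash injection on the source host: 4624 with LogonType 9 (NewCredentials),
    logon process seclogo and the Negotiate package. Legitimate 'runas /netonly'
    looks similar, so treat this as a high-value lead rather than proof."""
    return [e for e in events
            if e["id"] == 4624 and e["logon_type"] == 9
            and e["logon_proc"].lower() == "seclogo"
            and e["auth_pkg"] == "Negotiate"]


def detect_ntlm_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Lateral movement with the injected hash: NTLM network logons (LogonType 3)
    for one (source IP, account) pair reaching min_hosts distinct hosts within
    'window'. Machine accounts and anonymous logons are excluded because they
    produce NTLM network logons routinely."""
    candidates = [e for e in events
                  if e["id"] == 4624 and e["logon_type"] == 3
                  and e["auth_pkg"] == "NTLM"
                  and not e["user"].endswith("$")
                  and e["user"].upper() != "ANONYMOUS LOGON"]
    groups = defaultdict(list)
    for e in candidates:
        groups[(e["src_ip"], e["user"])].append(e)

    hits = {}
    for key, evs in groups.items():
        evs.sort(key=_ts)
        best = set()
        # Slide a window starting at each event; keep the largest host set seen.
        for i, start in enumerate(evs):
            t0 = _ts(start)
            hosts = {e["host"] for e in evs[i:] if _ts(e) - t0 <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            hits[key] = sorted(best)
    return hits


if __name__ == "__main__":
    for e in detect_pth_source(SAMPLE_EVENTS):
        print(f"[seclogo NewCredentials] {e['host']} user={e['user']} at {e['ts']}")
    for (src, user), hosts in detect_ntlm_fanout(SAMPLE_EVENTS).items():
        print(f"[NTLM fan-out] {user} from {src} -> {', '.join(hosts)}")
```

The thresholds (ten minutes, three hosts) are starting points to be tuned against a baseline; in environments where NTLM is still common for service traffic, the seclogo/NewCredentials indicator on the source host is the more reliable of the two, and the fan-out check is best used to pick the targets to examine next.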

According to SentinelLabs, all the workstations targeted by the hackers belonged to senior staff, which indicates that the attackers are after privileged or confidential information. The malware is under active development, and analysts have seen signs of staging and testing dating back to June 2022.

LuaDream is a modular malware platform for cyber-espionage operations. Its key features are:
  1. Modular structure: LuaDream is designed so that functional modules can be added and removed easily. This lets the attackers tailor the malware to a specific purpose or task.
  2. Use of LuaJIT: LuaDream is built on LuaJIT, a just-in-time compiler for the Lua programming language, which gives the malware both performance and flexibility, since new functionality can be shipped as Lua code rather than as a recompiled binary.
  3. Advanced loading process: LuaDream uses a complex seven-stage in-memory loading process designed to evade security products.
  4. Anti-analysis: LuaDream includes anti-analysis measures such as hiding its threads from debuggers, detecting the Wine emulation environment, and XOR-encrypting its packed code.
  5. Multiple components: LuaDream consists of 34 components, 13 core and 21 auxiliary. They provide a range of functions, from data collection to plugin management and communication with the command-and-control server.
  6. Communication with the command-and-control server: after initialization, LuaDream contacts its command-and-control (C2) server over one of several protocols (TCP, HTTPS, WebSocket, or QUIC) and transmits the collected information.
  7. Attack-specific plugins: the attackers can deploy specific plugins through LuaDream in each attack. For example, the "cmd" plugin provides the ability to execute commands on an infected device.

Such capabilities make LuaDream a powerful tool for cyber espionage, allowing the attackers to adapt to different situations and efficiently collect valuable information. Although some of Sandman's malware and infrastructure have now been exposed, the origin of the group remains unknown.

Earlier, we wrote that two new types of malware, HTTPSnoop and PipeSnoop, were used in cyber attacks on telecommunications companies in the Middle East. According to a report from Cisco Talos, the malware belongs to the same threat actor, named ShroudedSnooper, and serves different operational purposes.
 
Top