Telecom companies are facing a new and sophisticated threat called “Sandman,” a group that emerged mysteriously in August and has been using a unique type of backdoor known as LuaDream. This backdoor utilizes LuaJIT, a high-performance compiler for the Lua programming language. Researchers at SentinelOne have been monitoring Sandman’s activities and have observed attacks on telecommunications companies in the Middle East, Western Europe, and South Asia.
The analysis conducted by SentinelOne revealed that the LuaDream malware is highly modular, equipped with various functions designed to steal system and user information, facilitate future attacks, and manage additional plugins provided by the attacker. However, the origin of this group remains unknown, and there is no reliable sense of attribution at this time. Nevertheless, the available data suggests that Sandman is a cyber-espionage adversary with a particular interest in targeting telecommunication providers across different geographical regions.
It is not surprising that telecom companies are attractive targets for threat actors, particularly state-backed ones. These companies provide ample opportunities for spying on individuals and conducting widespread cyber espionage. By accessing call-data records, mobile subscriber identity data, and metadata from carrier networks, attackers can effectively track specific individuals or groups of interest. In the past, groups conducting these attacks have often been associated with countries like China, Iran, and Turkey.
More recently, the growing use of phones for two-factor authentication has added another incentive for attackers to target telecom companies. By compromising carrier networks, threat actors can conduct SIM-swapping on a large scale, where they gain control of someone else’s phone number and use it for unauthorized purposes.
The LuaDream malware employed by Sandman consists of 34 distinct components and supports multiple protocols for command-and-control operations, indicating a significant and well-coordinated operation. Thirteen of these components are responsible for core functions such as initializing the malware, communicating with the command-and-control server, managing plugins, and exfiltrating user and system information. The remaining components provide supporting functions, such as implementing the Lua libraries and Windows API bindings that LuaDream relies on.
One interesting aspect of this malware is its use of LuaJIT, a just-in-time compiler more commonly seen in game development and other specialized use cases than in malware. Highly modular Lua-based malware has rarely been observed in the wild, the Project Sauron cyber-espionage platform being one of the few examples, and its appearance here suggests the involvement of a third-party security vendor in the campaign. This raises questions about the origin and potential motivations of Sandman.
Once Sandman gains access to a target network, its main objective is to remain undetected and inconspicuous. The group initially focuses on stealing administrative credentials and on reconnaissance to identify workstations of interest, particularly those assigned to high-ranking individuals. SentinelOne researchers observed that, to minimize the risk of detection, Sandman maintained an average five-day gap between endpoint break-ins. Subsequently, Sandman actors deploy the folders and files used to load and execute LuaDream.
The features exhibited by LuaDream indicate that it may be a variant of another malware tool called DreamLand, which was previously observed by Kaspersky in a campaign targeting a Pakistani government agency. Similar to LuaDream, DreamLand is highly modular and utilizes Lua in conjunction with the JIT compiler to execute code in a stealthy manner. Kaspersky referred to DreamLand as the first instance of an APT actor using Lua since Project Sauron and another older campaign called Animal Farm.
In conclusion, telecom companies face yet another sophisticated threat in the form of Sandman. The group’s use of the LuaDream backdoor, combined with its targeted attacks on telecommunication providers, highlights the need for increased vigilance and robust security measures within the industry. By staying informed about evolving threat landscapes and implementing effective cybersecurity strategies, these companies can better protect their data and networks from malicious actors like Sandman.