A previously unknown threat actor named 'Sandman' targets telecommunications service providers in the Middle East, Western Europe and South Asia, using information-stealing malware. module named 'LuaDream'.
This malicious activity was discovered by SentinelLabs in collaboration with QGroup GmbH in August 2023. They named the threat actor and malware after the backdoor's internal name 'DreamLand client'.
Sandman's operating style is to remain hidden to avoid detection while performing lateral movement and maintaining sustained access to breached systems to maximize his cyber espionage activities.
Popular target
The Sandman threat actor targets telecommunications service providers in the Middle East, Western Europe, and South Asia subcontinents.

SentinelOne said the threat actor first gained access to the corporate network using stolen administrative credentials.

After the network was compromised, Sandman was seen using "pass-the-hash" attacks to authenticate with remote servers and services by extracting and reusing stored NTLM hashes stored in memory.

The SentinelLabs report explains that, in one case, all of the workstations targeted by hackers were assigned to administrative staff, suggesting the attacker was interested in privileged or confidential information.
LuaDream malware
SandMan was seen deploying a new modular malware named 'LuaDream' in attacks using DLL hijacking on target systems. The malware gets its name from its use of the LuaJIT just-in-time compiler for the Lua scripting language

The malware is used to collect data and manage plugins that extend its functionality, which are received from the command and control (C2) server and executed locally on the compromised system.

The malware's development appears to be active, with the version string retrieved indicating the release number "12.0.2.5.23.29" and analysts seeing signs of logs and functionality. Testing capability from June 2022.

LuaDream's staging process is based on a complex seven-step in-memory process to avoid detection, initiated by the Windows Fax or Spooler service, which runs a malicious DLL file.
SentinelLabs reports that the timestamps in the DLL files used for command hijacking are very close to those of the attacks, which may indicate they were custom-built for specific intrusions.

Anti-analysis measures during staging include:

Hide LuaDream threads from the debugger.
Close file with an invalid handle.
Detect Wine-based sandbox environments.
In-memory mapping to avoid EDR API hooks and file-based detection.
Encapsulate staging code with XOR-based encryption and compression.
LuaDream consists of 34 components, with 13 core components and 21 support components, using LuaJIT bytecode and Windows API through the ffi library.

The core components handle the main functions of the malware, such as user and system data collection, plugin control, and C2 communication, while the support components handle the technical aspects , like providing Lua libs and Windows API definitions.

After initialization, LuaDream connects to the C2 server (via TCP, HTTPS, WebSocket or QUIC) and sends collected information, including malware versions, IP/MAC addresses, system details executive, etc.

Because attackers deploy specific plugins through LuaDream in each attack, SentinelLabs does not have a complete list of all available plugins.

However, the report notes a module named 'cmd', whose name suggests that it gives attackers the ability to execute commands on the compromised device.

Although some of Sandman's custom malware and parts of its C2 server infrastructure have been exposed, the origin of the threat actor remains unanswered.

Sandman joins a growing list of advanced attackers targeting telecommunications companies for espionage, using unique stealth backdoors that are difficult to detect and stop.

Telecommunications service providers are frequent targets of espionage activities due to the sensitive nature of the data they manage.

Earlier this week, we reported on a new group of operations tracked as 'ShroudedSnooper' using two new backdoors, HTTPSnoop and PipeSnoop, against telecom carriers in the Middle East.