Sandman APT: Mysterious Threat Targeting Telcos with LuaJIT Toolkit

Sandman, a mysterious APT group of unknown origin, strategically targets telecommunication providers in the Middle East, Western Europe, and South Asia.

10-Jan-2024
5 min read

Sandman APT has emerged as a mysterious actor targeting telecommunication providers. This threat research examines its tactics in depth, concentrating on the LuaJIT toolkit and the LuaDream modular backdoor.

Sandman's Strategic Approach

Sandman, a threat actor of unknown origin, strategically targets telecommunication providers in the Middle East, Western Europe, and South Asia. Characterized by deliberate lateral movement and minimal interaction with compromised hosts, Sandman pursues its objectives while evading detection.

LuaJIT Toolkit Adoption

Sandman's novel modular backdoor, LuaDream, stands out for utilizing the LuaJIT platform—a rare occurrence in the threat landscape. The LuaDream implementation reflects a well-executed, actively developed project of considerable scale.

LuaDream: A Deep Dive

Architecture and Development Style

LuaDream, a multi-protocol backdoor, is built to manage attacker-provided plugins and to exfiltrate system and user information. Its architecture, consisting of 34 components, indicates a project of substantial scale.

Code Comment Insight

Intriguingly, a code comment in LuaDream's main_proto_WinHttpServer component hints at potential Chinese origin, adding a layer of complexity to Sandman's attribution.

[Figure: Lua source comment in the main_proto_WinHttpServer component; the Chinese comment translates to "returned handle"]

Intricate Staging Process

LuaDream's staging process involves seven main stages conducted entirely in memory, an intricate design focused on evading detection. Anti-analysis measures include thread hiding and sandbox detection.

DLL Timestamp Analysis

Analysis of the DLL timestamps, while acknowledging that they could have been manipulated, suggests the components were built shortly before the intrusion date, indicating meticulous planning.

Sandman's Espionage Motivations

The targeted approach, advanced techniques, and victimology suggest Sandman's likely espionage motivations. Telecommunication providers, holding sensitive data, become prime targets in this landscape.

Network Infrastructure Evolution

Sandman's network infrastructure evolution from ssl.explorecell[.]com to mode.encagil[.]com reflects an intentional shift to cloud-based reverse proxy infrastructure, enhancing operational security.

- ssl.explorecell[.]com to mode.encagil[.]com
- Utilization of cloud-based reverse proxy for enhanced security

Sandman vs. STORM-0866/Red Dev 40

Shared Infrastructure Practices

Sandman shares infrastructure control and management practices with the STORM-0866/Red Dev 40 APT cluster, emphasizing cooperation and coordination among China-based threat groups.

Domain Certificate Overlaps

Analysis reveals SSL certificate overlaps between Sandman's LuaDream C2 domain and STORM-0866/Red Dev 40's dan.det-ploshadka[.]com, highlighting potential collaboration or shared resources.

- SSL certificate overlaps: ssl.explorecell[.]com and dan.det-ploshadka[.]com
- Shared domain certificates indicating potential collaboration

LuaDream and KEYPLUG Collaboration

Shared Development Practices

While LuaDream and KEYPLUG are distinct, they exhibit indicators of shared development practices, including infrastructure control, design overlaps, and functionalities. This suggests a cohesive approach by their operators.

Modular Design and Functionality Overlaps

The modular design and functionality overlaps between LuaDream and KEYPLUG further emphasize shared requirements by the threat actors, showcasing the evolving nature of China-based threat landscapes.

- Modular design similarities between LuaDream and KEYPLUG
- Overlapping functionalities indicating shared requirements

Lua-Based APT Landscape Evolution

Historically associated with Western actors, the Lua development paradigm is now embraced by a broader set of cyberespionage threat actors. Sandman's use of LuaDream signifies a shift in development preferences for its modularity, portability, and simplicity.

Sandman's Targeted Activities

Victimology and Activities

Sandman's targeted activities, observed primarily in the telecommunication sector, demonstrate a meticulous focus on specific workstations. The threat actor exhibits a deliberate approach, limiting actions to minimize detection risks.

Implementation Timeline

Compilation timestamps and artifacts within LuaDream hint at development efforts dating back to 2022, suggesting a persistent threat actor engaging in espionage activities over time.

- Compilation timestamps hinting at development since 2022
- Persistent threat actor engagement in espionage activities

Infiltration Techniques

Sandman employs sophisticated infiltration techniques, including stealing administrative credentials and utilizing the pass-the-hash technique over the NTLM authentication protocol. Strategic patience is evident in waiting for system boot services to load malicious components.

DLL Hijacking Technique

The DLL hijacking technique, with a malicious ualapi.dll masquerading as a legitimate component, showcases Sandman's methodical approach: LuaDream is executed without a service restart, which lowers the chance of detection.

- Strategic patience in waiting for system boot services
- DLL hijacking technique for discreet LuaDream execution
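As an added example (not code from the original report or from the Sandman toolset), the following Python runs two defender-side heuristics over constructed Windows event records: NTLM network-logon fan-out, the pattern a pass-the-hash lateral movement leaves on target hosts, and Sysmon image-load checks for a ualapi.dll that is unsigned or loaded from outside System32. Field names follow the Security event 4624 and Sysmon event 7 schemas; the loading process name, the fan-out threshold and the record format are assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry): Security 4624 network logons and one Sysmon event 7 load.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "TargetUserName": "svc_admin",
     "IpAddress": "10.0.0.5", "Computer": "host1"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "TargetUserName": "svc_admin",
     "IpAddress": "10.0.0.5", "Computer": "host2"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "TargetUserName": "svc_admin",
     "IpAddress": "10.0.0.5", "Computer": "host3"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "TargetUserName": "alice",
     "IpAddress": "10.0.0.9", "Computer": "host1"},
    # The loading process is a constructed placeholder; the page names only the DLL.
    {"EventID": 7, "Image": r"C:\Windows\System32\boot_service.exe",
     "ImageLoaded": r"C:\Windows\System32\ualapi.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

def ntlm_network_logons(events):
    # Security 4624, logon type 3, NTLM via NtLmSsp: the shape a pass-the-hash
    # logon leaves on the target host (a legitimate NTLM logon looks the same).
    return [e for e in events
            if e.get("EventID") == 4624 and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "NTLM"
            and e.get("LogonProcessName") == "NtLmSsp"]

def pth_fanout(events, min_hosts=3):
    # One (source IP, account) pair reaching min_hosts distinct hosts over NTLM
    # is the lateral-movement pattern worth triaging, not a single logon.
    hosts = defaultdict(set)
    for e in ntlm_network_logons(events):
        hosts[(e["IpAddress"], e["TargetUserName"])].add(e["Computer"])
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}

def suspicious_ualapi_loads(events):
    # Sysmon event 7 loads of ualapi.dll that are unsigned or come from outside
    # System32: a planted copy of this DLL is the hijack described above.
    hits = []
    for e in (x for x in events if x.get("EventID") == 7):
        loaded = PureWindowsPath(e.get("ImageLoaded", ""))
        in_system32 = str(loaded.parent).lower() == r"c:\windows\system32"
        signed = str(e.get("Signed", "false")).lower() == "true"
        if loaded.name.lower() == "ualapi.dll" and not (signed and in_system32):
            hits.append((e.get("Image"), str(loaded)))
    return hits
```

A single NTLM logon is normal; the fan-out and the unsigned or misplaced DLL are the signals to investigate.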

LuaDream Staging Process

The LuaDream staging process, executed fully in memory, involves intricate steps to evade detection. The use of LuaJIT as a just-in-time compiler enhances the difficulty of detecting malicious Lua script code.

- LuaDream staging fully in memory for evasion
- LuaJIT usage for obfuscation and detection evasion

Communication Protocols

LuaDream and KEYPLUG, both highly modular, implement support for HTTP, TCP, WebSocket, and QUIC protocols for C2 communication. The adoption of QUIC and WebSocket together is a rare feature, possibly reflecting shared functional requirements.

- Adoption of QUIC and WebSocket for C2 communication
- Shared functional requirements in LuaDream and KEYPLUG
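To illustrate both the Network Infrastructure Evolution section and the Communication Protocols section above, here is an added Python example (not code from the original report) that sweeps constructed egress log lines for the defanged C2 domains the page names, re-fangs them for matching, and tags each hit with the channel it used (HTTP, WebSocket, QUIC or raw TCP). The log format, the ALPN and upgrade attributes, and the sample lines are assumptions.

```python
import re
# C2 domains named on this page, kept in the defanged form in which they were published.
PAGE_IOCS = ["ssl.explorecell[.]com", "mode.encagil[.]com", "dan.det-ploshadka[.]com"]
# Constructed egress log (not real telemetry): timestamp src_ip dest_host dest_port transport k=v...
SAMPLE_LOG = """\
2024-01-09T10:00:01Z 10.0.0.5 ssl.explorecell.com 443 tcp alpn=http/1.1
2024-01-09T10:00:02Z 10.0.0.5 mode.encagil.com 443 udp alpn=h3
2024-01-09T10:00:03Z 10.0.0.7 mode.encagil.com 443 tcp upgrade=websocket
2024-01-09T10:00:04Z 10.0.0.8 www.example.com 443 tcp alpn=h2
2024-01-09T10:00:05Z 10.0.0.9 api.DAN.det-ploshadka.com 8443 tcp alpn=http/1.1
"""

def refang(ioc):
    # Published indicators are defanged ("[.]", "hxxp"); normalise before matching live logs.
    return re.sub(r"\[\.\]|\(\.\)", ".", ioc.strip().lower()).replace("hxxp", "http")

def host_matches(host, iocs):
    # Exact match or any subdomain of a listed domain, case-insensitive.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in map(refang, iocs))

def classify_protocol(port, transport, attrs):
    # QUIC rides UDP/443 (ALPN h3); WebSocket is an HTTP upgrade; plain HTTP by ALPN; else raw TCP.
    if transport == "udp" and (port == 443 or attrs.get("alpn") == "h3"):
        return "quic"
    if attrs.get("upgrade", "").lower() == "websocket":
        return "websocket"
    if attrs.get("alpn") in ("http/1.1", "h2"):
        return "http"
    return "tcp"

def sweep(log_text, iocs):
    # (src_ip, dest_host, protocol) for every line that reaches a listed domain.
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, src, host, port, transport, *kv = parts
        attrs = dict(p.split("=", 1) for p in kv if "=" in p)
        if host_matches(host, iocs):
            hits.append((src, host.lower(), classify_protocol(int(port), transport, attrs)))
    return hits

def protocol_profile(hits):
    # Channels seen per C2 host; QUIC plus WebSocket on one host is the pairing this page singles out.
    hosts = {h for _s, h, _p in hits}
    return {h: sorted({p for _s, hh, p in hits if hh == h}) for h in hosts}
```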

Conclusion

In the evolving landscape of cyber threats, Sandman APT exemplifies the intricate nature of China-based threat clusters. The collaboration with STORM-0866/Red Dev 40, shared development practices, and the adoption of LuaDream underscore the complexity and cooperation within this threat landscape.

Ongoing Monitoring

While Sandman's association with China-based adversaries is acknowledged, ongoing monitoring remains crucial. Sandman is maintained as a distinct cluster pending further conclusive information.

Broader Lua Development Paradigm Adoption

Sandman's use of LuaDream signals a broader adoption of the Lua development paradigm in cyberespionage. This paradigm, historically Western-aligned, now extends to a diverse set of threat actors for its modularity and simplicity.

- Ongoing monitoring of Sandman's distinct cluster status
- Broader adoption of Lua development paradigm in cyberespionage