New stealthy APT targets telcos across three continents with novel backdoor

A worker rebuilds a cellular tower with 5G equipment for the Verizon network on November 26, 2019 in Orem, Utah.

A previously unknown threat group has targeted multiple telecommunications companies across large parts of Europe, the Middle East and Asia with a novel backdoor malware.

Based on the group’s tactics, techniques and procedures (TTPs), researchers suspect it is likely espionage-focused and may be a private contractor or mercenary organization tasked with gathering the sensitive data telcos amass.

The advanced persistent threat (APT) actor, dubbed Sandman, relies on strategic lateral movement to targeted workstations and on minimal engagement to avoid detection, according to a Sept. 21 profile of the group by SentinelLabs, the firm that first discovered it.

SentinelLabs collaborated with QGroup to observe Sandman through much of August. The group’s “focused, strategy-driven activities, and the use of complex malware designed to evade detection point to a motivated and capable adversary,” SentinelLabs senior threat researcher Aleksandar Milenkoski wrote in the profile.

Sandman deploys a novel modular backdoor malware – which SentinelLabs calls LuaDream – based on the LuaJIT platform, a just-in-time compiler for the Lua scripting language. Leveraging LuaJIT makes the backdoor’s malicious Lua script code difficult to detect.

“Typically used as a scripting middleware in gaming and specialty embedded applications and appliances, the use of LuaJIT in the context of APT malware is relatively rare but the population using it is becoming broader,” Milenkoski said.
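The detection difficulty described above comes from LuaJIT compiling the Lua source to bytecode, so the malicious script never has to sit on disk as readable text. One thing a defender can still look for is the LuaJIT bytecode dump header itself: every dump produced by LuaJIT starts with the bytes ESC 'L' 'J', a version byte (1 for LuaJIT 2.0, 2 for LuaJIT 2.1) and a flags byte. The scanner below is an added example written for this article, not SentinelLabs' or QGroup's tooling and not derived from LuaDream samples; the header layout is LuaJIT's documented bytecode format, while the file names, the sample bytes and the flag-nibble heuristic are constructed assumptions for illustration.

```python
import os
import sys

# LuaJIT bytecode dumps begin with ESC 'L' 'J', then a version byte
# (1 = LuaJIT 2.0, 2 = LuaJIT 2.1) and a flags byte.
LJ_MAGIC = b"\x1bLJ"
LJ_VERSIONS = {1: "LuaJIT 2.0", 2: "LuaJIT 2.1"}
# Known flag bits (big-endian, stripped debug info, FFI use, FR2 frame layout)
# all live in the low nibble. Treating anything above it as a false match is
# a heuristic assumption to cut down on chance occurrences of the 3-byte magic.
LJ_KNOWN_FLAGS = 0x0F


def find_luajit_bytecode(data: bytes) -> list:
    """Return (offset, version_name, flags) for each plausible LuaJIT
    bytecode header found anywhere inside `data`."""
    hits = []
    start = 0
    while True:
        off = data.find(LJ_MAGIC, start)
        if off == -1:
            break
        start = off + 1
        if off + 5 > len(data):
            continue
        version = data[off + 3]
        flags = data[off + 4]
        if version in LJ_VERSIONS and flags & ~LJ_KNOWN_FLAGS == 0:
            hits.append((off, LJ_VERSIONS[version], flags))
    return hits


def scan_file(path: str) -> list:
    """Scan one file on disk for embedded LuaJIT bytecode headers."""
    with open(path, "rb") as f:
        return find_luajit_bytecode(f.read())


def scan_tree(root: str) -> dict:
    """Walk a directory tree and map each file with hits to its hit list."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                hits = scan_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if hits:
                results[path] = hits
    return results


# Constructed sample (not real malware): a fake host binary with a LuaJIT 2.1
# header (flags 0x00, so a ULEB128-length chunk name "=stdin" follows) embedded
# after filler, plus a stray "\x1bLJ" with an impossible version byte that
# must NOT be reported.
SAMPLE = (
    b"MZ" + b"\x00" * 40
    + b"\x1bLJ\x02\x00" + b"\x06=stdin"
    + b"\x00" * 8
    + b"\x1bLJ\x7f\xff"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for off, ver, flags in hits:
                print(f"{path}: {ver} bytecode header at offset {off} (flags=0x{flags:02x})")
    else:
        print(find_luajit_bytecode(SAMPLE))
```

Run it with a directory argument to sweep a tree, or with no argument to exercise the constructed sample. A hit is a triage lead, not a verdict: the article itself notes that LuaJIT is used legitimately in games and embedded applications, so expect benign matches, and since the staging chain is described as loading the malware directly into memory, a disk-only sweep can miss the live payload entirely; the same `find_luajit_bytecode` function can be pointed at process memory dumps instead.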

Stealth and sophistication point to espionage

He described LuaDream as a “maintained, versioned project under active development.” The backdoor’s main functions are to exfiltrate system and user information – paving the way for further precision attacks – and to manage additional Sandman plugins that extend its capabilities.

“The LuaDream staging chain is designed to evade detection and thwart analysis while deploying the malware directly into memory,” Milenkoski said.

“The 36 distinct LuaDream components we identified and the support for multiple protocols for C2 (command-and-control) communication indicate a project of a considerable scale.”

The activity cluster SentinelLabs and QGroup observed, along with the C2 netflow data they examined, indicates Sandman was targeting telcos across an expansive geographical region that includes the Middle East, Western Europe, and the South Asian subcontinent.

“LuaDream stands as a compelling illustration of the continuous innovation and advancement efforts that cyber espionage threat actors pour into their ever-evolving malware arsenal,” Milenkoski said.

“While we cannot associate LuaDream to any known threat actor, we lean towards the possibility of a private contractor or mercenary group.”

The enigmatic nature of Sandman and LuaDream puts the APT group in the same category as a number of other mysterious threat actors, including Metador, which SentinelLabs discovered 12 months ago and which also targeted telcos.

Telcos remain prime targets for APTs

2023 began with a wave of cyberattacks targeting telecommunications companies, and earlier this week Cisco Talos revealed details of a new malware family it calls HTTPSnoop that has been attacking telcos in the Middle East.

“Telecommunications companies typically control a vast number of critical infrastructure assets, making them high-priority targets for adversaries looking to cause significant impact,” Cisco Talos researchers said in a Sept. 19 post.

“These entities often form the backbone of national satellite, internet and telephone networks upon which most private and government services rely. Furthermore, telecommunications companies can serve as a gateway for adversaries to access other businesses, subscribers or third-party providers.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
