CyberWire Daily - Sandman doesn't slow malware down. [Research Saturday]
Episode Date: November 4, 2023

Aleksandar Milenkoski and JAGS from SentinelOne sit down to share their work on "Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit." After observing a new threat activity cluster by an unknown threat actor in August of this year, SentinelLabs dubbed it Sandman. The research states "Sandman has been primarily targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent." Sandman has deployed a novel modular backdoor utilizing the LuaJIT platform; they call this malware "LuaDream," which exfiltrates system and user information, paving the way for further precision attacks. The research can be found here: Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit
Transcript
You're listening to the CyberWire Network, powered by N2K.

Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
We were hunting around mostly for compromises of Windows library files. That's when we stumbled upon a trojanized ualapi.dll file. So I would say, in a nutshell, this is kind of a logging library that is loaded by a few Windows services at startup.
Our guests today are Aleksandar Milenkoski and Juan Andres Guerrero-Saade from SentinelOne's SentinelLabs. They're sharing their work "Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit."
So we noticed this and then examined the file in more detail, and saw the implementation of a rather intricate, rather complex staging mechanism.
That's Aleksandar Milenkoski.
That delivers the backdoor, which we then named LuaDream. And this was what kicked off our deep investigation into this threat activity overall, I would say.
Juan, anything to add to that?
Well, I have to say, after Metador and Tainted Love and some of the other stuff that we've worked on recently, we have been paying a lot more attention to the telco space. As far as we can see, it looks like there's possibly four to five different advanced but not very well attributed threat actors that seem to be operating primarily in telcos around the world. And it's something that's really caught our attention and we've been trying to wrap our heads around and keep some sort of situational awareness over.
Well, let's dig in here. Why don't we start off with a description of Sandman themselves. What do we know about this organization?
Right, when looking at the threat cluster overall, I would say that the use of the backdoor, LuaDream, which is a modular Lua-based backdoor, is what is really unique about the Sandman activity from our perspective, at least. The thing is that Lua-based modular backdoors like LuaDream have been observed, I would say, relatively rarely in the threat landscape. And when observed, they were rather in the context of advanced APTs, which were historically considered Western or Western-aligned. There is a rather interesting historical context on the use of Lua, which Juan has been researching in greater detail.
Juan, you want to fill us in there?
Sure. So basically, the subtext here that I think is never sort of plainly stated is that the combination of C++ and Lua for malware toolkits has always been considered a bit of a telltale sign of Western operations. You know, Western sort of broadly defined. But if you think about it, right, the history of it is Flame, Flame 2, Project Sauron, EvilBunny from Animal Farm. These are all operations that have generally been sort of considered Western-aligned, whether it's, you know, US, Israel, France, etc. So a lot of folks will look at, you know, folks in the know will look at a new piece of malware that's C++ and Lua and immediately sort of assume that this is a case of blue on blue or some kind of, you know, the kind of operations that you might not be particularly against, right?

That is something that we've been profiling a great deal and sort of working on, A, to like understand sort of that history of development, but B, because we're starting to get the sense that that is no longer the case. We understand sort of the importance of that paradigm, why it's been useful. It is actually fascinating as far as the development of the malware itself goes. But I think more importantly, we're starting to see those techniques trickle down to other threat actors that are obviously not Western-aligned. You know, something to do with Sandman is they're attacking telcos in Western Europe. So, you know, we're beyond that point where we can just say, look, this is only something that our boys do or that friendly govs do, if you consider such a thing, but rather that we need to kind of open our aperture and accept that sort of the cat's out of the bag and we're seeing different teams use this quite nefariously.
I can't help wondering, I mean, do you suppose this is a case of imitation is the sincerest form of flattery, or could it go so far as to be intentional misdirection?

I mean, I think there's a variety of things to consider there, right? There's imitation as a form of flattery, right? This stuff is not quite so private anymore since the threat intel space got their hands on it as early as 2012. It's been getting reported. There's also a technical end to it, right? I think folks who've never done C++ development or Lua don't understand why Lua is more important or more useful than any other scripting language, let's say Python. But rather, if you pay attention to Lua, it is actually very, very special. It's running on a virtual machine that's written in C that can be compiled in a very small form factor directly into a C++ code base. And when you look at how complex some of these pieces of C++ code are, and you consider that you would, in theory, have to recompile this whole thing if there's ever an error, if you ever want to inject new functionality, etc., Lua actually becomes this really valuable bridge where you can basically toss scripts into this running VM inside of an existing code base, and you can fix your malware on the fly without having to replace it, without having to recompile it. I think that's where a lot of sort of the emphasis and the magic and the preference for it has come from.

When you look at the new operations, though, the question is, are they imitating it? Are we looking at a Project Raven-style case where the folks who knew from over here have decided to go somewhere else? Or have just other C++ development gurus decided that this is also a good way to go about solving their problems?
Well, let's dig into some of the details here. How does Sandman go about doing the things that they do? You mentioned that they seem to be targeting telcos.
Yeah, sure. So just to circle back on Sandman and that particular cluster, so I mentioned already the use of Lua as something that distinguishes this cluster from other activities that we've been observing recently. Other than that, in addition to deploying LuaDream, the threat actors used, I would say, primarily open-source living-off-the-land tooling to steal credentials, move laterally within the victim networks, and so on.

Regarding victimology, we observed the threat actor targeting primarily telcos in the Middle East, Western Europe, as JAGS mentioned, and South Asia. We, but also some industry partners, have also observed Sandman's presence in government entities. This was mostly in South Asia. So to summarize in a nutshell, I would say telcos and government entities seem to be among, at this point at least, the top coveted targets by this threat actor. We're still working on some reliable attribution indicators on this threat actor, so stay tuned on that front. So it's a small teaser from our side. That being said, the locations and sector of the victims may relate to the geopolitical interest of whatever nation-state is backing or even hiring the Sandman APT.
And what specifically does it seem as though they're after here?
Right. I mean, Sandman clearly has cyber espionage motivations, right? The victimology, the TTPs that we observed, the malware, of course, LuaDream, are very indicative of this. For example, in one instance, we observed that threat actors have been present in some environments for months and then suddenly were strategically moving to workstations of managerial personnel, right? And in general, coming back to the victimology and telcos in particular, I would say that they're in general a very attractive target to cyber espionage actors overall. So they provide them access to things like data, of course, like telcos host a lot of customer and employee private or communication data as well. Data and proprietary communication technologies, of course, infrastructure, so they have large infrastructures, often syndicated. And intrusion in telcos can also be used for downstream compromise in some cases to associated organizations.

What are you all seeing in terms of their own infrastructure here? You know, things like command and control.
Right. So, actually, this aspect was one of the more interesting things in our research, I would say. So I will just start from a high level. At this point, we don't really place Sandman among the most sophisticated APT groups out there. So this is mostly because of the lack of clear C2 infrastructure segmentation that we observed. So I would say this is something that you just don't see among the absolute pros in the game. JAGS, of course, can add to that. But that being said, we observed a discrepancy between the sophistication of Sandman from an operational perspective, especially regarding its C2 infrastructure, and LuaDream, or the malware itself. So this led us to think about potentially the involvement of a third-party vendor that is supplying these operational groups or multiple operational groups with malware. So this is an interesting topic that we certainly plan to explore in greater detail in the future.
JAGS, do you have any insights on that part of it?
Well, it's an interestingly opaque sort of space, right? We see these different variations when it comes to infrastructure. We see also the way that they move inside of the network. I'll say that we've been harboring some suspicions about what actors this may relate to. Part of the problem with sort of figuring out entirely new or seemingly new clusters of activity is that, just the same as the attackers have developed, you have to come to this moment of questioning, like, is this somebody we've seen before and we just don't recognize their new toolkit? Or are we dealing with an entirely new cluster of activity that we just had not caught onto before? And I think in many ways with something like Sandman, it's still a bit of an open question.

I think it's very difficult to diagnose or to just sort of figure out from afar if you're dealing with a mercenary group, which is sort of the more complicated end of this, because you can't rely on the usual heuristics of, well, who do they attack? Where do they seem to come from? What is their language? What is their time zone? Okay, well, that should give us enough to surmise who we may be dealing with. When it comes to somebody that's sort of potentially a commercial provider for a variety of groups, you don't get to have those sorts of simple heuristics. So it's a very complex situation where we look at this, we look at Metador, which we worked on last year. You look at publications like things like LightBasin that other folks have been looking into. And there's this broad question of just how many folks are operating in the dedicated telco space. How much awareness do they have about how these places are set up? And how well are they doing that they seem to be gaining quite a persistent foothold in a lot of places?
And how exactly are they getting in? What is the initial access here?
Well, we are still analyzing available telemetry data, basically trying to determine the concrete initial intrusion vector. In general, I would say that although we lack concrete indicators at this time, the current suspects are the usual. So we are talking about vulnerability exploitation, maybe social engineering, phishing attacks, maybe even purchasing access from initial access brokers. That's something that we relatively often see as well.

Part of the difficulty in this situation, the reason that I mentioned that there's a certain amount of familiarity with their victim environment, is, in the case of Sandman in particular, we were seeing them, what appeared to be moving laterally across one of the victim networks in such a way as to avoid machines that the SentinelOne agent had been deployed to. So you can see where they're trying to abuse a certain amount of, like, this sort of blind spot that comes with things that we can't help, right? If, you know, a certain enterprise is only deployed to 60% of their endpoints or 80% of their endpoints, then you do have sort of this dark matter that comes with that other side of the house that's sort of unprotected, uninspected. And when they accidentally tripped onto a machine that had our product on it, that's when Alex latches onto it and we start to figure out, oh, they've actually been hopping around the network very, very carefully, trying to avoid us. So there's definitely a certain, you know, there's a reason that this is such a, you know, complex endeavor, interesting endeavor. And it does go hand in hand with the fact that you're dealing with sort of a sentient enemy that is adapting to what you do just as much as we're adapting to them.

I mean, does that imply that there's a certain amount of scouting that they're doing ahead of time?

Absolutely. There's a great deal of scouting.

What we also observed, at least on those endpoints where we had telemetry on about the activities, we definitely also saw reconnaissance activities as well, right? So this was mainly for two purposes, and the second we can only assume, right? The first was to what workstation they should move, so they should deploy their backdoors. And the second one was probably involving scouting for defensive mechanisms, right? Including our own agent.
So what are your recommendations here? I mean, for organizations who think they may be of interest to this group, what are the best practices here to keep them out?
So I will start relating back to the general suspected initial intrusion vectors, and JAGS will probably wrap it up. So at this point, when we are still trying to determine the exact initial intrusion vectors, I would say protection measures against the usual suspects come to mind. This also relates to what we usually observe if we take and survey the whole threat landscape targeting telcos. So this is mostly phishing and social engineering awareness, of course, including proper examination of emails that originate from untrusted sources. Vulnerability management, of course, especially on internet-exposed services or devices. Deployment of modern detection systems. So JAGS also mentioned these characteristics of the Sandman cluster, where they were hopping on workstations where our system was not present. And deployment of this system, especially on mission-critical endpoints or endpoints that store sensitive data.
There's recommendations that we can and should give for the telco space and the gov space in particular, as Alex mentioned. But I'd also like to point out that part of the pain and difficulty of seeing threat actors be successful on telcos is that the implication here is that these are enabler operations. They are meant to enable further collection downstream to other customers, to folks using phones, using internet, being provided by these different telco providers. And the difficulty there is, yeah, we can talk about how a telco could defend itself better, but we also have this general concern that comes with the fact that any aspect of security or privacy that is contingent on the good defense of a telco is in many ways sort of defeated categorically by the lack of defense within some of these organizations or, you know, just by falling prey in some ways, as happens to everybody.

In particular, what I have in mind is, you know, we're talking about super advanced, very capable threat actors going into telcos and doing special things. But I think we're also living at a time where you have actors like Lapsus$ or Star Fraud or The Com in general, where I don't think anybody would put them at a high level of sophistication, but they're also proving just how porous the telco space can be. So when you're talking about giving recommendations for folks in general, I mean, the one thing that we need to desperately run away from is two-factor via SMS. Anything that has to do with account verification that relies entirely on a phone number is something that we just have to abandon categorically at this point and move to more robust solutions. And then we can have more interesting conversations about what's happening with espionage enablers operating in telcos.
Our thanks to Aleksandar Milenkoski and Juan Andres Guerrero-Saade from SentinelOne's SentinelLabs for joining us. The research is titled "Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit." We'll have a link in the show notes.
The CyberWire Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.