SentinelLabs, Microsoft, and PwC threat intelligence researchers have provided attribution-relevant information on the relatively unknown Sandman APT.

The report, released on 11 December, details a link between the Sandman APT and Chinese threat actors who use the KEYPLUG backdoor. The Chinese threat actor is tracked by Microsoft as STORM-0866/Red Dev 40.

The Lua-based malware used by Sandman (known as LuaDream) has been seen co-existing in the same victim networks as the KEYPLUG malware and sharing the same C2 infrastructure and domain naming conventions, leading the researchers to strongly suspect a link between the two groups.

Forensic analysis of both LuaDream and KEYPLUG reveals indicators of shared development practices and overlaps in functionalities and design, suggesting shared functional requirements by their operators.

Who are Sandman APT?

Back in September, SentinelLabs produced a report into a new APT which they dubbed Sandman. The gang has been observed targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent.

The gang uses a modular backdoor (LuaDream) built on the LuaJIT platform, which is a relatively rare occurrence in the threat landscape.

The implementation of LuaDream indicates a well-executed, maintained, and actively developed project of a considerable scale.

LuaDream's main functionalities are:

  • exfiltrating system and user information, paving the way for further precision attacks;
  • managing attacker-provided plugins that extend LuaDream's features.

Analysis of the 36 distinct LuaDream components identified, together with the support for multiple C2 protocols, indicates a project of considerable scale. The LuaDream staging chain is designed to evade detection and thwart analysis while deploying the malware directly into memory. LuaDream's implementation and staging process leverage the LuaJIT platform, the just-in-time compiler for the Lua scripting language, primarily to make the malicious Lua script code difficult to detect.
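Because the staging chain deploys LuaJIT-compiled code directly into memory, one defensive starting point is to hunt memory dumps or carved files for LuaJIT bytecode dumps. The following scanner is an added example and is not code from the report or from SentinelLabs; it relies only on the public LuaJIT bytecode dump format, whose header is the bytes `ESC 'L' 'J'`, a version byte (1 for LuaJIT 2.0, 2 for LuaJIT 2.1) and a flags byte (big-endian, stripped debug info, FFI use). The sample buffer is constructed for the example.

```python
"""Hunt for LuaJIT bytecode dump headers inside an arbitrary byte buffer.

Header layout (from LuaJIT's lj_bcdump.h): 0x1B 'L' 'J' <version> <flags ULEB128> ...
Only the header is parsed here; a hit is a lead for an analyst, not a verdict.
"""
import re
import sys
from dataclasses import dataclass

LUAJIT_MAGIC = b"\x1bLJ"
BCDUMP_F_BE = 0x01      # big-endian dump
BCDUMP_F_STRIP = 0x02   # debug info stripped (common in malware-delivered bytecode)
BCDUMP_F_FFI = 0x04     # the chunk uses the FFI library (native calls possible)
KNOWN_VERSIONS = (1, 2) # LuaJIT 2.0 and 2.1 dump formats


@dataclass
class LuaJitHit:
    offset: int
    version: int
    big_endian: bool
    stripped: bool
    uses_ffi: bool


def scan_buffer(buf: bytes) -> list[LuaJitHit]:
    """Return one LuaJitHit per plausible LuaJIT bytecode header in buf."""
    hits = []
    for match in re.finditer(re.escape(LUAJIT_MAGIC), buf):
        off = match.start()
        if off + 5 > len(buf):
            continue  # truncated: not enough bytes for version + flags
        version = buf[off + 3]
        if version not in KNOWN_VERSIONS:
            continue  # magic bytes appearing by chance, not a known dump version
        # Flags are ULEB128; values below 0x80 occupy one byte, which covers
        # every combination of the three defined flag bits.
        flags = buf[off + 4]
        if flags & 0x80:
            continue  # multi-byte flags value is not produced by a stock LuaJIT dump
        hits.append(LuaJitHit(
            offset=off,
            version=version,
            big_endian=bool(flags & BCDUMP_F_BE),
            stripped=bool(flags & BCDUMP_F_STRIP),
            uses_ffi=bool(flags & BCDUMP_F_FFI),
        ))
    return hits


def scan_file(path: str) -> list[LuaJitHit]:
    """Scan a memory dump or carved file on disk."""
    with open(path, "rb") as fh:
        return scan_buffer(fh.read())


# Constructed sample: a fake PE-like prefix, one genuine-looking stripped
# LuaJIT 2.1 header at offset 20, and a decoy with an invalid version byte.
SAMPLE_BUFFER = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"\x1bLJ\x02\x02" + b"\x00\x10"
    + b"junk\x1bLJ\x09\x00"
)

if __name__ == "__main__":
    target = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_buffer(SAMPLE_BUFFER)
    for hit in target:
        print(f"LuaJIT bytecode header at 0x{hit.offset:x}: v{hit.version} "
              f"stripped={hit.stripped} ffi={hit.uses_ffi} be={hit.big_endian}")
```

A stripped dump with the FFI flag set is worth prioritising during triage, since stripped debug info removes function and variable names and FFI use means the script can reach native code; neither property is malicious on its own, and legitimate LuaJIT-based software will also produce hits.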

Who are STORM-0866/Red Dev 40?

STORM-0866/Red Dev 40 is a developing APT threat cluster primarily targeting entities in the Middle East and the South Asian subcontinent, including telecommunication providers and government entities. The modular backdoor KEYPLUG has become a staple weapon in STORM-0866/Red Dev 40’s arsenal.

Mandiant first reported on KEYPLUG as part of intrusions into U.S. government entities by the Chinese APT group APT41.

LuaDream & KEYPLUG

A code comment seen in KEYPLUG was written in Chinese, indicating a potential Chinese origin; however, all other variable names, code comments, and error messages are written in English.

LuaDream and KEYPLUG are both highly modular and multi-protocol in design. They both implement support for the HTTP, TCP, WebSocket, and QUIC protocols for C2 communication.

The combination of QUIC and WebSocket is a relatively rare backdoor feature and its implementation in both LuaDream and KEYPLUG may be the result of a shared functional requirement by the backdoors’ operators.
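The rarity of QUIC and WebSocket appearing together in a backdoor suggests a hunting heuristic: look for a single internal host that speaks both protocols to the same external destination. The script below is an added example, not code from the report or from any of the vendors named; the line-oriented log format, the field names and the records themselves are constructed for the example, and the heuristic is an assumption of the example rather than a published detection.

```python
"""Flag (source host, destination) pairs that use both QUIC and WebSocket.

Input: constructed connection-log lines of the form
    <timestamp> <src_host> <dst> <protocol>
Legitimate browsers also use both protocols, so hits are triage leads only.
"""
from collections import defaultdict

# Constructed sample log lines (not from the report).
SAMPLE_LOG = """\
2023-12-11T08:00:01Z ws-01 cdn.legit.example http
2023-12-11T08:00:02Z ws-01 cdn.legit.example quic
2023-12-11T08:05:10Z ws-07 relay.suspicious.example websocket
2023-12-11T08:05:11Z ws-07 relay.suspicious.example quic
2023-12-11T08:05:12Z ws-07 relay.suspicious.example tcp
2023-12-11T08:09:30Z ws-09 chat.legit.example websocket
2023-12-11T08:09:31Z ws-09 other.legit.example quic
malformed line that should be skipped
"""


def parse_log(text: str):
    """Yield (src_host, dst, protocol) from well-formed lines; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dst, proto = parts
        yield src, dst, proto.lower()


def find_multiprotocol_pairs(conns, required=("quic", "websocket")):
    """Return sorted (src, dst, protocols) tuples where protocols covers `required`.

    The check is per (src, dst) pair: ws-09 talks WebSocket to one host and
    QUIC to another, which does not count.
    """
    seen = defaultdict(set)
    for src, dst, proto in conns:
        seen[(src, dst)].add(proto)
    needed = set(required)
    return sorted(
        (src, dst, tuple(sorted(protos)))
        for (src, dst), protos in seen.items()
        if needed <= protos
    )


if __name__ == "__main__":
    for src, dst, protos in find_multiprotocol_pairs(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {', '.join(protos)}")
```

In a real deployment the same grouping would run over flow or proxy records, with the required protocol set extended to the full HTTP, TCP, WebSocket and QUIC combination described above to tighten the match.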

The high-level execution flows of LuaDream and KEYPLUG are also very similar. Both backdoors first gather and exfiltrate system and user information in designated functions, with overlaps in gathered information (for example, MAC address, OS version, IP address, computer name, and username).