SentinelLabs observed a new threat activity cluster, tracked as Sandman and not tied to any known actor, targeting telecommunications providers across the Middle East, Western Europe, and the South Asian subcontinent with a LuaJIT-based modular backdoor named LuaDream. The LuaDream project appears well-developed, with plugin support and in-memory loading to evade detection; attribution remains uncertain. #LuaDream #SandmanAPT #DreamLand #LuaJIT #Telcos
Key points
- Sandman is a newly observed threat activity cluster targeting telecom providers in multiple regions.
- LuaDream is a modular backdoor built on LuaJIT, with a sizable set of components and in-memory loading to complicate analysis.
- Initial access involves credential theft followed by pass-the-hash (NTLM) lateral movement to targeted workstations.
- LuaDream uses DLL hijacking (ualapi.dll) to load and execute, avoiding explicit service restarts to evade detection.
- LuaDream supports multi-protocol C2 (TCP, HTTPS, WebSocket, QUIC) and has a plugin-management framework with attacker-provided plugins.
- Attribution remains unclear; the actor may be a private contractor or mercenary group rather than a known actor.
MITRE Techniques
- [T1550.002] Pass the Hash – ‘Sandman infiltrated specifically targeted workstations using the pass-the-hash technique over the NTLM authentication protocol.’
- [T1574.001] DLL Search Order Hijacking – ‘abused the DLL hijacking technique to execute LuaDream. The ualapi.dll file they placed is a malicious DLL masquerading as its legitimate counterpart…’
- [T1027] Obfuscated/Compressed Files and Information – ‘Next-stage code is typically packed using a combination of XOR-based encryption and compression.’
- [T1059.005] Lua – ‘The LuaDream variant we analyzed is configured to execute with a LuaJIT engine enabling the execution of the LuaJIT components…’
- [T1071.001] Web Protocols – ‘LuaDream configuration includes C2 and communication protocol information… configured to communicate with the mode.encagil[.]com domain over the WebSocket protocol.’
- [T1041] Exfiltration Over C2 Channel – ‘exfiltrating system and user information, paving the way for further precision attacks.’
- [T1497] Virtualization/Sandbox Evasion – ‘detection of Wine-based sandboxes…’
- [T1564.001] Hide Artifacts: NtSetInformationThread – ‘hiding LuaDream’s threads from a debugger using the NtSetInformationThread.’
Indicators of Compromise
LuaDream Folder File Paths
%ProgramData%\FaxConfig
%ProgramData%\FaxLib
C2 Server Domains
mode.encagil[.]com
ssl.explorecell[.]com
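The indicators above, turned into a small hunt over endpoint and DNS telemetry. This is an added example, not code from SentinelLabs or the report; the log lines are constructed, and expanding %ProgramData% to C:\ProgramData is an assumption.

```python
import re

# Hunt rules built only from the indicators in this summary. Domains are kept
# defanged exactly as the page writes them; refang() normalises them for matching.
C2_DOMAINS = ["mode.encagil[.]com", "ssl.explorecell[.]com"]
DROP_DIRS = [r"%ProgramData%\FaxConfig", r"%ProgramData%\FaxLib"]
HIJACK_DLL = "ualapi.dll"


def refang(indicator):
    """Turn a defanged indicator such as mode.encagil[.]com into a real domain."""
    return indicator.replace("[.]", ".")


def expand_env(path):
    """Expand %ProgramData% to its default location (assumed to be C:\\ProgramData)."""
    return path.replace("%ProgramData%", r"C:\ProgramData")


def match_line(line):
    """Return the indicator tags hit by one log line (empty list when clean)."""
    hits = []
    lower = line.lower()
    for domain in C2_DOMAINS:
        if refang(domain).lower() in lower:
            hits.append("c2-domain:" + domain)
    for drop_dir in DROP_DIRS:
        if expand_env(drop_dir).lower() in lower:
            hits.append("drop-dir:" + drop_dir)
    # Any image load of a file named ualapi.dll is worth review, since the page
    # describes the planted copy as masquerading as the legitimate DLL.
    if re.search(r"[\\/]" + re.escape(HIJACK_DLL) + r"\b", lower):
        hits.append("hijack-dll:" + HIJACK_DLL)
    return hits


def hunt(lines):
    """Map 1-based line numbers to the indicators each log line matched."""
    findings = {}
    for number, raw in enumerate(lines, 1):
        hits = match_line(raw)
        if hits:
            findings[number] = hits
    return findings


# Constructed sample telemetry, not real logs from the report.
SAMPLE_LOGS = [
    "DnsQuery host=WS01 query=mode.encagil.com type=A",
    "FileCreate host=WS01 path=C:\\ProgramData\\FaxConfig\\fax.dat",
    "ImageLoad host=WS01 image=C:\\Windows\\System32\\ualapi.dll",
    "DnsQuery host=WS02 query=update.microsoft.com type=A",
]

if __name__ == "__main__":
    for number, hits in hunt(SAMPLE_LOGS).items():
        print(number, SAMPLE_LOGS[number - 1], "->", hits)
```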
Read more: https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/