Sandman APT | China-Based Adversaries Embrace Lua

The Sandman APT is linked to suspected China-based threat clusters that use the KEYPLUG backdoor, with LuaDream (Lua-based) observed co-existing in the same victim environments. The report highlights shared infrastructure practices, overlaps in functionality, and the adoption of Lua as a modular backdoor approach among actors including STORM-0866/Red Dev 40. #SandmanAPT #KEYPLUG

Keypoints

  • The Sandman APT is likely associated with China-based clusters that use the KEYPLUG backdoor (e.g., STORM-0866/Red Dev 40).
  • LuaDream and KEYPLUG have been observed co-existing in the same victim environments.
  • Sandman and STORM-0866/Red Dev 40 share infrastructure control, hosting providers, and domain naming conventions.
  • There are indicators of shared development practices and overlaps in functionality between LuaDream and KEYPLUG, suggesting common operator requirements.
  • The Lua development paradigm is being adopted by a broader set of adversaries, including China-based actors, due to modularity and portability.
  • Key infrastructure details include multiple C2 domains, IPs, and cloud-based reverse proxy usage to hide true hosting locations.

MITRE Techniques

  • [T1059.005] Lua – Lua scripting used for backdoor development. [‘LuaDream is a maintained modular backdoor based on LuaJIT.’]
  • [T1082] System Information Discovery – The backdoors gather and exfiltrate system and user information (MAC address, OS version, IP address, computer name, username). [‘gather and exfiltrate system and user information (MAC address, OS version, IP address, computer name, username)’]
  • [T1071.001] Web Protocols – The backdoors implement HTTP, TCP, WebSocket, and QUIC for C2 communication. [‘highly modular and multi-protocol in design, both implementing support for the HTTP, TCP, WebSocket, and QUIC protocols for C2 communication.’]
  • [T1090.001] Proxy – Use of cloud-based reverse proxy infrastructure to hide true hosting locations. [‘relying on Cloud-based reverse proxy infrastructure for hiding the true hosting locations.’]
  • [T1041] Exfiltration Over C2 Channel – Data is exfiltrated via the C2 channel, including system information (MAC address, OS version, IP, computer name, username). [‘gather and exfiltrate system and user information’]

Indicators of Compromise

  • [Domains] context – dan.det-ploshadka[.]com (KEYPLUG C2), mode.encagil[.]com (LuaDream C2), ssl.articella[.]com (Suspected KEYPLUG or LuaDream C2), ssl.e-novauto[.]com (KEYPLUG C2), ssl.explorecell[.]com (LuaDream C2), yum.luxyries[.]com (KEYPLUG C2)
  • [IP Addresses] context – 146.70.157[.]20, 172.67.216[.]63, 185.38.142[.]129, 185.51.134[.]27, 185.82.218[.]230, 37.120.140[.]205, 45.129.199[.]122, 45.80.148[.]151, 45.90.59[.]17, 5.2.67[.]176, 5.2.72[.]130, 5.255.88[.]188, 79.110.52[.]160
  • [Certificate Thumbprints] context – a7932112b7880c95d77bc36c6fcced977f4a5889 (KEYPLUG C2), b6d759c9ea5d2136bacb1b2289a31c33500c8de8 (KEYPLUG C2), fc8fdf58cd945619cbfede40ba06aada10de9459 (LuaDream C2)
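A defender's first use of the indicators above is to sweep existing telemetry for them. The script below is an added example, not code from the SentinelOne report: it refangs the published domains, IPs and certificate thumbprints, then scans log lines for exact domain matches (and subdomains of a listed domain), listed destination IPs, and listed SHA-1 certificate thumbprints. The log lines and the `client=`/`query=`/`dst=`/`cert_sha1=` field layout are constructed for the example and do not correspond to any real product's format; the per-IP context string is an assumption because the report list gives none.

```python
import re
from typing import Dict, List, Tuple

# Indicators as published in the report summary above (defanged with "[.]").
DOMAIN_IOCS: Dict[str, str] = {
    "dan.det-ploshadka[.]com": "KEYPLUG C2",
    "mode.encagil[.]com": "LuaDream C2",
    "ssl.articella[.]com": "Suspected KEYPLUG or LuaDream C2",
    "ssl.e-novauto[.]com": "KEYPLUG C2",
    "ssl.explorecell[.]com": "LuaDream C2",
    "yum.luxyries[.]com": "KEYPLUG C2",
}
IP_IOCS: List[str] = [
    "146.70.157[.]20", "172.67.216[.]63", "185.38.142[.]129", "185.51.134[.]27",
    "185.82.218[.]230", "37.120.140[.]205", "45.129.199[.]122", "45.80.148[.]151",
    "45.90.59[.]17", "5.2.67[.]176", "5.2.72[.]130", "5.255.88[.]188", "79.110.52[.]160",
]
CERT_IOCS: Dict[str, str] = {
    "a7932112b7880c95d77bc36c6fcced977f4a5889": "KEYPLUG C2",
    "b6d759c9ea5d2136bacb1b2289a31c33500c8de8": "KEYPLUG C2",
    "fc8fdf58cd945619cbfede40ba06aada10de9459": "LuaDream C2",
}
# Assumption: the report gives no per-IP context, so one generic label is used.
IP_CONTEXT = "listed C2 IP address"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into a matchable value."""
    return indicator.replace("[.]", ".").lower()


# Refanged lookup tables built once at import time.
DOMAINS = {refang(d): ctx for d, ctx in DOMAIN_IOCS.items()}
IPS = {refang(ip) for ip in IP_IOCS}
CERTS = {fp.lower(): ctx for fp, ctx in CERT_IOCS.items()}

# Extractors applied to each lower-cased log line.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")   # hostnames, never bare IPs
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")         # IPv4 addresses
SHA1_RE = re.compile(r"\b[0-9a-f]{40}\b")                   # SHA-1 thumbprints

Hit = Tuple[str, str, str]  # (indicator type, matched value, report context)


def match_log_line(line: str) -> List[Hit]:
    """Return every report indicator found in one log line."""
    hits: List[Hit] = []
    lower = line.lower()
    for host in sorted(set(HOST_RE.findall(lower))):
        for ioc, ctx in DOMAINS.items():
            # Exact match, or a subdomain of a listed C2 domain.
            if host == ioc or host.endswith("." + ioc):
                hits.append(("domain", host, ctx))
    for ip in sorted(set(IP_RE.findall(lower))):
        if ip in IPS:
            hits.append(("ip", ip, IP_CONTEXT))
    for fp in sorted(set(SHA1_RE.findall(lower))):
        if fp in CERTS:
            hits.append(("cert", fp, CERTS[fp]))
    return hits


def scan_logs(lines: List[str]) -> List[Tuple[int, str, List[Hit]]]:
    """Scan a batch of log lines; return (index, line, hits) for lines with hits."""
    return [(i, ln, h) for i, ln in enumerate(lines) if (h := match_log_line(ln))]


# Constructed sample telemetry: DNS, proxy and TLS records in an invented layout.
SAMPLE_LOGS = [
    "2023-09-22T10:15:01Z dns client=10.20.30.40 query=ssl.explorecell.com type=A",
    "2023-09-22T10:15:02Z proxy client=10.20.30.40 dst=185.82.218.230:443 method=CONNECT",
    "2023-09-22T10:15:03Z tls client=10.20.30.40 sni=api.example.org "
    "cert_sha1=fc8fdf58cd945619cbfede40ba06aada10de9459",
    "2023-09-22T10:16:00Z dns client=10.20.30.41 query=www.example.com type=A",
]

if __name__ == "__main__":
    for idx, line, hits in scan_logs(SAMPLE_LOGS):
        for kind, value, ctx in hits:
            print(f"line {idx}: {kind} {value} -> {ctx}")
```

Certificate thumbprints are worth checking alongside domains and IPs: the report notes the operators put C2 behind cloud reverse proxies, so a destination IP may rotate while the TLS certificate presented by the backend stays the same.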

Read more: https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/