‘Sandman’ hackers backdoor telcos with new LuaDream malware

27 September 2023

A previously unknown threat actor dubbed 'Sandman' targets telecommunication service providers in the Middle East, Western Europe, and South Asia, using a modular info-stealing malware named 'LuaDream.'


This malicious activity was discovered in August 2023 by SentinelLabs in collaboration with QGroup GmbH, who named the threat actor and malware after the backdoor's internal name, 'DreamLand client.'


The operational style of Sandman is to keep a low profile to evade detection while performing lateral movement and maintaining long-term access to breached systems to maximize its cyberespionage operations.


A popular target


The Sandman threat actor targets telecommunication service providers in the Middle East, Western Europe, and the South Asian subcontinent.


SentinelOne says the threat actor first gains access to a corporate network using stolen administrative credentials.


Once the network is breached, Sandman has been seen using "pass-the-hash" attacks to authenticate to remote servers and services by extracting and reusing NTLM hashes stored in memory.


The SentinelLabs report explains that, in one instance, all workstations targeted by the hackers were assigned to managerial personnel, indicating the attacker's interest in privileged or confidential information.




[Figure: Geographic distribution of Sandman targets. Source: SentinelLabs]




LuaDream malware


Sandman has been seen deploying a new modular malware named 'LuaDream' in attacks, loading it on targeted systems through DLL hijacking. The malware takes its name from its use of LuaJIT, the just-in-time compiler for the Lua scripting language.


The malware is used to collect data and manage plugins that extend its functionality, which are received from the command and control server (C2) and executed locally on the compromised system.


The malware's development appears to be active, with a retrieved version string indicating the release number "12.0.2.5.23.29," and the analysts have seen signs of logs and testing functions going as far back as June 2022.


LuaDream's staging relies on a sophisticated seven-step in-memory process aiming to evade detection, initiated by either the Windows Fax or Spooler service, which runs the malicious DLL file.




[Figure: Sandman staging process. Source: SentinelLabs]




SentinelLabs reports that the timestamps of the DLL files used for DLL search order hijacking are very close to the dates of the attacks, which might indicate they were custom-built for specific intrusions.


Anti-analysis measures in the staging process include:


  • Concealing LuaDream's threads from debuggers.
  • Closing files with an invalid handle.
  • Detecting Wine-based sandbox environments.
  • In-memory mapping to dodge EDR API hooks and file-based detections.
  • Packing staging code with XOR-based encryption and compression.


LuaDream comprises 34 components, with 13 core and 21 support components, which utilize the LuaJIT bytecode and the Windows API through the ffi library.


Core components handle the malware's primary functions, like system and user data collection, plugin control, and C2 communications, while support components deal with the technical aspects, like providing Lua libs and Windows API definitions.




[Figure: The malware's main components. Source: SentinelLabs]




Upon initialization, LuaDream connects to a C2 server (via TCP, HTTPS, WebSocket, or QUIC) and sends gathered information, including malware versions, IP/MAC addresses, OS details, etc.


Due to the attackers deploying specific plugins through LuaDream in each attack, SentinelLabs doesn't have an exhaustive list of all plugins available.


However, the report notes one module named 'cmd,' whose name suggests it gives the attackers command execution capabilities on the compromised device.


While some of Sandman's custom malware and part of its C2 server infrastructure have been exposed, the threat actor's origin remains unanswered.


Sandman joins a growing list of advanced attackers targeting telecom companies for espionage, using unique stealthy backdoors that are challenging to detect and stop.


Telecommunication providers are a frequent target for espionage activities due to the sensitive nature of the data they manage.


Earlier last week, we reported on a new cluster of activity tracked as 'ShroudedSnooper' that used two novel backdoors, HTTPSnoop and PipeSnoop, against telecommunication carriers in the Middle East.



Source: bleepingcomputer.com