The notorious advanced persistent threat group Sandman APT has a cybercriminal campaign called LuaDream that targets telecommunication companies.
Based on reports, the targeted regions of this campaign are the Middle East, Western Europe, and South Asia. The campaign leverages a novel cybercriminal weapon dubbed LuaJIT, a malicious compiler that obfuscates Lua scripts.
Details of this advanced persistent threat group are still a mystery to researchers. However, their recent campaigns follow the same pattern: the utilisation of modular backdoors and covert techniques. Currently, their primary targets are telecommunication firms in various regions.
Sandman APT’s LuaDream is a backdoor that exploits the LuaJIT platform.
The Sandman APT group’s operation relies on their modular backdoor dubbed LuaDream. Reports stated that this backdoor leverages the LuaJIT platform and introduces a twist in its infection method.
LuaDream takes its time infecting its targets rather than executing immediately, which often leads to rapid detection. The malware patiently waits for a user-initiated reboot of the compromised system while masquerading as an innocuous ualapi[.]dll file loaded through the Fax and Windows Spooler services.
The Sandman campaign last month showed the group’s ingenuity through DLL hijacking. The technique hides the malicious file by making it appear to be a legitimate file with an identical name. In addition, these threat actors exploited the “pass the hash” tactic over the NTLM authentication protocol to expand their reach, targeting specific machines on the same network.
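The masquerading described above gives defenders a concrete thing to look for: the Fax or Print Spooler host process loading a DLL named ualapi.dll. The following detection logic is an added example written for this article, not code from the report or from any vendor; it assumes spoolsv.exe and fxssvc.exe are the host processes for the Spooler and Fax services, and it runs over constructed Sysmon-style image-load (Event ID 7) records serialised as JSON lines. Any load of that DLL by those hosts is reported, with extra reasons when the file is unsigned, signed by an unexpected publisher, or loaded from outside System32.

```python
"""Flag Spooler/Fax host processes loading ualapi.dll from Sysmon-style
image-load records. All sample events below are constructed for this example."""
import json
from pathlib import PureWindowsPath

# Assumed host processes for the Windows Print Spooler and Fax services
# (assumption made for this example; the article names only the services).
HOST_PROCESSES = {"spoolsv.exe", "fxssvc.exe"}
TARGET_DLL = "ualapi.dll"
SYSTEM_DIR = PureWindowsPath(r"C:\Windows\System32")

# Constructed sample: Sysmon Event ID 7 (ImageLoad) fields, one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID":7,"Image":"C:\\Windows\\System32\\spoolsv.exe","ImageLoaded":"C:\\Windows\\System32\\ualapi.dll","Signed":"false","Signature":"","SignatureStatus":"Unavailable"}
{"EventID":7,"Image":"C:\\Windows\\System32\\spoolsv.exe","ImageLoaded":"C:\\Windows\\System32\\localspl.dll","Signed":"true","Signature":"Microsoft Windows","SignatureStatus":"Valid"}
{"EventID":7,"Image":"C:\\Windows\\System32\\fxssvc.exe","ImageLoaded":"C:\\Users\\Public\\ualapi.dll","Signed":"true","Signature":"Contoso Ltd","SignatureStatus":"Valid"}
{"EventID":1,"Image":"C:\\Windows\\explorer.exe","ImageLoaded":"","Signed":"","Signature":"","SignatureStatus":""}
"""


def parse_events(text):
    """Parse JSON-lines input into a list of event dictionaries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def assess_image_load(event):
    """Return the reasons an image-load event is suspicious, or [] if it is not of interest."""
    if event.get("EventID") != 7:
        return []
    host = PureWindowsPath(event.get("Image", "")).name.lower()
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if host not in HOST_PROCESSES or loaded.name.lower() != TARGET_DLL:
        return []

    # Any load of this DLL by the Spooler/Fax host is worth a look on its own.
    reasons = [f"{host} loaded {TARGET_DLL}"]

    signed = event.get("Signed", "").lower() == "true"
    if not signed or event.get("SignatureStatus") != "Valid":
        reasons.append("DLL is unsigned or its signature is not valid")
    elif not event.get("Signature", "").startswith("Microsoft"):
        reasons.append(f"DLL signed by unexpected publisher: {event.get('Signature')}")

    # PureWindowsPath compares case-insensitively, as Windows paths do.
    if loaded.parent != SYSTEM_DIR:
        reasons.append(f"DLL loaded from outside {SYSTEM_DIR}: {loaded.parent}")
    return reasons


def find_suspicious_loads(text):
    """Run the assessment over every event and collect the hits."""
    findings = []
    for event in parse_events(text):
        reasons = assess_image_load(event)
        if reasons:
            findings.append({"host": event["Image"], "dll": event["ImageLoaded"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"[ALERT] {finding['host']} -> {finding['dll']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

On the constructed sample, the unsigned copy in System32 and the third-party-signed copy under a user-writable directory are both reported, while the legitimately signed spooler component and the unrelated process-creation event are ignored. In a real deployment the same check belongs in the SIEM rule that consumes Sysmon ImageLoad events, with the publisher check tightened to the exact certificate your fleet expects.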
Researchers closely observing the Sandman APT have discovered a meticulously orchestrated strategy marked by deliberate lateral movement to specific workstations and minimal interaction. The primary objective of this tactic is to maximise the chances of achieving the group’s goals while minimising the risk of detection.
The ongoing evolution of LuaDream poses a real threat in terms of harvesting critical system and user data. The threat actors use this staging for future targeted strikes, and the backdoor accommodates attacker-introduced plugins that enhance its capabilities.
Cyberespionage actors continue to develop new tools to execute their cybercriminal campaigns. LuaDream is the latest addition to these threats, which could allow APT groups to infect their targeted institutions.
Organisations should prioritise regular system patching, deploy advanced threat detection solutions, and provide comprehensive cybersecurity training for their employees to counteract such relentless operations.