Research Saturday 11.4.23
Ep 306 | 11.4.23

Sandman doesn't slow malware down.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Aleksandar Milenkoski: We were hunting around mostly for compromises of Windows library files. That's when we stumbled upon a Trojanized ualapi.dll file. So I would say, in a nutshell, this is kind of a logging library that is loaded by a few Windows services at startup.

Dave Bittner: Our guests today are Aleksandar Milenkoski and Juan Andrés Guerrero-Saade from SentinelOne's SentinelLabs. They're sharing their work, "Sandman APT: A Mystery Group Targeting Telcos With a LuaJIT Toolkit."

Aleksandar Milenkoski: So we noticed this and then examined the file in more detail and saw the implementation of a rather intricate, rather complex staging mechanism --

Dave Bittner: That's Aleksandar Milenkoski.

Aleksandar Milenkoski: -- that delivers the backdoor, which we named LuaDream. And this was what kicked off our deep investigation into the threat activity overall, I would say.

Dave Bittner: Juan, anything to add to that?

Juan Andrés Guerrero-Saade: Well, I have to say, you know, after Metador and Tainted Love and some of the other stuff that we've worked on recently, we have been paying a lot more attention to the telco space. As far as we can see, it looks like there are possibly four to five different advanced but not very well attributed threat actors that seem to be operating primarily in telcos around the world. And it's something that's really caught our attention. And we've been trying to get our -- you know, wrap our heads around and keep some sort of situational awareness over.

Dave Bittner: Well, let's dig in here. Why don't we start off with a description of Sandman themselves. What do we know about this organization?

Aleksandar Milenkoski: Right. When looking at the threat cluster overall, I would say that the use of -- of the backdoor LuaDream, which is a modular Lua-based backdoor, is what is really unique about the Sandman activity from our perspective, at least, the thing being that Lua-based modular backdoors like LuaDream have been observed, I would say, relatively rarely in the threat landscape. And when observed, they were rather in the context of advanced APTs, which were historically considered Western or Western-aligned. There is a rather interesting historical context on the use of Lua, which Juan has been researching in greater detail.

Dave Bittner: Juan, you want to fill us in there?

Juan Andrés Guerrero-Saade: Sure. So, basically, the subtext here that I think is never sort of plainly stated is that the combination of C++ and Lua for malware toolkits has always been considered a bit of a telltale sign of Western operations, you know, Western sort of broadly defined. But, if you think about it, right, the history of it is Flame, Flame 2, Project Sauron, Evil Bunny from Animal Farm. These are all operations that have generally been sort of considered Western-aligned, whether it's, you know, US, Israel, France, etc. So a lot of folks will look at -- you know, folks in the know will look at a new piece of malware that's C++ and Lua and immediately sort of assume that this is a case of blue on blue or some kind of -- you know, the kind of operations that you might not be particularly against, right. That is something that we've been profiling a great deal and sort of working on, a) to, like, understand sort of that history of development; but, b) because we're starting to get the sense that that is no longer the case. We understand sort of the importance of that paradigm, why it's been useful. It's actually fascinating as far as the development of the malware itself goes. But I think, more importantly, we're starting to see those techniques trickle down to other threat actors that are obviously not Western-aligned. You know, something to do with what Sandman is, they're attacking telcos in Western Europe. So, you know, we're beyond that point where we can just say, look, this is only something that our boys do or that friendly govs do, if you consider such a thing, but, rather, that we need to kind of open our aperture and accept that sort of the cat's out of the bag, and we're seeing different teams use this quite nefariously.

Dave Bittner: I can't help wondering, I mean, it's -- do you suppose this is a case of the -- imitation is the sincerest form of flattery, or could it go so far as to be intentional misdirection?

Juan Andrés Guerrero-Saade: I mean, I think there's a variety of things to consider there, right? There's -- there's imitation as a form of flattery, right? This stuff is not quite so private anymore since the threat intel space got their hands on it. As early as 2012, it's been getting recorded. There's also a technical end to it, right? I think folks who have never done C++ development or Lua don't understand why Lua is more important or more useful than any other scripting language, let's say Python. But, rather, if you pay attention to Lua, it is actually very, very special. It's a virtual -- it's running on a virtual machine that's written in C that can be compiled in a very small form factor directly into a C++ code base. And when you look at how complex some of these pieces of C++ code are and you consider that you would, in theory, have to recompile this whole thing if there's ever an error, if you ever want to inject new functionality, etc., Lua actually becomes this really valuable bridge where you can basically toss scripts into this running VM inside of an existing code base, and you can fix your malware on the fly without having to replace it, without having to recompile it. I think that's where a lot of sort of the -- the emphasis and the magic and the preference for it has come from. When you look at the new operations, though, the question is, are they imitating it? Are we looking at a Project Raven style case where the folks who knew from over here have decided to go somewhere else? Or have, you know, just other C++ development gurus decided that this is also a good way to go about solving their problems?

Dave Bittner: Well, let's dig into some of the details here. How does Sandman go about doing the things that they do? You mentioned that they -- they seem to be targeting telcos?

Aleksandar Milenkoski: Yeah. Sure. So just to circle back on Sandman, on that particular cluster, so I mentioned already the use of Lua as something that distinguishes this cluster from other activities that we've been observing recently. Other than that, in addition to deploying LuaDream, the threat actors used, say, primarily open source, [inaudible 00:07:23] to steal credentials, move laterally within the victim networks and so on. Regarding victimology, we observed the threat actor targeting familiar telcos in the Middle East, Western Europe, as JAGS mentioned, and South Asia. We, but also some industry partners, have also observed Sandman's presence in government entities. This was mostly in South Asia. So, to summarize, in a nutshell, I would say telcos and government indeed seem to be among, at this point at least, the top coveted targets of this threat actor. We're still working on some reliable attribution indicators on this threat actor. So stay tuned on that front. So it's a small teaser from our side. That being said, the locations and sectors of the victims may relate to the geopolitical interests of whatever nation state is backing or even hiring the Sandman APT.

Dave Bittner: And what -- what specifically does it seem as though they're after here?

Aleksandar Milenkoski: Right. I mean, this clearly hints at cyberespionage motivations, right: the victimology, the TTPs that we observe, the use of malware, of course, LuaDream, are very indicative of this. For example, in one instance, we observed the threat actors having been present in some environments for months and then suddenly, strategically moving to workstations of managerial personnel. Right. And, in general, coming back to the victimology in telcos, in particular, I would say that they're in general a very attractive target for cyberespionage overall, so they provide -- they provide access to things like data, of course. Like, telcos hold a lot of customer and employee private communication data as well; data on proprietary communication technologies, of course; infrastructure. So they have large infrastructures, right, often syndicated. And intrusions in telcos can also be useful for downstream compromise, in some cases, of associated organizations.

Dave Bittner: What are you all seeing in terms of their own infrastructure here, you know, things like command and control?

Aleksandar Milenkoski: Right. So, actually, this aspect was one of the more interesting things in our research, I would say. So I will just add some high-level, rather, like, at this point, we don't really place Sandman among the most sophisticated APT groups out there. So this is mostly because of the lack of clear C2 infrastructure segmentation that we observe. So I would say this is something that you just don't see among the absolute pros in the game. JAGS, of course, can add to that. But, that being said, we observed a discrepancy between the sophistication of Sandman from an operational perspective, especially regarding C2 infrastructure, and the LuaDream malware itself. So this led us to think about potentially more involvement of a third party vendor that is supplying this operational group or multiple operational groups with malware. So this is an interesting topic that we certainly plan to explore in the future.

Dave Bittner: JAGS, do you have any insights on that part of it?

Juan Andrés Guerrero-Saade: Well, it's sort of a -- it's an interestingly opaque sort of space, right? We see these different variations. When it comes to infrastructure, we see also the way that they move inside of the network. I'll say that, you know, we've been harboring some suspicions about what actors this may relate to. And part of the problem with sort of figuring out entirely new or seemingly new clusters of activity is that, you know, just the same as the attackers have developed, you have to come to this moment of questioning. Like, is this somebody we've seen before and we just don't recognize their new toolkit? Or are we dealing with an entirely new cluster of activity that we just had not caught on to before? And I think in many ways with something like Sandman it's -- it's still a bit of an open question. I think it's very difficult to diagnose or to just sort of figure out from afar if you're dealing with a mercenary group, which is sort of the more complicated end of this because you can't rely on the usual heuristics of, well, who do they attack? Where do they seem to come from? What is their language? What is their time zone? Okay. Well, that should give us enough to surmise who we may be dealing with. When it comes to somebody that's sort of potentially a commercial provider for a variety of groups, you don't get to have those sorts of simple heuristics. So it's a very complex situation where we look at this, we look at Metador, which we worked on last year. You look at publications, like things like LightBasin that other folks have been looking into. And there's this broad question of just how many folks are operating in the dedicated telco space? How much awareness do they have about how these places are set up? And how well are they doing that? They seem to be gaining quite a persistent foothold in a lot of places.

Dave Bittner: And how exactly are they getting in? What is the initial access here?

Aleksandar Milenkoski: Well, we're still analyzing available telemetry data, basically trying to determine the concrete initial intrusion vector. In general, I would say that, although we lack concrete indicators at this time, the current suspects are the usual. So we're talking about vulnerability exploitation, maybe social engineering, phishing attacks, maybe even purchasing access from initial access brokers. That's something that we relatively often see, as well.

Juan Andrés Guerrero-Saade: Part of the difficulty in this situation, the reason that I mentioned that there's a certain amount of sort of familiarity with their victim environment is, in the case of Sandman in particular, we were seeing what appeared to be them moving laterally across one of the victim networks in such a way as to avoid machines that the SentinelOne agent had been deployed to. So you can see sort of where they're trying to abuse a certain amount of, like, this sort of blind spot that comes with things that we can't help, right. If, you know, a certain enterprise is only deployed to 60% of their endpoints or 80% of their endpoints, then you do have sort of this dark matter that comes with that other side of the house that's sort of unprotected, uninspected. And when they accidentally tripped onto a machine that had our product on it, that's when Aleks latched onto it, and we started to figure out, oh, they've actually been hopping around the network very, very carefully trying to avoid us. So there's definitely a certain -- you know, there's a reason that this is such a, you know, complex endeavor, interesting endeavor. And it does go hand in hand with the fact that you're dealing with sort of a sentient enemy that is adapting to what you do just as much as we're adapting to them.

Dave Bittner: Does that imply that there's a certain amount of scouting that they're doing ahead of time?

Juan Andrés Guerrero-Saade: Absolutely. There's a -- there's a great deal of scouting.

Aleksandar Milenkoski: Which we also observed, at least on those endpoints where we had telemetry about the activities, but we definitely also saw reconnaissance activities as well, right. So this was mainly for two purposes, and the second we can only assume, right? The first was to determine what workstations they should move to, so they could deploy their backdoors. And the second one was probably involving scouting for -- for defensive mechanisms, right, including our own agent.

Dave Bittner: So what are your recommendations here? I mean, for organizations who think they may be of interest to this group, what are the best practices here to keep them out?

Aleksandar Milenkoski: So I will start relating back to the general suspect initial intrusion vectors, and JAGS will probably wrap it up. So, at this point, when we're still trying to determine the exact initial intrusion vectors, I would say protection measures against the usual suspects come to mind. This also relates to what we usually observe if we take and survey the whole threat landscape targeting telcos. So this is mostly phishing and social engineering awareness, of course, including proper examination of emails that originate from untrusted sources; vulnerability management, of course, especially on internet exposed services or devices; deployment of modern detection systems. JAGS also mentioned these characteristics of the -- characteristic of the Sandman cluster where they were hopping on workstations where our system was not present; and deployment of the system, especially on mission critical endpoints, so endpoints that store sensitive data.

Juan Andrés Guerrero-Saade: You know, there's recommendations that we can and should give for the telco space and sort of the gov space, in particular, as -- as Aleks mentioned. But I'd also like to point out that part of the pain and difficulty of seeing threat actors be successful on telcos is that the implication here is that these are enabler operations. They are meant to enable further collection downstream to other customers, to folks, you know, using phones, using internet being provided by these different, you know, telco providers. And the difficulty there is, yeah, we can talk about how a telco could defend itself better. But we also have this general concern that comes with the fact that any aspect of security or privacy that is contingent on the good defense of a telco is in many ways sort of defeated categorically by the lack of defense within some of these organizations or, you know, just by falling prey. In some ways, this happens to everybody. In particular, what I have in mind is, you know, we're talking about super advanced, very capable threat actors going into telcos and doing special things. But I think we've also -- we're also living at a time where you have actors like Lapsus$ or Star Fraud or the Com in general where I don't think anybody would put them in a high level of sophistication, but they're also proving just how porous the telco space can be. So when you're talking about giving recommendations for folks in general, I mean, the one thing that we need to desperately run away from is two factor via SMS. Anything that has to do with account verification that relies entirely on a phone number is something that -- that, you know, we just have to abandon categorically at this point and move to more robust solutions. And then we can have more interesting conversations about what's happening with espionage enabler operations against telcos.

Dave Bittner: Our thanks to Aleksandar Milenkoski and Juan Andrés Guerrero-Saade from SentinelOne's SentinelLabs for joining us. The research is titled "Sandman APT: A Mystery Group Targeting Telcos With a LuaJIT Toolkit." We'll have a link in the show notes. The CyberWire Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.