A collaborative effort from SentinelOne, PwC, and the Microsoft Threat Intelligence team has exposed interconnected tactics between the elusive Sandman advanced persistent threat (APT) and the China-based threat cluster utilizing the KEYPLUG backdoor.
Shared Networks and Coexistence of LuaDream and KEYPLUG
As initially reported by SentinelOne, the assessment uncovers a strategic alignment: LuaDream, the Lua-based malware employed by Sandman, and the KEYPLUG backdoor have been found cohabiting in the same victim networks. According to the cybersecurity researchers, this tactical convergence prompts a closer examination of the two clusters' overlapping activities.
Tracking Storm-0866 and Red Dev 40
Microsoft and PwC are actively monitoring this dynamic threat landscape under the aliases Storm-0866 and Red Dev 40, respectively.
Storm-0866, also known as Red Dev 40, signifies an emerging APT cluster targeting entities in the Middle East and South Asia, with a primary focus on telecommunication providers and government entities.
"Sandman and Storm-0866/Red Dev 40 share infrastructure control and management practices, including hosting provider selections, and domain naming conventions. The implementation of LuaDream and KEYPLUG reveals indicators of shared development practices and overlaps in functionalities and design, suggesting shared functional requirements by their operators," SentinelOne and its partners said in a report shared with The Hacker News.
A critical component of Storm-0866's arsenal is the notorious KEYPLUG backdoor. Initially disclosed by Google-owned Mandiant, KEYPLUG was linked to the China-based APT41 (aka Brass Typhoon or Barium), which was implicated in infiltrating six U.S. state government networks between May 2021 and February 2022.
Shared Development Practices of LuaDream and KEYPLUG
A comprehensive examination by the collaborating entities reveals shared development indicators, infrastructure control practices, and overlaps in functionality and design between LuaDream and KEYPLUG. This suggests common functional requirements and operational coordination between the threat actors.
Common C2 Domains and Protocols
The interconnected nature of the threats becomes evident through shared command-and-control (C2) domains such as "dan.det-ploshadka[.]com" and "ssl.e-novauto[.]com," used by both LuaDream and KEYPLUG. Furthermore, both implants support the QUIC and WebSocket protocols for C2 communications, indicating coordinated efforts and potentially shared resources.
The adoption of Lua, an uncommon programming language for malware, is a strategic move by threat actors to evade detection. This trend, observed in both nation-state-aligned and cybercrime-focused activity, reflects a deliberate effort to persist in victim environments by using less conventional languages such as Lua, DLang, and Nim.
Implications for the Chinese Threat Landscape
The intricate connections between Sandman APT, leveraging LuaDream, and the China-based adversaries wielding the KEYPLUG backdoor highlight the complexity of the Chinese threat landscape.
This shows that cyber espionage continues to evolve alongside the methods cybersecurity experts use to detect malware and other online threats. Staying vigilant and applying the most effective security practices can save organizations the time and resources otherwise spent responding to cybercriminals.