KEYPLUG Backdoor Linked to Sandman APT: Is This the Newest State-Sponsored Attack from China?

Cybersecurity researchers have found that the KEYPLUG backdoor shares development and infrastructure practices with the LuaDream malware.

A collaborative effort from SentinelOne, PwC, and the Microsoft Threat Intelligence team has exposed interconnected tactics between the elusive Sandman advanced persistent threat (APT) and the China-based threat cluster utilizing the KEYPLUG backdoor.

Shared Networks and Coexistence of LuaDream and KEYPLUG

First discovered in September 2023 by SentinelOne, KEYPLUG is closely tied to the Chinese state-sponsored hackers responsible for another threat, dubbed Sandman. (Photo: Christian Wiediger from Unsplash)

As initially reported by SentinelOne, the assessment uncovers a strategic alignment as the Lua-based malware, LuaDream, employed by Sandman, and the KEYPLUG backdoor are found cohabiting in the same victim networks. According to the cybersecurity researchers, the tactical convergence prompts a closer examination of their overlapping activities.


Tracking Storm-0866 and Red Dev 40

Microsoft and PwC are actively monitoring this dynamic threat landscape under the aliases Storm-0866 and Red Dev 40, respectively.

Storm-0866, also known as Red Dev 40, is an emerging APT cluster targeting entities in the Middle East and South Asia, with a primary focus on telecommunication providers and government entities.

"Sandman and Storm-0866/Red Dev 40 share infrastructure control and management practices, including hosting provider selections, and domain naming conventions. The implementation of LuaDream and KEYPLUG reveals indicators of shared development practices and overlaps in functionalities and design, suggesting shared functional requirements by their operators," SentinelOne and its partners said in a report shared with The Hacker News.

A critical component of Storm-0866's arsenal is the notorious KEYPLUG backdoor. Initially disclosed by Google-owned Mandiant, KEYPLUG was linked to the China-based APT41 (aka Brass Typhoon or Barium), which was implicated in infiltrating six U.S. state government networks between May 2021 and February 2022.

LuaDream and KEYPLUG's Practices

A comprehensive examination by the collaborating entities reveals shared development indicators, infrastructure control practices, and overlaps in functionalities and design between LuaDream and KEYPLUG. This suggests a commonality in functional requirements and operational coordination by the threat actors.

Common C2 Domains and Protocols

The interconnected nature of the threats becomes evident through shared command-and-control (C2) domains such as "dan.det-ploshadka[.]com" and "ssl.e-novauto[.]com," utilized by both LuaDream and KEYPLUG. Furthermore, both implants support QUIC and WebSocket protocols for C2 communications, indicating coordinated efforts and potential shared resources.
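As an added illustration that is not part of the report or this article, the following Python check shows how a defender might sweep proxy or firewall logs for the two shared C2 domains named above and flag the QUIC (UDP/443) and WebSocket channels both implants support. The log line format and the sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators quoted in the article, kept defanged as the report gives them.
SHARED_C2_DOMAINS = ["dan.det-ploshadka[.]com", "ssl.e-novauto[.]com"]


def refang(domain: str) -> str:
    """Turn a defanged indicator ("[.]") back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


WATCHLIST = {refang(d) for d in SHARED_C2_DOMAINS}

# Constructed log format (assumption): "proto src_ip dst_host dst_port [extra]".
LOG_RE = re.compile(r"^(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<port>\d+)\s*(?P<extra>.*)$")


@dataclass
class Hit:
    host: str
    reason: str


def classify(line: str) -> Optional[Hit]:
    """Return a Hit if the line talks to a watched domain, with the channel it used."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = m.group("host").lower().rstrip(".")
    # Exact host or any label beneath a watched name; unrelated siblings do not match.
    if not any(host == d or host.endswith("." + d) for d in WATCHLIST):
        return None
    proto, port, extra = m.group("proto").upper(), int(m.group("port")), m.group("extra")
    if proto == "UDP" and port == 443:
        return Hit(host, "possible QUIC C2 (UDP/443) to shared KEYPLUG/LuaDream domain")
    if "upgrade: websocket" in extra.lower():
        return Hit(host, "WebSocket upgrade to shared KEYPLUG/LuaDream domain")
    return Hit(host, "traffic to shared KEYPLUG/LuaDream domain")


def scan(lines: List[str]) -> List[Hit]:
    return [h for h in (classify(l) for l in lines) if h]


# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = [
    "UDP 10.0.0.5 dan.det-ploshadka.com 443",
    "TCP 10.0.0.7 ssl.e-novauto.com 443 Upgrade: websocket",
    "TCP 10.0.0.9 www.example.com 443 Upgrade: websocket",
    "TCP 10.0.0.5 cdn.e-novauto.com 80",
]
```

Running `scan(SAMPLE_LOG)` flags only the first two lines; the sibling host `cdn.e-novauto.com` is deliberately not matched, so widen the watchlist to the registered domain if your threat intelligence supports it.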

The adoption of Lua, an uncommon programming language, serves as a strategic move by threat actors to evade detection. This trend, observed in both nation-state aligned and cybercrime-focused activities, showcases a deliberate effort to persist in victim environments using less conventional languages like DLang and Nim.

Implications for the Chinese Threat Landscape

The intricate connections between Sandman APT, leveraging LuaDream, and the China-based adversaries wielding the KEYPLUG backdoor highlight the complexity of the Chinese threat landscape.

This shows that cyber espionage continues to evolve alongside the methods security experts use to detect malware and other online threats. Staying vigilant and following effective security practices can save you the time and resources of dealing with cybercriminals after the fact.

Joseph Henry
Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.