

December 22, 2023
Severity
High
Analysis Summary
A joint assessment by researchers reveals tactical overlaps between the advanced persistent threat (APT) group dubbed Sandman and a China-based threat cluster that uses a backdoor called KEYPLUG. It was also discovered that the adversary’s malware LuaDream and KEYPLUG coexist in the same victim networks. Microsoft tracks the activity as Storm-0866.
The report reads, “The implementation of LuaDream and KEYPLUG reveals indicators of shared development practices and overlaps in functionalities and design, suggesting shared functional requirements by their operators.”
Sandman was first discovered in September 2023 when researchers exposed details about its attacks on telecommunication services in the Middle East, South Asia, and Western Europe by utilizing a new implant called LuaDream. Meanwhile, Storm-0866 is an emerging APT cluster that mainly targets organizations in the Middle East and the South Asian subcontinent, which also includes telecommunication providers as well as government organizations.
One of the main tools that Storm-0866 uses is a backdoor called KEYPLUG, first disclosed by Google’s researchers as part of attacks launched by the China-based APT41 (aka Brass Typhoon or Barium) in a campaign that infiltrated six U.S. state government networks between May 2021 and February 2022. Earlier this March, cybersecurity analysts linked the use of KEYPLUG to a Chinese state-backed threat group tracked as RedGolf, whose activity appears to overlap with that attributed to APT41.

When the implementation and the C2 infrastructure of these malware strains were closely examined, it showed evidence of shared development, management practices, and infrastructure control as well as some close overlaps in design and functionalities that highly suggested shared functional requirements between their operators. One of the most noticeable similarities is a pair of LuaDream C2 domains being used as KEYPLUG C2. Both implants also support QUIC and WebSocket protocols for C2 communications.
The adoption of Lua fits a broader trend of threat actors increasingly using uncommon programming languages such as Nim and Dlang to evade detection, complicate analysis, and thereby remain persistent in target environments for a long time. This is evidenced by the fact that Lua-based malware has been seen in the wild only a handful of times within the past decade, in families such as Animal Farm (aka SNOWGLOBE), Flame, and Project Sauron.
Impact
- Cyber Espionage
- Exposure to Sensitive Data
Indicators of Compromise
Domain Name
- mode.encagil.com
- ssl.explorecell.com
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Implement robust network monitoring and intrusion detection systems to detect and respond to any unauthorized or suspicious activities. Regularly review logs and monitor network traffic for signs of further compromise.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that could be exploited by different types of malware.
- Strengthen supply chain security practices to prevent similar incidents in the future. Conduct thorough vetting of third-party software and applications before deployment, and establish processes for verifying the integrity of software updates and patches.
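One way to act on the “search for IOCs in your environment” step above is to run the two C2 domains from this alert against DNS resolver logs. The script below is an added example and is not Rewterz tooling; the log format (a dnsmasq-style `query[TYPE] name from ip` line, a labelled assumption) and the sample lines themselves are constructed for illustration. It normalizes names (case, trailing dot), treats subdomains of an IOC as hits, and deliberately does not match lookalike names that merely contain an IOC as a substring.

```python
"""
Match DNS query logs against the IOC domains from this alert.
Added example (not Rewterz's tooling); sample log lines are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional

# IOC domains taken from the "Indicators of Compromise" section of the alert
IOC_DOMAINS = {"mode.encagil.com", "ssl.explorecell.com"}

# Constructed sample resolver log. Assumed format: "<timestamp> query[<type>] <name> from <source-ip>"
SAMPLE_LOG = """\
2023-12-22T10:01:03Z query[A] www.example.com from 10.0.0.5
2023-12-22T10:01:07Z query[A] mode.encagil.com from 10.0.0.12
2023-12-22T10:01:09Z query[AAAA] cdn.example.net from 10.0.0.5
2023-12-22T10:02:15Z query[A] SSL.ExploreCell.com. from 10.0.0.33
2023-12-22T10:03:40Z query[A] api.ssl.explorecell.com from 10.0.0.12
2023-12-22T10:04:02Z query[A] encagil.com.evil-lookalike.test from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+query\[(?P<rtype>\w+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)$"
)


def normalize(name: str) -> str:
    """DNS names are case-insensitive; strip the trailing dot of FQDN form."""
    return name.rstrip(".").lower()


def matches_ioc(name: str, iocs: Iterable[str] = IOC_DOMAINS) -> Optional[str]:
    """Return the matching IOC for an exact match or a subdomain of an IOC, else None.

    A name that only contains the IOC as a substring (e.g. a lookalike under
    another TLD) is intentionally NOT a match.
    """
    n = normalize(name)
    for ioc in iocs:
        ioc = normalize(ioc)
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def scan(lines: Iterable[str], iocs: Iterable[str] = IOC_DOMAINS) -> List[Dict[str, str]]:
    """Parse resolver log lines and return one record per IOC hit."""
    hits: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            # Unparsable line: skipped here; production tooling should count these
            continue
        ioc = matches_ioc(m.group("name"), iocs)
        if ioc:
            hits.append({
                "ts": m.group("ts"),
                "src": m.group("src"),
                "name": normalize(m.group("name")),
                "ioc": ioc,
            })
    return hits


def affected_hosts(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct source IPs that queried an IOC, sorted for stable reporting."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['name']} (IOC: {h['ioc']})")
    print("hosts to triage:", affected_hosts(found))
```

On the constructed sample this reports three hits and two hosts to triage; the lookalike line is correctly ignored. Feed real resolver or passive-DNS exports through `scan()` after adapting `LINE_RE` to your log format, and treat any hit as a trigger for host triage rather than as proof of compromise on its own.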