Researchers Unmask Sandman APT's Hidden Link to China-Based KEYPLUG Backdoor
11.12.23 APT The Hacker News
Tactical and targeting overlaps have been discovered between the enigmatic advanced persistent threat (APT) called Sandman and a China-based threat cluster that's known to use a backdoor known as KEYPLUG.
The assessment comes jointly from SentinelOne, PwC, and the Microsoft Threat Intelligence team based on the fact that the adversary's Lua-based malware LuaDream and KEYPLUG have been determined to cohabit "in the same victim networks."
Microsoft and PwC are tracking the activity under the names Storm-0866 and Red Dev 40, respectively.
"Sandman and Storm-0866/Red Dev 40 share infrastructure control and management practices, including hosting provider selections, and domain naming conventions," the companies said in a report shared with The Hacker News.
"The implementation of LuaDream and KEYPLUG reveals indicators of shared development practices and overlaps in functionalities and design, suggesting shared functional requirements by their operators."
Sandman was first exposed by SentinelOne in September 2023, detailing its attacks on telecommunication providers in the Middle East, Western Europe, and South Asia using a novel implant codenamed LuaDream. The intrusions were recorded in August 2023.
Storm-0866/Red Dev 40, on the other hand, refers to an emerging APT cluster primarily singling out entities in the Middle East and the South Asian subcontinent, including telecommunication providers and government entities.
One of the key tools in Storm-0866's arsenal is KEYPLUG, a backdoor that was first disclosed by Google-owned Mandiant as part of attacks mounted by the China-based APT41 (aka Brass Typhoon or Barium) actor to infiltrate six U.S. state government networks between May 2021 and February 2022.
In a report published earlier this March, Recorded Future attributed the use of KEYPLUG to a Chinese state-sponsored threat activity group it's tracking as RedGolf, which it said "closely overlaps with threat activity reported under the aliases of APT41/BARIUM."
"A close examination of the implementation and C2 infrastructure of these distinct malware strains revealed indicators of shared development as well as infrastructure control and management practices, and some overlaps in functionalities and design, suggesting shared functional requirements by their operators," the companies pointed out.
One of the notable overlaps is two LuaDream C2 domains named "dan.det-ploshadka[.]com" and "ssl.e-novauto[.]com," which have also been put to use as KEYPLUG C2 servers and which have been tied to Storm-0866.
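The shared-infrastructure finding above (common C2 domains, hosting provider choices, and domain naming conventions) is the kind of evidence an analyst can reproduce from two indicator lists. The following is an added example, not code from SentinelOne, PwC, Microsoft or this article: it normalises defanged domains, then reports the domains, providers and naming-convention features two malware families have in common, with a simple Jaccard-style score. Only the two defanged LuaDream domains come from the report; the hosting-provider labels (`hoster-A` etc.) and the two `example-*` domains are constructed placeholders.

```python
"""Cross-family C2 infrastructure overlap check (added example, not the report's tooling)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    domain: str    # defanged as published, e.g. "dan.det-ploshadka[.]com"
    family: str    # malware family observed using the domain for C2
    provider: str  # hosting provider label; constructed placeholder in the sample data


def refang(domain: str) -> str:
    """Normalise a defanged domain so that set comparison is exact."""
    return domain.strip().lower().replace("[.]", ".")


def naming_features(domain: str) -> frozenset:
    """Coarse naming-convention features: the leading subdomain label and hyphen use in the SLD."""
    labels = refang(domain).split(".")
    feats = set()
    if len(labels) > 2:
        feats.add(f"sub:{labels[0]}")
    if "-" in labels[-2]:
        feats.add("hyphenated-sld")
    return frozenset(feats)


def _jaccard(x, y) -> float:
    union = set(x) | set(y)
    return len(set(x) & set(y)) / len(union) if union else 0.0


def overlap_report(a: list, b: list) -> dict:
    """Return shared domains, providers and naming features between two indicator lists."""
    doms_a = {refang(i.domain) for i in a}
    doms_b = {refang(i.domain) for i in b}
    prov_a = Counter(i.provider for i in a)
    prov_b = Counter(i.provider for i in b)
    feat_a = Counter(f for i in a for f in naming_features(i.domain))
    feat_b = Counter(f for i in b for f in naming_features(i.domain))
    # Average of three Jaccard similarities: domain reuse, provider choice, naming style.
    score = (_jaccard(doms_a, doms_b) + _jaccard(prov_a, prov_b) + _jaccard(feat_a, feat_b)) / 3
    return {
        "shared_domains": sorted(doms_a & doms_b),
        "shared_providers": sorted(set(prov_a) & set(prov_b)),
        "shared_features": sorted(set(feat_a) & set(feat_b)),
        "score": score,
    }


# Sample data: the two LuaDream domains are from the report; providers and
# the example-* domains are constructed placeholders for illustration.
LUADREAM = [
    Indicator("dan.det-ploshadka[.]com", "LuaDream", "hoster-A"),
    Indicator("ssl.e-novauto[.]com", "LuaDream", "hoster-B"),
    Indicator("cdn.example-luadream[.]net", "LuaDream", "hoster-C"),  # constructed
]
KEYPLUG = [
    Indicator("dan.det-ploshadka[.]com", "KEYPLUG", "hoster-A"),
    Indicator("ssl.e-novauto[.]com", "KEYPLUG", "hoster-B"),
    Indicator("ssl.example-keyplug[.]org", "KEYPLUG", "hoster-D"),  # constructed
]

if __name__ == "__main__":
    report = overlap_report(LUADREAM, KEYPLUG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The score is deliberately crude; its purpose is to make the three evidence types in the report (domain reuse, provider selection, naming conventions) explicit and auditable, so that an analyst can see which one drives a clustering decision rather than relying on a single shared domain.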
Another interesting commonality between LuaDream and KEYPLUG is that both the implants support QUIC and WebSocket protocols for C2 communications, indicating common requirements and the likely presence of a digital quartermaster behind the coordination.
"The order in which LuaDream and KEYPLUG evaluate the configured protocol among HTTP, TCP, WebSocket, and QUIC is the same: HTTP, TCP, WebSocket, and QUIC in that order," the researchers said. "The high-level execution flows of LuaDream and KEYPLUG are very similar."
The adoption of Lua is another sign that threat actors, both nation-state aligned and cybercrime-focused, are increasingly setting their sights on uncommon programming languages like DLang and Nim to evade detection and persist in victim environments for extended periods of time.
Lua-based malware, in particular, has been spotted only a handful of times in the wild over the past decade. This includes Flame, Animal Farm (aka SNOWGLOBE), and Project Sauron.
"There are strong overlaps in operational infrastructure, targeting, and TTPs associating the Sandman APT with China-based adversaries using the KEYPLUG backdoor, STORM-0866/Red Dev 40 in particular," the researchers said. "This highlights the complex nature of the Chinese threat landscape."