LuaDream Malware Attributed to Sandman Threat Actor

A previously unknown threat actor, tracked as Sandman, has been linked to a series of cyberattacks on telecommunications providers in the Middle East, Western Europe, and the South Asian subcontinent. Notably, the intrusions use LuaJIT, a just-in-time (JIT) compiler for the Lua programming language, to deploy a new implant called LuaDream.

According to an analysis by SentinelOne security researcher Aleksandar Milenkoski, conducted in collaboration with QGroup, the observed activity is marked by strategic lateral movement toward specific targeted workstations and minimal engagement: a deliberate approach aimed at achieving objectives while minimizing the risk of detection. The implementation of LuaDream points to a well-executed, actively developed project of considerable scope.

Sandman - a new entity on the infosec landscape

Despite diligent investigation, the campaign has not been correlated with any known threat actor or group. The available evidence, however, points to a cyber espionage adversary with a preference for the telecommunications sector across several regions. The attacks were first detected over a span of several weeks in August 2023.

Milenkoski further explained that the LuaDream staging chain is designed to evade detection and hinder analysis by loading the malware directly into memory. This is achieved by leveraging LuaJIT, the just-in-time compiler for Lua, which makes the malicious Lua script code hard to detect: what reaches the host is compiled Lua handed to the LuaJIT runtime rather than readable Lua source on disk.
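A practical consequence of that design is that defenders have to look for LuaJIT artifacts in memory rather than for Lua source files. The scanner below is an added example, not code from SentinelOne, QGroup or the LuaDream implant: it walks an arbitrary binary blob (a memory dump, a dropped file) and reports every embedded LuaJIT bytecode chunk it can parse. The only format knowledge it relies on is LuaJIT's public bytecode dump header (magic `ESC L J`, a version byte, a ULEB128 flags field and, unless the chunk is stripped, a ULEB128-prefixed chunk name); the sample dump, the chunk name `=init` and the field names in the result records are constructed for the demonstration.

```python
"""Locate embedded LuaJIT bytecode chunks in an arbitrary binary blob.

Added example for this article, not code from SentinelOne, QGroup or the
LuaDream implant. The header layout comes from LuaJIT's public bytecode
dump format (lj_bcdump.h):

    ESC 'L' 'J' <version> <flags:uleb128> [<namelen:uleb128> <chunkname>]

version 0x01 is written by LuaJIT 2.0, 0x02 by LuaJIT 2.1; flags bit
0x01 = big-endian, 0x02 = stripped (debug info and chunkname omitted),
0x04 = chunk uses the FFI library.
"""
import sys

MAGIC = b"\x1bLJ"
KNOWN_VERSIONS = {0x01: "2.0", 0x02: "2.1"}
F_BE, F_STRIP, F_FFI = 0x01, 0x02, 0x04


def read_uleb128(buf, pos):
    """Decode an unsigned LEB128 value at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 28:
            raise ValueError("truncated or oversized uleb128")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def parse_header(buf, off):
    """Parse the LuaJIT dump header at buf[off]; raise ValueError if it is not one."""
    if buf[off:off + 3] != MAGIC or off + 4 > len(buf):
        raise ValueError("no LuaJIT magic at offset")
    version = buf[off + 3]
    if version not in KNOWN_VERSIONS:
        raise ValueError("unknown bytecode version %#x" % version)
    flags, pos = read_uleb128(buf, off + 4)
    chunkname = None
    if not flags & F_STRIP:
        namelen, pos = read_uleb128(buf, pos)
        if pos + namelen > len(buf):
            raise ValueError("chunkname runs past end of buffer")
        chunkname = buf[pos:pos + namelen].decode("utf-8", errors="replace")
    return {
        "offset": off,
        "version": KNOWN_VERSIONS[version],
        "big_endian": bool(flags & F_BE),
        "stripped": bool(flags & F_STRIP),
        "uses_ffi": bool(flags & F_FFI),
        "chunkname": chunkname,
    }


def find_luajit_chunks(blob):
    """Return a header record for every plausible LuaJIT bytecode chunk in blob."""
    hits, pos = [], 0
    while True:
        off = blob.find(MAGIC, pos)
        if off < 0:
            return hits
        try:
            hits.append(parse_header(blob, off))
        except ValueError:
            pass  # magic bytes by coincidence, or a damaged header: skip it
        pos = off + len(MAGIC)


# Constructed sample "memory dump": padding, an unstripped 2.1 chunk named
# "=init", junk, a stripped 2.1 chunk, then a bogus header with version 0x09
# that must be rejected.
SAMPLE_DUMP = (
    b"\x00" * 16
    + MAGIC + b"\x02" + b"\x00" + b"\x05" + b"=init"
    + b"\x00junk\x00"
    + MAGIC + b"\x02" + b"\x02"
    + b"\xff" * 4
    + MAGIC + b"\x09" + b"\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for hit in find_luajit_chunks(data):
        print("LuaJIT %(version)s chunk at 0x%(offset)x stripped=%(stripped)s "
              "ffi=%(uses_ffi)s name=%(chunkname)r" % hit)
```

Run it against a process memory snapshot rather than the files on disk: a stager that keeps its payload encrypted until the moment it is passed to the LuaJIT loader leaves nothing for this scan to find in the file system, and it also finds nothing if the loader is fed plain Lua source, which LuaJIT compiles at load time and which carries no dump header at all. Treat a hit as a triage lead (an unexpected LuaJIT chunk inside a process that has no business embedding Lua), not as proof of LuaDream.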

String artifacts in the implant's source code dating back to June 3, 2022 suggest that preparatory work on LuaDream has been under way for over a year.

LuaDream is suspected to be a variant of a newly identified malware strain referred to as DreamLand, which, according to security researchers, likewise uses the Lua scripting language together with its just-in-time compiler to run malicious code that is difficult to detect.

October 5, 2023