The emergence of the Sandman Advanced Persistent Threat (APT) marks a significant shift in the landscape of cyber espionage. A recent analysis by SentinelLabs, in collaboration with Microsoft and PwC, sheds light on this threat, revealing its links to suspected China-based adversaries and their adoption of sophisticated cyber tools.
The Sandman APT's Connection to China-Based Threat Clusters
The Sandman APT is closely associated with known China-based threat clusters, particularly those using the KEYPLUG backdoor. This connection was jointly presented by PwC and Microsoft at Labscon 2023, identifying the cluster as STORM-0866/Red Dev 40. The Sandman's use of Lua-based malware, LuaDream, alongside the KEYPLUG backdoor, and their co-existence in the same victim environments, points to a shared origin or collaboration between these groups. Additionally, both Sandman and STORM-0866/Red Dev 40 exhibit similar infrastructure control and management practices, including choices of hosting providers and domain naming conventions.
Targeting Patterns and Operational Similarities
The targeting patterns of the Sandman APT and STORM-0866/Red Dev 40 reveal a focus on entities in the Middle East and the South Asian subcontinent, including telecommunication providers and government entities. This alignment in victimology underscores the broader collaboration and coordination within the China-based threat landscape. Such cooperation is further evidenced by shared operational practices and the use of cloud-based reverse proxy infrastructure for C2 (Command and Control) servers, which enhances operational security by concealing the true hosting locations of these servers.
Sandman and STORM-0866/Red Dev 40 Infrastructure Analysis
A detailed analysis of the Sandman and STORM-0866/Red Dev 40 infrastructure reveals the use of overlapping SSL certificates across various domains and IP addresses. This includes the use of certificates for both the LuaDream C2 domain and domains associated with KEYPLUG C2 servers. Such overlap in infrastructure, particularly in SSL certificate usage, indicates a strong likelihood of collaboration or shared resources between these two APT clusters.
LuaDream and KEYPLUG: Distinct Yet Related Malware Strains
While LuaDream and KEYPLUG are distinct malware strains, with KEYPLUG implemented in C++ and LuaDream primarily in Lua, there are indicators of shared development practices. These include overlaps in functionalities and design, suggesting that the operators of these malware strains have shared functional requirements. Both strains support multiple protocols for C2 communication, including HTTP, TCP, WebSocket, and QUIC, and exhibit similar execution flows and data management processes. These similarities point to a potential shared development background, which is not uncommon in the Chinese malware landscape.
Concluding Thoughts: The Evolving Chinese Threat Landscape
The emergence of the Sandman APT and its association with the KEYPLUG backdoor and STORM-0866/Red Dev 40 is a stark reminder of the complex and evolving nature of the Chinese threat landscape. The adoption of Lua, a development paradigm historically linked to Western or Western-aligned actors, by China-based adversaries highlights their ongoing efforts to enhance the functionality, flexibility, and stealthiness of their malware. This development stresses the need for continuous collaboration and information sharing within the threat intelligence community to effectively navigate and counter these evolving threats.