Cyber Defense Advisors

Researchers Unmask Sandman APT’s Hidden Link to China-Based KEYPLUG Backdoor

Tactical and targeting overlaps have been discovered between the enigmatic advanced persistent threat (APT) called Sandman and a China-based threat cluster that’s known to use a backdoor referred to as KEYPLUG.

The assessment comes jointly from SentinelOne, PwC, and the Microsoft Threat Intelligence team based on the fact that the adversary’s Lua-based malware LuaDream and KEYPLUG have been determined to cohabit in the same victim networks.

Microsoft and PwC are tracking the activity under the names Storm-0866 and Red Dev 40, respectively.

“Sandman and Storm-0866/Red Dev 40 share infrastructure control and management practices, including hosting provider selections, and domain naming conventions,” the companies said in a report shared with The Hacker News.

“The implementation of LuaDream and KEYPLUG reveals indicators of shared development practices and overlaps in functionalities and design, suggesting shared functional requirements by their operators.”


Sandman was first exposed by SentinelOne in September 2023, detailing its attacks on telecommunication providers in the Middle East, Western Europe, and South Asia using a novel implant codenamed LuaDream. The intrusions were recorded in August 2023.

Storm-0866/Red Dev 40, on the other hand, refers to an emerging APT cluster primarily singling out entities in the Middle East and the South Asian subcontinent, including telecommunication providers and government entities.

One of the key tools in Storm-0866’s arsenal is KEYPLUG, a backdoor that was first disclosed by Google-owned Mandiant as part of attacks mounted by the China-based APT41 (aka Brass Typhoon or Barium) actor to infiltrate six U.S. state government networks between May 2021 and February 2022.

In a report published earlier this March, Recorded Future attributed the use of KEYPLUG to a Chinese state-sponsored threat activity group it’s tracking as RedGolf, which it said “closely overlaps with threat activity reported under the aliases of APT41/Barium.”

“A close examination of the implementation and C2 infrastructure of these distinct malware strains revealed indicators of shared development as well as infrastructure control and management practices, and some overlaps in functionalities and design, suggesting shared functional requirements by their operators,” the companies pointed out.

One of the notable overlaps is a pair of LuaDream C2 domains, “dan.det-ploshadka[.]com” and “ssl.e-novauto[.]com,” which have also been used as KEYPLUG C2 servers and have been tied to Storm-0866.

Another interesting commonality between LuaDream and KEYPLUG is that both implants have similar high-level execution flows and support the QUIC and WebSocket protocols for C2 communications. Both also evaluate the configured C2 protocol in the same order: HTTP, TCP, WebSocket, and then QUIC.

These functional correlations point to shared requirements by the backdoors’ operators and the likely presence of a digital quartermaster behind the coordination.

“We did not observe concrete technical indicators confirming the involvement of a shared vendor or digital quartermaster in the case of LuaDream and KEYPLUG,” Aleksandar Milenkoski, senior threat researcher at SentinelLabs, told The Hacker News.

“However, given the observed indicators of shared development practices, and overlaps in functionalities and design, we do not exclude that possibility. Noteworthy is the prevalence of similar cases within the Chinese threat landscape, indicating there could be established internal and/or external channels for supplying malware to operational teams.”

The adoption of Lua is another sign that threat actors, both nation-state aligned and cybercrime-focused, are increasingly turning to uncommon programming languages such as DLang and Nim to evade detection and persist in victim environments for extended periods of time.

Lua-based malware, in particular, has been spotted only a handful of times in the wild over the past decade. This includes Flame, Animal Farm (aka SNOWGLOBE), and Project Sauron.

“There are strong overlaps in operational infrastructure, targeting, and TTPs associating the Sandman APT with China-based adversaries using the KEYPLUG backdoor, Storm-0866/Red Dev 40 in particular,” the researchers said. “This highlights the complex nature of the Chinese threat landscape.”
