Freely subscribe to our NEWSLETTER

Key findings:
• The Sandman APT is likely associated with suspected China-based threat clusters known to use the KEYPLUG backdoor, in particular a cluster jointly presented by PwC and Microsoft at Labscon 2023 – STORM-0866/Red Dev 40
• The Sandman’s Lua-based malware LuaDream and the KEYPLUG backdoor were observed co-existing in the same victim environments
• Sandman and STORM-0866/Red Dev 40 share infrastructure control and management practices, including hosting provider selections, and domain naming conventions
• The implementation of LuaDream and KEYPLUG reveals indicators of shared development practices and overlaps in functionalities and design, suggesting shared functional requirements by their operators
• The use of the Lua development paradigm in the cyberespionage domain, historically associated with actors considered Western or Western-aligned, is likely being adopted by a broader range of adversaries, including those with ties to China

Microsoft and PwC have subsequently identified at least three other developing clusters involving KEYPLUG, including STORM-0866/Red Dev 40. Their research, making the case that KEYPLUG is likely shared among multiple suspected China-based groups, was presented at LabsCon 2023. They distinguish STORM-0866/Red Dev 40 from the other clusters based on specific malware characteristics, such as unique encryption keys for KEYPLUG C2 communication, and a higher sense of operational security, such as relying on Cloud-based reverse proxy infrastructure for hiding the true hosting locations of their C2 servers.
SentinelLabs and Microsoft have observed Sandman’s LuaDream and KEYPLUG implants cohabiting in the same victim environments, some of which are on the same endpoints. LuaDream is a maintained modular backdoor based on LuaJIT, with version 11.0.2.1.23.1 observed in March 2023 and version 12.0.2.5.23.29 observed in August 2023. In one instance, the KEYPLUG malware had been deployed approximately 3 months prior to LuaDream (in May 2023). LuaDream and KEYPLUG were active at the same time over approximately 2 weeks until both threats were remediated. During this time period, SentinelLabs did not observe any contestation or deconfliction activities by the LuaDream or KEYPLUG operators.
A close examination of the implementation and C2 infrastructure of these distinct malware strains revealed indicators of shared development as well as infrastructure control and management practices, and some overlaps in functionalities and design, suggesting shared functional requirements by their operators.
Conclusion
The findings presented by SentinelLabs are yet another showcase of the complex nature of the China-based threat landscape. As exemplified by Sandman and STORM-0866/Red Dev 40, this landscape is marked by substantial cooperation and coordination among its constituent threat groups, along with the possibility of third-party vendors supplying the operational teams with tooling. This makes accurate clustering challenging. Therefore, while acknowledging the association of Sandman with the suspected China-based adversaries using KEYPLUG, SentinelLabs continues to track Sandman as a distinct cluster until further conclusive information suggesting otherwise becomes available.
Lua-based modular backdoors, such as LuaDream, have been observed relatively rarely and often in the context of espionage-motivated APTs historically considered Western or Western-aligned. These Sandman findings indicate that the Lua development paradigm is being adopted by a broader set of cyberespionage threat actors for the modularity, portability, and simplicity that the Lua scripting language offers.