Following this assessment, SentinelOne, PwC, and Microsoft Threat Intelligence have been working together on this since they have determined that the adversary's Lua-based malware, LuaDream, and the KEYPLUG have both been found to cohabit in the victim network alongside each other.
Microsoft, SentinelLabs and PwC have collectively alerted consumers and businesses to the fact that threat actors who were allegedly linked to Chinese cybercriminals have deployed an advanced persistent threat referred to as Sandman to infiltrate IT environments with malware.
An expert at SentinelOne, Aleksandar Milenkoski, said that Sandman has now been linked to STORM-0866/Red Dev 40, a threat actor aligned with the Chinese government's national interests, meaning that STORM-0866/Red Dev 40 targets Chinese companies.
Following a series of cyberattacks carried out on telcos across the Middle East, Western Europe, and South Asia, Sandman was first identified in August.
On the other hand, Storm-0866/Red Dev 40 refers to a cluster of APTs primarily targeting entities located in the Middle East and South Asia, such as telecommunication providers and government agencies, that represent an emerging APT network.
Storm-0866 has several powerful tools at his disposal, one of which is KEYPLUG. This backdoor was first exposed by Google-owned Mandiant in the context of attacks conducted by the Chinese-based APT41 actor between May 2021 and February 2022 in which he infiltrated six state government systems.
As part of its report, Mandiant informed the public that they first discovered the Keyplug backdoor in March 2022, which was used by a known Chinese group, APT41.
Microsoft and PwC teams discovered that the Keyplug backdoor was passed around to multiple other Chinese-based threat groups, according to the report.
Researchers believe that the new obfuscation tools provided by Keyplug malware give the group a new advantage compared to previous versions.
According to the researchers, when they analyzed both the C2 configuration and the LuaDream and Keyplug malware strains, the overlaps were overwhelming, which can be interpreted as suggesting that their operators were seeking similar functional requirements.
To grow, and effectively collaborate between the increasing number of Chinese APT groups, the report concluded, cyber security community members must share similar knowledge.
There is a great deal of certainty that the constituent threat actors will continue to cooperate and coordinate, exploring new ways to enhance the functionality, flexibility, and stealthiness of their malware to further enhance the threat actors' threat.
An influential example of how this can be applied is the adoption by developers of the Lua development paradigm.
Overcoming the threat landscape requires a constant flow of information sharing between members of the threat intelligence research community.
A few instances of espionage-motivated APTs historically considered Western or Western-aligned have been associated with Lua-based modular backdoors, such as LuaDream.
This has proven to be a very rare occurrence and is often associated with APTs that are espionage-motivated.
In our research on Sandman, we found that a broader set of cyberespionage threat actors are utilizing the Lua development paradigm because of its modularity, portability, and simplicity.
This Cyber News was published on www.cysecurity.news. Publication date: Thu, 14 Dec 2023 13:13:20 +0000