Researchers Uncover Hidden Link to China-Based KEYPLUG Backdoor Sandman APT

December 11, 2023NewsroomThreat Intelligence / Cyber ​​Attack

Discovered the tactics and targeting between the enigmatic advanced persistent threat (APT) called Sandman and a China-based threat cluster known to use the backdoor known as KEYPLUG.

The assessment came jointly from SentinelOne, PwC, and the Microsoft Threat Intelligence team based on the fact that the enemy’s Lua-based malware LuaDream and KEYPLUG are determined to reside “in the same networks as the victim.

Microsoft and PwC tracked the activity under the names Storm-0866 and Red Dev 40, respectively.

“Sandman and Storm-0866/Red Dev 40 share control over infrastructure and management practices, including host provider choices, and domain naming conventions, the companies SAYS in a report shared by The Hacker News.

“The LuaDream and KEYPLUG implementations reveal signs of shared development practices and overlap in functionality and design, suggesting shared functional requirements for their operators.”


Cracking the Code: Learn How Cyber ​​Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join now

Sandman was first exposed by SentinelOne in September 2023, detailing its attacks on telecommunication providers in the Middle East, Western Europe, and South Asia using a novel implant codenamed LuaDream. The intrusions were recorded in August 2023.

Storm-0866/Red Dev 40, on the other hand, refers to an emerging APT cluster that primarily targets entities in the Middle East and the South Asian subcontinent, including telecommunication providers and government entities.

One of the key tools in Storm-0866’s arsenal is KEYPLUG, a backdoor first exposed by Google-owned Mandiant as part of attacks mounted by actor APT41 (aka Brass Typhoon or Barium) based in China to infiltrate six US state government networks. between May 2021 and February 2022.

In a report published earlier this March, Recorded Future said the use of KEYPLUG by a Chinese state-sponsored threat activity group it tracked as RedGolf, which it said “closely overlaps of threat activity reported under the aliases of APT41 / BARIUM.”

“A close examination of C2’s implementation and infrastructure of these distinct malware strains revealed signs of shared development as well as control infrastructure and management practices, and some overlapping functionality and design, suggesting the shared functional requirements of their operators,” the companies pointed out. .

One of the notable overlaps are two LuaDream C2 domains named “dan.det-ploshadka(.)com” and “ssl.e-novauto(.)com,” which are also used as KEYPLUG C2 servers and to which Storm is tied -0866.

Another interesting commonality between LuaDream and KEYPLUG is that the implants support QUIC and WebSocket protocols for C2 communications, indicating common requirements and the likely presence of a digital quartermaster behind the coordination. .


“The order in which LuaDream and KEYPLUG evaluate the configured protocol of HTTP, TCP, WebSocket, and QUIC is the same: HTTP, TCP, WebSocket, and QUIC in that order,” the researchers said. “The high-level implementation of LuaDream and KEYPLUG processes is very similar.”

The adoption of Lua is another sign that threat actors, both aligned with the nation-state and focused on cybercrime, are increasingly turning their sights on unusual programming languages ​​such as DLang and Nim to avoid detection and to keep the victim around for long periods of time.

Lua-based malware, in particular, has only been found a few times in the wild in the last decade. These include Flame, Animal Farm (aka SNOWGLOBE), and Project Sauron.

“There is strong overlap in the operational infrastructure, targeting, and TTPs associated with the Sandman APT with China-based adversaries using the KEYPLUG backdoor, specifically STORM-0866 / Red Dev 40,” said researchers. “It highlights the complex nature of China’s threat landscape.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment