SentinelLabs has observed a new cluster of threat activity by an unknown threat actor they have dubbed Sandman. Sandman primarily targets telecommunications providers in the Middle East, Western Europe and the South Asian subcontinent.
The activities are characterized by strategic lateral movements and minimal engagements, presumably to minimize the risk of detection.
Sandman has deployed a new modular backdoor using the LuaJIT platform, which is relatively rare in the threat landscape. They refer to this malware as LuaDream. Possible IOCs:
SHA1 > File name
|1cd0a3dd6354a3d4a29226f5580f8a51ec3837d4 |fax.dat|
|27894955aaf082a606337ebe29d263263be52154 |fax.Application|
|5302c39764922f17e4bc14f589fa45408f8a5089 |ualapi.dll|
|77e00e3067f23df10196412f231e80cec41c5253 |fax.cache|
|b9ea189e2420a29978e4dc73d8d2fd801f6a0db2 |UpdateCheck.dll|
|fb1c6a23e8e0693194a365619b388b09155c2183 |updater.ver|
|ff2802cdbc40d2ef3585357b7e6947d42b875884 |fax.module|
LuaDream Folder File paths
%ProgramData%\FaxConfig
%ProgramData%\FaxLib
C2 Server Domains
mode.encagil[.]com
ssl.explorecell[.]com
Does InsightIDR have a detection rule for this or how to write a Rule considering the above IOCs?