CERT-In issues alert against new info-stealing malware
India’s CERT-In has issued an alert for a newly surfaced info-stealing malware named LuaDream. The malware is used by a previously unknown threat actor tracked as Sandman, and collects system and user data, including IP addresses and OS information.
The malware targets the telecommunications sector in several regions, including the Middle East, Western Europe and South Asia. CERT-In describes the risk as significant: data stolen from a compromised network can be used to stage further attacks.
CERT-In shared in a blog post that LuaDream is a multi-component backdoor with the ability to manage plugins, exfiltrate system data and steal user data over multiple protocols. Sandman keeps a low profile to evade detection while moving laterally through breached networks, extending the reach of its cyberespionage operations.
SentinelLabs said in a blog post that the threat actor first gains access to a corporate network using stolen administrative credentials, then authenticates to remote servers and services with “pass-the-hash” attacks: NTLM password hashes are extracted from memory on an already compromised host and reused directly in NTLM authentication, so the cleartext password is never needed.
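Because a replayed NTLM hash produces a perfectly valid logon, the defender's signal is behavioural rather than a failed authentication. The following Python is an added example, not code from CERT-In, SentinelLabs or the LuaDream analysis, and the 4624 records it inspects are constructed for illustration. It applies two heuristics that a practitioner would typically run over Windows Security logs: a "NewCredentials" logon (type 9) through the seclogo logon process on the source host, which is how hash injection tools commonly appear, and an NTLM network logon (type 3) fan-out where one account authenticates from one source address to several hosts within a short window. Field names, thresholds and the privileged-account list are assumptions for this example.

```python
"""Heuristics for pass-the-hash style lateral movement over Windows Security
event 4624 (successful logon) records.  Added example; the events are
constructed, not real telemetry, and the field names are an assumption about
how the raw XML has already been parsed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4624 events reduced to the fields the heuristics use.
SAMPLE_EVENTS = [
    # routine service-account activity over NTLM (benign baseline)
    {"time": "2023-09-21T10:00:05", "host": "FS01", "user": "svc_backup", "src_ip": "10.0.5.23",
     "logon_type": 3, "auth_pkg": "NTLM", "logon_proc": "NtLmSsp"},
    # hash injection on the attacker's foothold WS17: shows up as logon type 9
    # ("NewCredentials") created through the seclogo logon process
    {"time": "2023-09-21T10:14:50", "host": "WS17", "user": "jdoe", "src_ip": "127.0.0.1",
     "logon_type": 9, "auth_pkg": "Negotiate", "logon_proc": "seclogo"},
    # the stolen admin hash is then replayed over NTLM against several servers
    {"time": "2023-09-21T10:15:00", "host": "FS01", "user": "administrator", "src_ip": "10.0.9.41",
     "logon_type": 3, "auth_pkg": "NTLM", "logon_proc": "NtLmSsp"},
    {"time": "2023-09-21T10:15:30", "host": "DC01", "user": "administrator", "src_ip": "10.0.9.41",
     "logon_type": 3, "auth_pkg": "NTLM", "logon_proc": "NtLmSsp"},
    {"time": "2023-09-21T10:16:10", "host": "SQL02", "user": "administrator", "src_ip": "10.0.9.41",
     "logon_type": 3, "auth_pkg": "NTLM", "logon_proc": "NtLmSsp"},
    {"time": "2023-09-21T10:17:05", "host": "WEB03", "user": "administrator", "src_ip": "10.0.9.41",
     "logon_type": 3, "auth_pkg": "NTLM", "logon_proc": "NtLmSsp"},
    # a Kerberos logon from the same workstation: not NTLM, so not counted
    {"time": "2023-09-21T10:18:00", "host": "DC01", "user": "jdoe", "src_ip": "10.0.9.41",
     "logon_type": 3, "auth_pkg": "Kerberos", "logon_proc": "Kerberos"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_pth_source_logons(events):
    """Flag 4624 events that look like a hash being injected into a fresh logon
    session on the source host: logon type 9 (NewCredentials) created by the
    'seclogo' logon process with the Negotiate package.  Returns
    (host, user, time) tuples."""
    return [
        (e["host"], e["user"], e["time"])
        for e in events
        if e["logon_type"] == 9
        and e["logon_proc"].lower() == "seclogo"
        and e["auth_pkg"].lower() == "negotiate"
    ]


def find_ntlm_fanout(events, window=timedelta(minutes=10), threshold=3, privileged=None):
    """Flag an account that authenticates over NTLM (network logon, type 3)
    from one source address to at least `threshold` distinct hosts inside
    `window`.  If `privileged` (a set of lower-case names) is given, only those
    accounts are considered.  Returns one alert dict per (user, source)."""
    by_key = defaultdict(list)
    for e in events:
        if e["logon_type"] != 3 or e["auth_pkg"].upper() != "NTLM":
            continue
        if privileged is not None and e["user"].lower() not in privileged:
            continue
        by_key[(e["user"], e["src_ip"])].append(e)

    alerts = []
    for (user, src_ip), evs in by_key.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            # sliding window starting at each event; count distinct targets
            hosts = {x["host"] for x in evs[i:] if _ts(x) - _ts(first) <= window}
            if len(hosts) >= threshold:
                alerts.append({"user": user, "src_ip": src_ip,
                               "first_seen": first["time"], "hosts": sorted(hosts)})
                break  # one alert per (user, source) is enough
    return alerts


if __name__ == "__main__":
    for hit in find_pth_source_logons(SAMPLE_EVENTS):
        print("possible hash injection on source host:", hit)
    for alert in find_ntlm_fanout(SAMPLE_EVENTS, privileged={"administrator", "svc_backup"}):
        print("NTLM lateral-movement fan-out:", alert)
```

On the constructed sample the first heuristic flags the type 9 logon on WS17 and the second flags the administrator account reaching four servers over NTLM from 10.0.9.41 inside ten minutes, while the routine service-account logon and the Kerberos logon are ignored. In a real estate both heuristics need tuning against a baseline: scheduled jobs and scanners legitimately fan out over NTLM, so the threshold and the privileged-account list should come from the environment, not from this example.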
Threat actors commonly use malware to steal administrative credentials and gain access to the target organisation's network. From there, Sandman collects data and manages plugins for execution on the compromised systems; the plugins reportedly give the operators the ability to execute commands on the compromised device, which opens up a range of further adverse outcomes.