Rare malware used to target telcos across three continents

News
By Sead Fadilpašić
published

It's not every day you see malware written in Lua

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

A rare piece of malware has been observed targeting telecommunications providers across three continents. 

Cybersecurity researchers from SentinelOne recently discovered a novel malware, dubbed LuaDream, on infrastructure belonging to telcos in the Middle East, Western Europe, and the South Asian subcontinent.

What makes this malware unique is that it leverages a just-in-time (JIT) compiler for the Lua programming language, dubbed LuaJIT. Lua is not exactly a popular choice among hackers, with malware written in this language only observed three times in the past ten years, The Hacker News reports. That includes Flame, Animal Farm (AKA SNOWGLOBE), and Project Sauron. 

Advanced threat actors

LuaDream is a modular, multi-protocol backdoor, containing 13 core and 21 support components, the researchers further explained. Its main goal is to steal system and user information and run additional plugins - including command execution.

Considering the victim organizations, the endpoints on which the malware had been found, the rare choice of programming language, and the type of data LuaDream looks to exfiltrate, the researchers speculate that the work is a “well-executed, maintained, and actively developed project of a considerable scale.” The attackers, who are unknown at the time, have gone to considerable lengths to stay out of sight, it was said. 

The malware was detected in August 2023, but the source code references a June 2022 date, leading the researchers to believe the malware was being prepared for more than a year. 

When it comes to the identity of the attackers, while inconclusive, some evidence points to Chinese actors. A separate SentinelOne report discusses “strategic” Chinese intrusions in Africa, some of which were against telecommunications providers. These were part of activity clusters named Backdoor Diplomacy, Earth Estries, and Operation Tainted Love. The latter - Operation Tainted Love - allegedly shares the same threat actor with LuaDream activity. 

"Targeted intrusions by the BackdoorDiplomacy APT and the threat group orchestrating Operation Tainted Love indicate a level intention directed at supporting [China in its efforts to] shape policies and narratives aligned with its geostrategic ambitions, establishing itself as a pivotal and defining force in Africa's digital evolution," security researcher Tom Hegel said.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.