An unnamed European Ministry of Foreign Affairs (MFA) and its three diplomatic missions in the Middle East have been targeted by two previously undocumented backdoors tracked as LunarWeb and LunarMail.
ESET, which identified the activity, attributed it with medium confidence to the Russia-aligned cyberespionage group Turla (aka Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, and Venomous Bear), citing tactical overlaps with prior campaigns identified as orchestrated by the group.
“LunarWeb, deployed on servers, uses HTTP(S) for its C&C [command-and-control] communications and mimics legitimate requests, while LunarMail, deployed on workstations, is persisted as an Outlook add-in and uses email messages for its C&C communications,” security researcher Filip Jurčacko said.
An analysis of the Lunar artifacts shows that they could have been used in targeted attacks since early 2020, or even earlier.
Turla, assessed to be affiliated with Russia's Federal Security Service (FSB), is an advanced persistent threat (APT) that is known to have been active since at least 1996. It has a track record of targeting a wide range of industries spanning government, embassies, military, education, research, and pharmaceutical sectors.
Earlier this year, the cyber espionage group was discovered attacking Polish organizations to distribute a backdoor named TinyTurla-NG (TTNG).
“The Turla group is a persistent adversary with a long history of activities,” Trend Micro noted in an analysis of the threat actor's evolving toolset. “Their origins, tactics, and targets all indicate a well-funded operation with highly skilled operatives.”
The exact intrusion vector used to breach the MFA is currently unknown, although it is suspected that it may have involved an element of spear-phishing and the exploitation of misconfigured Zabbix software.
The starting point of the attack chain pieced together by ESET commences with a compiled version of an ASP.NET web page that is used as a conduit to decode two embedded blobs, which include a loader, codenamed LunarLoader, and the LunarWeb backdoor.
Specifically, when the page is requested, it expects a password in a cookie named SMSKey that, if provided, is used to derive a cryptographic key for decrypting the next-stage payloads.
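One defensive use of the detail above is to hunt web server logs for requests that carry the SMSKey cookie. The following is an added example, not code from the article or from ESET; it assumes IIS W3C extended logging with the cs(Cookie) field enabled (it is off by default), and the log excerpt is constructed sample data, not real telemetry.

```python
# Added example (not from the article or ESET): flag IIS W3C log records whose
# Cookie header includes the SMSKey cookie the LunarWeb staging page expects.
from typing import Iterator

COOKIE_OF_INTEREST = "SMSKey"  # cookie name reported in the article

# Constructed sample log excerpt in W3C extended format (not real telemetry).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(Cookie) sc-status
2024-05-01 10:00:01 10.0.0.5 GET /index.html - 203.0.113.7 ASP.NET_SessionId=abc123 200
2024-05-01 10:00:09 10.0.0.5 GET /status.aspx - 198.51.100.2 SMSKey=REDACTED;+ASP.NET_SessionId=def456 200
2024-05-01 10:00:15 10.0.0.5 POST /login.aspx - 203.0.113.7 - 302
"""


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per record, keyed by the names in the most recent #Fields line."""
    fields: list = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field layout can change mid-file
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record; skip rather than misalign fields
        yield dict(zip(fields, values))


def cookie_names(raw: str) -> set:
    """Extract cookie names; IIS writes spaces as '+' and an empty field as '-'."""
    if raw == "-":
        return set()
    parts = raw.replace("+", " ").split(";")
    return {p.split("=", 1)[0].strip() for p in parts if p.strip()}


def find_smskey_requests(text: str) -> list:
    """Return (client_ip, uri) for every record whose cookies include SMSKey."""
    hits = []
    for rec in parse_w3c(text):
        if COOKIE_OF_INTEREST in cookie_names(rec.get("cs(Cookie)", "-")):
            hits.append((rec["c-ip"], rec["cs-uri-stem"]))
    return hits
```

A hit only shows that a request carried that cookie name; confirm by examining the served page itself before treating the host as compromised.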
“The attacker already had network access, used stolen credentials for lateral movement, and took careful steps to compromise the server without raising suspicion,” Jurčacko noted.
LunarMail, on the other hand, is propagated by a malicious Microsoft Word document sent via a spear-phishing email, which, in turn, packs LunarLoader and the backdoor.
LunarWeb is equipped to gather system information and parse commands within JPG and GIF image files sent from the C&C server, following which the results are exfiltrated back in a compressed and encrypted format. It further attempts to blend in by masquerading its network traffic as legitimate-looking (e.g., Windows update).
The C&C instructions allow the backdoor to run shell and PowerShell commands, execute Lua code, read/write files, and archive specified paths. The second implant, LunarMail, supports similar capabilities, but notably piggybacks on Outlook and uses email for communication with its C&C server by looking for certain messages with PNG attachments.
Some of the other commands specific to LunarMail include the ability to set an Outlook profile to use for C&C, create arbitrary processes, and take screenshots. The execution outputs are then embedded in a PNG image or PDF document prior to exfiltrating them as attachments in emails to an attacker-controlled inbox.
“This backdoor is designed to be deployed on user workstations, not servers — because it is persisted and intended to run as an Outlook add-in,” Jurčacko said. “LunarMail shares concepts of its operation with LightNeuron, another Turla backdoor that uses email messages for C&C purposes.”