- ESET Research discovered two previously unknown backdoors —
which we named LunarWeb and LunarMail — compromising a European
ministry of foreign affairs and its diplomatic missions abroad,
primarily in the Middle East.
- ESET researchers attribute these compromises with medium
confidence to the infamous Russia-aligned cyberespionage group Turla. The
aim of the campaign is cyberespionage.
- Turla, also known as Snake, has been active since at least
2004, possibly even dating back to the late 1990s. It is believed
to be part of the Russian FSB.
- ESET believes that the Lunar toolset has been in use since at
least 2020.
- Both backdoors employ steganography, a technique in which
commands are hidden in images to avoid detection.
BRATISLAVA, Slovakia, May 15, 2024
/PRNewswire/ -- ESET Research discovered two previously unknown
backdoors — which we named LunarWeb and LunarMail — compromising a
European ministry of foreign affairs and its diplomatic missions
abroad, primarily in the Middle
East. ESET believes that the Lunar toolset has been used
since at least 2020 and, given the similarities between the
tactics, techniques, and procedures and past activities, ESET
researchers attribute these compromises with medium confidence to
the infamous Russia-aligned
cyberespionage group Turla. The aim of the campaign is
cyberespionage.
The ESET investigation began with the detection of a loader
deployed on an unidentified server, which decrypts and loads a
payload from a file. This led ESET researchers to the discovery of
a previously unknown backdoor, which ESET named LunarWeb.
Subsequently, a similar chain with LunarWeb deployed at a
diplomatic mission was detected. Notably, the attacker also
included a second backdoor — which ESET named LunarMail — that uses
a different method for command and control (C&C)
communications. During another attack, ESET observed simultaneous
deployments of a chain with LunarWeb at three diplomatic missions
of a European country in the Middle
East, occurring within minutes of each other. The attacker
probably had prior access to the domain controller of the ministry
of foreign affairs and utilized it for lateral movement to machines
of related institutions in the same network.
LunarWeb, deployed on servers, uses HTTP(S) for its C&C
communications and mimics legitimate requests, while LunarMail,
deployed on workstations, persists as an Outlook add-in and uses
email messages for its C&C communications. Both backdoors
employ steganography, a technique in which commands are hidden in
images to avoid detection. Their loaders can exist in various
forms, including trojanized open-source software, demonstrating the
advanced techniques used by the attackers.
"We observed varying degrees of sophistication in the
compromises — for example, the careful installation on the
compromised server to avoid scanning by security software
contrasted with coding errors and different coding styles of the
backdoors. This suggests multiple individuals were probably
involved in the development and operation of these tools," says
ESET researcher Filip Jurčacko, who discovered the Lunar
toolset.
Recovered installation-related components and attacker activity
suggest that the initial compromise possibly happened via spearphishing
and abuse of a misconfigured installation of the network and application
monitoring software Zabbix. Furthermore, the attacker already had network
access, used stolen credentials for lateral movement, and took
careful steps to compromise the server without raising suspicion.
In another compromise, researchers found an older malicious Word
document, likely from a spearphishing email.
LunarWeb collects and exfiltrates information from the system,
such as computer and operating system information, a list of
running processes, a list of services, and a list of installed
security products. LunarWeb supports common backdoor capabilities,
including file and process operations, and running shell commands.
On first run, the LunarMail backdoor collects the recipients' email
addresses from sent email messages. In terms of
command capabilities, LunarMail is simpler and features a subset of
the commands found in LunarWeb. It can write a file, create a new
process, take a screenshot, and modify the C&C communication
email address. Both backdoors have the unusual capability of being
able to execute Lua scripts.
Turla, also known as Snake, has been active since at least 2004,
possibly even dating back to the late 1990s. Believed to be part of
the Russian FSB, Turla mainly targets high-profile entities such as
governments and diplomatic organizations in Europe, Central
Asia, and the Middle East.
The group is notorious for breaching major organizations, including
the US Department of Defense in 2008 and the Swiss defense company
RUAG in 2014.
For more technical information about the Lunar
toolset, read the blogpost "To the Moon and back(doors): Lunar
landing in diplomatic missions." Make sure to follow ESET Research
on Twitter (today known as X) for the latest news.
About ESET
ESET® provides cutting-edge digital security to
prevent attacks before they happen. By combining the power of AI
and human expertise, ESET stays ahead of known and emerging
cyberthreats — securing businesses, critical infrastructure, and
individuals. Whether it's endpoint, cloud, or mobile protection,
our AI-native, cloud-first solutions and services remain highly
effective and easy to use. ESET technology includes robust
detection and response, ultra-secure encryption, and multifactor
authentication. With 24/7 real-time defense and strong local
support, we keep users safe and businesses running without
interruption. An ever-evolving digital landscape demands a
progressive approach to security. ESET is committed to world-class
research and powerful threat intelligence, backed by R&D
centers and a strong global partner network. For more information,
visit www.eset.com or follow us on LinkedIn, Facebook, and
X.
View original content: https://www.prnewswire.com/news-releases/eset-research-russia-aligned-turla-group-likely-uses-lunar-arsenal-to-target--spy-on-european-diplomats-302146634.html
SOURCE ESET