An unnamed European Ministry of Foreign Affairs (MFA) and its three diplomatic missions in the Middle East were targeted by two previously undocumented backdoors tracked as LunarWeb and LunarMail.
ESET, which identified the activity, attributed it with medium confidence to the Russia-aligned cyberespionage group Turla (aka Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, and Venomous Bear), citing tactical overlaps with prior campaigns identified as orchestrated by the group.
“LunarWeb, deployed on servers, uses HTTP(S) for its C&C [command-and-control] communications and mimics legitimate requests, while LunarMail, deployed on workstations, is persisted as an Outlook add-in and uses email messages for its C&C communications,” security researcher Filip Jurčacko said.
An analysis of the Lunar artifacts shows that they may have been used in targeted attacks since early 2020, or even earlier.
Turla, assessed to be affiliated with Russia’s Federal Security Service (FSB), is an advanced persistent threat (APT) that’s known to be active since at least 1996. It has a track record of targeting a range of industries spanning government, embassies, military, education, research, and pharmaceutical sectors.
Earlier this year, the cyber espionage group was discovered attacking Polish organizations to distribute a backdoor named TinyTurla-NG (TTNG).
“The Turla group is a persistent adversary with a long history of activities,” Trend Micro noted in an analysis of the threat actor’s evolving toolset. “Their origins, tactics, and targets all indicate a well-funded operation with highly skilled operatives.”
The exact intrusion vector used to breach the MFA is presently unknown, although it’s suspected that it may have involved an element of spear-phishing and the exploitation of misconfigured Zabbix software.
The starting point of the attack chain pieced together by ESET commences with a compiled version of an ASP.NET web page that’s used as a conduit to decode two embedded blobs, which includes a loader, codenamed LunarLoader, and the LunarWeb backdoor.
Specifically, when the page is requested, it expects a password in a cookie named SMSKey that, if supplied, is used to derive a cryptographic key for decrypting the next-stage payloads.
“The attacker already had network access, used stolen credentials for lateral movement, and took careful steps to compromise the server without raising suspicion,” Jurčacko noted.
LunarMail, on the other hand, is propagated through a malicious Microsoft Word document sent via a spear-phishing email, which, in turn, packs LunarLoader and the backdoor.
LunarWeb is equipped to gather system information and parse commands inside JPG and GIF image files sent from the C&C server, following which the results are exfiltrated back in a compressed and encrypted format. It further attempts to blend in by masquerading its network traffic as legitimate-looking (e.g., Windows update).
The C&C instructions allow the backdoor to run shell and PowerShell commands, execute Lua code, read/write files, and archive specified paths. The second implant, LunarMail, supports similar capabilities, but notably piggybacks on Outlook and uses email for communication with its C&C server by looking for certain messaging with PNG attachments.
Some of the other commands specific to LunarMail include the ability to set an Outlook profile to use for C&C, create arbitrary processes, and take screenshots. The execution outputs are then embedded in a PNG image or PDF document prior to exfiltrating them as attachments in emails to an attacker-controlled inbox.
“This backdoor is designed to be deployed on user workstations, not servers — because it is persisted and intended to run as an Outlook add-in,” Jurčacko said. “LunarMail shares ideas of its operation with LightNeuron, another Turla backdoor that uses email messages for C&C purposes.”