An unnamed European Ministry of Foreign Affairs (MFA) and its three diplomatic missions in the Middle East have been targeted by two previously undocumented backdoors tracked as LunarWeb and LunarMail.
ESET, which identified the activity, attributed it with medium confidence to the Russia-aligned cyberespionage group Turla (aka Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, and Venomous Bear), citing tactical overlaps with prior campaigns attributed to the group.
“LunarWeb, deployed on servers, uses HTTP(S) for its C&C [command-and-control] communications and mimics legitimate requests, while LunarMail, deployed on workstations, is persisted as an Outlook add-in and uses email messages for its C&C communications,” security researcher Filip Jurčacko said.
An analysis of the Lunar artifacts indicates that they may have been used in targeted attacks since early 2020, or even earlier.
Turla, assessed to be affiliated with Russia’s Federal Security Service (FSB), is an advanced persistent threat (APT) that is believed to have been active since at least 1996. It has a track record of targeting a range of industries spanning government, embassies, military, education, research, and pharmaceutical sectors.
Earlier this year, the cyber espionage group was observed attacking Polish organizations to distribute a backdoor named TinyTurla-NG (TTNG).
“The Turla group is a persistent adversary with a long history of activities,” Trend Micro said in an analysis of the threat actor’s evolving toolset. “Their origins, tactics, and targets all indicate a well-funded operation with highly skilled operatives.”
The exact intrusion vector used to breach the MFA is currently unknown, although it is suspected that it may have involved an element of spear-phishing and the exploitation of misconfigured Zabbix software.
The starting point of the attack chain pieced together by ESET is a compiled version of an ASP.NET web page that is used as a conduit to decode two embedded blobs, which include a loader, codenamed LunarLoader, and the LunarWeb backdoor.
Specifically, when the page is requested, it expects a password in a cookie named SMSKey that, if provided, is used to derive a cryptographic key for decrypting the next-stage payloads.
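Because the loader page only unpacks its payload when a request carries the SMSKey cookie, that cookie name is a useful hunting indicator in web server logs. The following Python script is an added example (not from ESET's report or this article) that scans a constructed IIS W3C log sample for requests carrying such a cookie; the field set (including the optional cs(Cookie) column) and all sample entries are assumptions.

```python
from typing import Dict, Iterator, List

# Constructed IIS W3C extended log sample (not real data). Logging cs(Cookie)
# is optional in IIS and is assumed to have been enabled on this server.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Cookie)
2024-05-01 09:12:01 203.0.113.5 GET /owa/auth/logon.aspx 200 ASP.NET_SessionId=abc123
2024-05-01 09:12:44 198.51.100.7 GET /assets/help.aspx 200 SMSKey=REDACTED;+ASP.NET_SessionId=def456
2024-05-01 09:13:10 203.0.113.5 POST /owa/ev.owa 200 -
2024-05-01 09:15:02 198.51.100.7 GET /assets/help.aspx 200 smskey=another
"""

SUSPECT_COOKIE = "smskey"  # matched case-insensitively; the report names it SMSKey


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split(" ")
        if len(values) != len(fields):  # skip malformed lines rather than mis-assign columns
            continue
        yield dict(zip(fields, values))


def cookie_names(cookie_field: str) -> List[str]:
    """Extract cookie names from an IIS cs(Cookie) value ('-' means no cookie header)."""
    if cookie_field == "-":
        return []
    # IIS substitutes '+' for spaces inside logged header values
    parts = cookie_field.replace("+", " ").split(";")
    return [p.strip().split("=", 1)[0] for p in parts if "=" in p]


def find_suspect_requests(text: str) -> List[Dict[str, str]]:
    """Return time, client IP and URI of every request that presented the suspect cookie."""
    hits = []
    for rec in parse_w3c(text):
        names = [n.lower() for n in cookie_names(rec.get("cs(Cookie)", "-"))]
        if SUSPECT_COOKIE in names:
            hits.append({"time": f"{rec['date']} {rec['time']}",
                         "ip": rec["c-ip"], "uri": rec["cs-uri-stem"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} -> {hit['uri']}")
```

A hit on an otherwise innocuous .aspx page is a prompt to pull that page's compiled assembly from the server and compare it against the deployed source, since the loader is a compiled page that looks legitimate until the cookie is supplied.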
“The attacker already had network access, used stolen credentials for lateral movement, and took careful steps to compromise the server without raising suspicion,” Jurčacko noted.
LunarMail, on the other hand, is propagated by means of a malicious Microsoft Word document sent via a spear-phishing email, which, in turn, packs LunarLoader and the backdoor.
LunarWeb is capable of gathering system information and parsing commands inside JPG and GIF image files sent from the C&C server, after which the results are exfiltrated back in a compressed and encrypted format. It further attempts to blend in by masquerading its network traffic as legitimate-looking (e.g., Windows Update).
The C&C commands allow the backdoor to run shell and PowerShell commands, execute Lua code, read/write files, and archive specified paths. The second implant, LunarMail, supports similar capabilities, but notably piggybacks on Outlook and uses email for communication with its C&C server by looking for specific messages with PNG attachments.
Some of the other commands specific to LunarMail include the ability to set an Outlook profile to use for C&C, create arbitrary processes, and take screenshots. The execution outputs are then embedded in a PNG image or PDF document prior to exfiltrating them as attachments in email messages to an attacker-controlled inbox.
“This backdoor is designed to be deployed on user workstations, not servers — because it is persisted and intended to run as an Outlook add-in,” Jurčacko said. “LunarMail shares ideas of its operation with LightNeuron, another Turla backdoor that uses email messages for C&C purposes.”
Some parts of this report are sourced from:
thehackernews.com