Sunday, May 19, 2024
HomeCyber SecurityTurla Group Deploys LunarWeb and LunarMail Backdoors in Diplomatic Missions

Turla Group Deploys LunarWeb and LunarMail Backdoors in Diplomatic Missions

LunarWeb and LunarMail

An unnamed European Ministry of Overseas Affairs (MFA) and its three diplomatic missions within the Center East had been focused by two beforehand undocumented backdoors tracked as LunarWeb and LunarMail.

ESET, which recognized the exercise, attributed it with medium confidence to the Russia-aligned cyberespionage group Turla (aka Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, and Venomous Bear), citing tactical overlaps with prior campaigns recognized as orchestrated by the group.

“LunarWeb, deployed on servers, makes use of HTTP(S) for its C&C [command-and-control] communications and mimics respectable requests, whereas LunarMail, deployed on workstations, is endured as an Outlook add-in and makes use of electronic mail messages for its C&C communications,” safety researcher Filip Jurčacko stated.

An evaluation of the Lunar artifacts exhibits that they might have been utilized in focused assaults since early 2020, and even earlier.

Turla, assessed to be affiliated with Russia’s Federal Safety Service (FSB), is a sophisticated persistent menace (APT) that is identified to be energetic since at the very least 1996. It has a monitor document of concentrating on a spread of industries spanning authorities, embassies, army, schooling, analysis, and pharmaceutical sectors.


Earlier this yr, the cyber espionage group was found attacking Polish organizations to distribute a backdoor named TinyTurla-NG (TTNG).

“The Turla group is a persistent adversary with a protracted historical past of actions,” Development Micro famous in an evaluation of the menace actor’s evolving toolset. “Their origins, techniques, and targets all point out a well-funded operation with extremely expert operatives.”

The precise intrusion vector used to breach the MFA is presently unknown, though it is suspected that it might have concerned a component of spear-phishing and the exploitation of misconfigured Zabbix software program.

LunarWeb and LunarMail

The start line of the assault chain pieced collectively by ESET commences with a compiled model of an ASP.NET net web page that is used as a conduit to decode two embedded blobs, which features a loader, codenamed LunarLoader, and the LunarWeb backdoor.

Particularly, when the web page is requested, it expects a password in a cookie named SMSKey that, if provided, is used to derive a cryptographic key for decrypting the next-stage payloads.

“The attacker already had community entry, used stolen credentials for lateral motion, and took cautious steps to compromise the server with out elevating suspicion,” Jurčacko famous.

LunarMail, alternatively, is propagated via a malicious Microsoft Phrase doc despatched by way of a spear-phishing electronic mail, which, in flip, packs LunarLoader and the backdoor.

LunarWeb is provided to collect system info and parse instructions inside JPG and GIF picture recordsdata despatched from the C&C server, following which the outcomes are exfiltrated again in a compressed and encrypted format. It additional makes an attempt to mix in by masquerading its community site visitors as legitimate-looking (e.g., Home windows replace).


The C&C directions enable the backdoor to run shell and PowerShell instructions, execute Lua code, learn/write recordsdata, and archive specified paths. The second implant, LunarMail, helps related capabilities, however notably piggybacks on Outlook and makes use of electronic mail for communication with its C&C server by searching for sure messaging with PNG attachments.

A few of the different instructions particular to LunarMail embody the power to set an Outlook profile to make use of for C&C, create arbitrary processes, and take screenshots. The execution outputs are then embedded in a PNG picture or PDF doc previous to exfiltrating them as attachments in emails to an attacker-controlled inbox.

“This backdoor is designed to be deployed on person workstations, not servers — as a result of it’s endured and supposed to run as an Outlook add-in,” Jurčacko stated. “LunarMail shares concepts of its operation with LightNeuron, one other Turla backdoor that makes use of electronic mail messages for C&C functions.”

Discovered this text fascinating? Observe us on Twitter and LinkedIn to learn extra unique content material we put up.



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments