Turla Group Implements LunarWeb and LunarMail Backdoors in Diplomatic Operations


Unveiling the Lunar Backdoors: A New Threat to Diplomatic Security

In an alarming development for cybersecurity, an unnamed European Ministry of Foreign Affairs (MFA) and its three diplomatic missions in the Middle East have fallen victim to sophisticated cyberattacks. These attacks were executed using two previously undocumented backdoors, dubbed LunarWeb and LunarMail. The implications of this breach are significant, as they highlight the ongoing threats faced by government entities and the evolving tactics of cyberespionage groups.

The Threat Actors: Turla Group

ESET, a prominent cybersecurity firm, identified the malicious activity and attributed it with medium confidence to the Turla group—a notorious cyberespionage entity known for its affiliation with Russia’s Federal Security Service (FSB). The group, also referred to by various names including Iron Hunter, Pensive Ursa, and Venomous Bear, has been active since at least 1996. Its history of targeting a diverse range of sectors—including government, military, education, and pharmaceuticals—underscores its capability and intent to conduct high-stakes espionage.

Tactical Overlaps and Previous Campaigns

ESET’s analysis revealed tactical overlaps between the current campaign and previous operations attributed to Turla. This connection raises concerns about the group’s persistent and adaptive nature, as they continue to refine their tools and techniques to infiltrate sensitive networks. Earlier this year, Turla was also implicated in attacks against Polish organizations using a backdoor named TinyTurla-NG.

The Lunar Backdoors: Mechanisms of Attack

The Lunar backdoors represent a sophisticated evolution in cyberattack methodologies. LunarWeb is deployed on servers and utilizes HTTP(S) for its command-and-control (C&C) communications, cleverly mimicking legitimate web requests. In contrast, LunarMail operates as an Outlook add-in on workstations, leveraging email messages for its C&C communications.

LunarWeb: Server-Side Operations

LunarWeb is designed to gather system information and execute commands hidden within JPG and GIF image files sent from the C&C server. The results of these commands are exfiltrated back to the attackers in a compressed and encrypted format. Notably, LunarWeb employs techniques to disguise its network traffic, making it appear as legitimate activity—such as Windows updates—to evade detection.
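A hunting heuristic for the disguise described above, as an added example that is not from ESET or the original article: it flags proxy log entries that imitate Windows Update in their User-Agent or URL path but go to a host outside Microsoft's update domains. The log layout, the suffix list, the markers and every sample line are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: suffixes of hosts that genuine Windows Update traffic goes to.
MS_UPDATE_SUFFIXES = (".windowsupdate.com", ".update.microsoft.com",
                      ".delivery.mp.microsoft.com", ".download.microsoft.com")
# Assumption: strings that make a request look like Windows Update.
UA_MARKERS = ("windows-update-agent", "microsoft-delivery-optimization")
PATH_MARKERS = ("/msdownload/update/", "/windowsupdate/")

# Constructed proxy log: timestamp, source host, method, URL, User-Agent (tab-separated).
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("2024-05-01T10:00:01Z", "web01", "GET",
     "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
     "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0"),
    ("2024-05-01T10:03:12Z", "web01", "GET",
     "http://cdn.example.net/msdownload/update/v3/static/banner.jpg",
     "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0"),
    ("2024-05-01T10:03:40Z", "web02", "POST",
     "http://203.0.113.7/c/upload", "Windows-Update-Agent/10.0"),
    ("2024-05-01T10:04:02Z", "ws17", "GET",
     "http://www.example.org/index.html", "Mozilla/5.0"),
    ("2024-05-01T10:05:55Z", "web01", "GET",
     "http://download.windowsupdate.com.example.net/windowsupdate/v6/x.gif", "Mozilla/5.0"),
])

def is_microsoft_update_host(host):
    """True only for a listed domain or a real subdomain of one (no lookalikes)."""
    return ("." + host.lower().rstrip(".")).endswith(MS_UPDATE_SUFFIXES)

def looks_like_update(path, user_agent):
    """True when the User-Agent or URL path imitates Windows Update."""
    ua, path = user_agent.lower(), path.lower()
    return any(m in ua for m in UA_MARKERS) or any(m in path for m in PATH_MARKERS)

def find_masquerades(log_text):
    """Return (timestamp, source, destination host) for update-like requests
    whose destination is not a Microsoft update host."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, src, _method, url, ua = fields
        parts = urlsplit(url)
        host = parts.hostname or ""
        if looks_like_update(parts.path, ua) and not is_microsoft_update_host(host):
            hits.append((ts, src, host))
    return hits
```

Hits are leads for triage rather than verdicts, since the suffix list is deliberately short and a real environment may use internal update servers.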

LunarMail: The Outlook Intruder

LunarMail, on the other hand, is propagated through spear-phishing emails that contain malicious Microsoft Word documents. This backdoor is specifically tailored for user workstations, functioning as an Outlook add-in. Its capabilities include setting Outlook profiles for C&C communication, creating arbitrary processes, and even taking screenshots. The outputs of these operations are cleverly embedded in PNG images or PDF documents, which are then sent as email attachments to an attacker-controlled inbox.

The Intrusion Vector: A Mystery Unveiled

While the exact method of intrusion into the MFA remains unclear, cybersecurity experts suspect that spear-phishing tactics and the exploitation of misconfigured Zabbix software may have played a role. The attack chain, as pieced together by ESET, begins with a compiled ASP.NET web page that serves as a conduit for decoding embedded payloads, including a loader known as LunarLoader and the LunarWeb backdoor.

The Attack Chain: A Step-by-Step Breakdown

  1. Initial Access: The attacker gains network access, potentially through stolen credentials.
  2. Payload Delivery: A malicious ASP.NET page is used to decode and deliver the Lunar backdoors.
  3. Command Execution: LunarWeb and LunarMail execute commands and gather sensitive information, all while maintaining a façade of normalcy in network traffic.
  4. Data Exfiltration: Results are exfiltrated back to the attackers, often disguised as innocuous files.

Conclusion: The Ongoing Battle Against Cyberespionage

The emergence of the Lunar backdoors serves as a stark reminder of the persistent threats posed by advanced persistent threat (APT) groups like Turla. As these actors continue to evolve their tactics and tools, the need for robust cybersecurity measures becomes increasingly critical, especially for government entities and diplomatic missions.

Organizations must remain vigilant, investing in comprehensive security strategies that include employee training, threat detection systems, and incident response plans. The battle against cyberespionage is ongoing, and staying one step ahead of these sophisticated adversaries is essential for safeguarding sensitive information and national security.

