Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs

Pierluigi Paganini May 17, 2024

Russia-linked Turla APT allegedly used two new backdoors, named Lunar malware and LunarMail, to target European government agencies.

ESET researchers discovered two previously unknown backdoors named LunarWeb and LunarMail that were exploited to breach European ministry of foreign affairs.

The two backdoors are designed to carry out a long-term compromise in the target network, data exfiltration, and maintaining control over compromised systems.

The two backdoors compromised a European ministry of foreign affairs (MFA) and its diplomatic missions abroad. The experts speculate the Lunar toolset has been employed since at least 2020. ESET attributes the two backdoors to Russia-linked APT group Turla, with medium confidence.

The Turla APT group (aka SnakeUroburosWaterbugVenomous Bear and KRYPTONhas been active since at least 2004 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The exact method of initial access in the compromises observed by ESET is still unclear. However, evidence suggests possible spear-phishing and exploitation of misconfigured Zabbix network and application monitoring software. The researchers noticed a LunarWeb component mimicking Zabbix logs and a backdoor command retrieving Zabbix agent configuration. The experts also spotted spear-phishing messages, including a weaponized Word document installing a LunarMail backdoor.

Turla APT

“LunarWeb, deployed on servers, uses HTTP(S) for its C&C communications and mimics legitimate requests, while LunarMail, deployed on workstations, is persisted as an Outlook add-in and uses email messages for its C&C communications.” reads the report published by ESET.

LunarWeb uses multiple persistence methods, including creating Group Policy extensions, replacing System DLL, and deploying as part of legitimate software.

ESET reported that the execution chain starts with a loader they tracked as LunarLoader. It uses the RC4 symmetric key cipher to decrypt the payloads.

Once the Lunar backdoor has compromised a system, it waits for commands from the C2 server. The cyberspies also used stolen credentials for lateral movement.

LunarWeb can also execute shell and PowerShell commands, gather system information, run Lua code, and exfiltrate data in AES-256 encrypted form.

“Our current investigation began with the detection of a loader decrypting and running a payload, from an external file, on an unidentified server. This led us to the discovery of a previously unknown backdoor, which we named LunarWeb. Subsequently, we detected a similar chain with LunarWeb deployed at a diplomatic institution of a European MFA. Notably, the attacker also included a second backdoor – which we named LunarMail – that uses a different method for command and control (C&C) communications.” continues the report. “During another attack, we observed simultaneous deployments of a chain with LunarWeb at three diplomatic institutions of this MFA in the Middle East, occurring within minutes of each other. The attacker probably had prior access to the domain controller of the MFA and utilized it for lateral movement to machines of related institutions in the same network.”

LunarMail is deployed on workstations with Microsoft Outlook, using an email-based communication system (Outlook Messaging API (MAPI)) to evade detection in environments where HTTPS traffic is monitored. The backdoor communicates with the C2 server via email attachments, often hidden in .PNG images. LunarMail can create processes, take screenshots, write files, and execute Lua scripts, allowing it to run shell and PowerShell commands indirectly.

“We observed varying degrees of sophistication in the compromises; for example, the careful installation on the compromised server to avoid scanning by security software contrasted with coding errors and different coding styles (which are not the scope of this blogpost) in the backdoors. This suggests multiple individuals were likely involved in the development and operation of these tools.” concludes the report. “Although the described compromises are more recent, our findings show that these backdoors evaded detection for a more extended period and have been in use since at least 2020, based on artifacts found in the Lunar toolset.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Turla APT)

you might also like

leave a comment