Turla Group Deploys LunarWeb and LunarMail Backdoors in Diplomatic Missions

May 15, 2024 at 09:07AM

An unnamed European Ministry of Foreign Affairs and its three diplomatic missions in the Middle East were targeted by two new backdoors, LunarWeb and LunarMail, attributed with medium confidence to the Russia-aligned cyberespionage group Turla. The backdoors use HTTP(S) and email messages for their communication, and appear to have been used in targeted attacks since early 2020.

Key takeaways from the report:

1. A European Ministry of Foreign Affairs (MFA) and three of its diplomatic missions in the Middle East were targeted by two previously undocumented backdoors, LunarWeb and LunarMail, attributed with medium confidence to the Russia-aligned cyberespionage group Turla.

2. LunarWeb, deployed on servers, communicates with its command-and-control (C&C) server over HTTP(S) and mimics legitimate requests to blend into normal traffic. LunarMail, deployed on workstations, persists as an Outlook add-in and uses email messages for its C&C communications.

3. Turla, assessed to be affiliated with Russia’s Federal Security Service (FSB), is an advanced persistent threat known to be active since at least 1996 with a track record of targeting industries spanning government, embassies, military, education, research, and pharmaceutical sectors.

4. The initial access vector used to breach the MFA is presently unknown, but spear-phishing and the exploitation of misconfigured Zabbix monitoring software are suspected.

5. LunarWeb gathers system information and parses commands hidden inside image files sent from the C&C server; LunarMail supports similar capabilities and is intended to run as an Outlook add-in.

6. Both backdoors can also run shell and PowerShell commands, execute Lua code, read and write files, archive specified paths, create arbitrary processes, take screenshots, and exfiltrate data in compressed and encrypted form. LunarMail exfiltrates its data as attachments on emails sent to an attacker-controlled inbox.

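Because LunarMail persists as an Outlook add-in (point 2 above), the add-in registration in the registry is a natural place to hunt on workstations. The PowerShell script below is an added example written for this summary; it is not code from the original article or from ESET's report, and the page gives no registry names or file paths for LunarMail itself. It enumerates the Outlook add-in keys under HKCU and HKLM (the standard Office add-in locations), resolves each COM ProgID through HKCR to the DLL Outlook would load, checks that DLL's Authenticode signature, and flags entries that match a heuristic of mine (user-hive registration, unsigned code, or a DLL living under a user profile or ProgData). That heuristic is an assumption for triage, not an indicator from the page: legitimate add-ins can trip it, so treat flagged rows as leads to verify, not detections.

```powershell
# Added hunting helper (not from the article or ESET): list Outlook add-ins
# registered in the registry, resolve each to its DLL, and flag likely outliers.
# Assumptions: add-ins live under ...\Software\Microsoft\Office\Outlook\Addins in
# HKCU and HKLM (plus WOW6432Node on 64-bit hosts); native COM add-ins resolve via
# HKCR\<ProgId>\CLSID -> HKCR\CLSID\{clsid}\InprocServer32; VSTO add-ins carry a
# "Manifest" value instead of a COM server. The "Suspicious" column is a heuristic.

$addinRoots = @(
    'HKCU:\Software\Microsoft\Office\Outlook\Addins',
    'HKLM:\Software\Microsoft\Office\Outlook\Addins',
    'HKLM:\Software\WOW6432Node\Microsoft\Office\Outlook\Addins'
)

function Resolve-ComServerPath {
    param([Parameter(Mandatory)][string]$ProgId)
    # ProgID -> CLSID -> InprocServer32 default value (the DLL Outlook loads in-process)
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path $clsidKey)) { return $null }
    $clsid = (Get-ItemProperty -Path $clsidKey).'(default)'
    if (-not $clsid) { return $null }
    $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    if (-not (Test-Path $serverKey)) { return $null }
    $path = (Get-ItemProperty -Path $serverKey).'(default)'
    if (-not $path) { return $null }
    return [Environment]::ExpandEnvironmentVariables($path.Trim('"'))
}

$results = foreach ($root in $addinRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $props    = Get-ItemProperty -Path $key.PSPath
        $dll      = Resolve-ComServerPath -ProgId $key.PSChildName
        $manifest = $props.Manifest          # present for VSTO (managed) add-ins
        $sig      = if ($dll -and (Test-Path -LiteralPath $dll)) {
                        (Get-AuthenticodeSignature -FilePath $dll).Status
                    } else { 'NoFile' }

        # Heuristic only: user-hive registration, unsigned/absent code, or code
        # hosted under a user profile or ProgramData is worth a second look.
        $inUserPaths = ($dll -like "$env:USERPROFILE*") -or ($dll -like "$env:ProgramData*")
        $suspicious  = ($root -like 'HKCU:*') -or ($sig -ne 'Valid') -or $inUserPaths

        [pscustomobject]@{
            Hive         = $root.Split(':')[0]
            ProgId       = $key.PSChildName
            FriendlyName = $props.FriendlyName
            LoadBehavior = $props.LoadBehavior   # 3 = connected, load at startup
            Dll          = $dll
            Manifest     = $manifest
            Signature    = $sig
            Suspicious   = $suspicious
        }
    }
}

$results | Sort-Object Suspicious -Descending, Hive | Format-Table -AutoSize
```

Run it in the context of the user whose Outlook is being checked, since HKCU is per-user; on a multi-user host, load each profile's hive or run it as each user. A LoadBehavior of 3 means Outlook loads the add-in at every start, which is the value a persistence mechanism needs, so rows with LoadBehavior 3, an unsigned DLL and a user-profile path deserve the closest look. Pair the registry view with the DLLs actually loaded into OUTLOOK.EXE, because a registration that is present in one view and missing in the other is itself a finding.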