May 16, 2024 at 12:05PM
Security researchers discovered two new backdoors, LunarWeb and LunarMail, used to compromise a European government’s diplomatic institutions abroad. The malware, linked to the Russian state-sponsored hacker group Turla, has been active since 2020. The backdoors allow for prolonged surveillance, data theft, and control over compromised systems, posing a serious security threat.
From the meeting notes, the key takeaways are as follows:
– Security researchers discovered two previously unseen backdoors, LunarWeb and LunarMail, that were used to compromise a European government’s diplomatic institutions abroad.
– The malware has been used to breach the Ministry of Foreign Affairs of a European country with diplomatic missions in the Middle East and has been active since at least 2020.
– ESET believes the backdoors may be connected to the Russian state-sponsored hacker group Turla, although attribution has medium confidence at this point.
– The attack starts with spear-phishing emails carrying Word files with malicious macro code to install the LunarMail backdoor onto the target system.
– Evidence indicates potential abuse of a misconfigured open-source network monitoring tool Zabbix to drop the LunarWeb payload.
– LunarWeb and LunarMail are designed for prolonged and covert surveillance, data theft, and maintaining control over compromised systems, such as high-value government and diplomatic institutions.
– Both backdoors have been used in operations and evaded detection since at least 2020.
ESET is also providing a list of indicators of compromise (IoCs) for files, file paths, network, and registry keys observed in compromised environments.