
An unnamed European Ministry of Foreign Affairs (MFA) and three of its diplomatic missions in the Middle East were targeted with two previously undocumented backdoors, tracked as LunarWeb and LunarMail.
ESET disclosed the activity and attributed it with medium confidence to the Russia-aligned cyber espionage group Turla (also known as Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos and Venomous Bear), citing overlaps with activity previously attributed to the group.
“LunarWeb, deployed on servers, uses HTTP(S) for its C&C [command-and-control] communications and mimics legitimate requests, while LunarMail, deployed on workstations, persists as an Outlook plug-in and uses email for its C&C communications,” said ESET security researcher Filip Jurčacko.
Analysis of the Lunar artifacts suggests they may have been used in targeted attacks since early 2020, if not earlier.
Turla is assessed to be an Advanced Persistent Threat (APT) affiliated with Russia’s Federal Security Service (FSB) and is known to have been active since at least 1996. Its known targets include government and diplomatic organizations, such as the MFA in this campaign, as well as the education, research and pharmaceutical sectors.

Earlier this year, the cyber espionage group was observed targeting Polish organizations with a backdoor called TinyTurla-NG (TTNG).
“The Turla group is a persistent adversary with a long history of activity,” Trend Micro said in an analysis of the threat actor’s evolving toolset. “Their origins, tactics and objectives all indicate that this is a well-funded, skilled and well-staffed group.”
The exact intrusion vector used to compromise the MFA is not yet known, but it is suspected to have involved spear-phishing and the exploitation of misconfigured Zabbix network monitoring software.

The starting point of the attack chain ESET reconstructed is a compiled ASP.NET web page that serves as a conduit to decode two embedded blobs: a loader codenamed LunarLoader and the LunarWeb backdoor.
Specifically, when the page is requested, it expects a password in a cookie named SMSKey; if the cookie is present, its value is used to derive the encryption key that decrypts the next-stage payload. The key material therefore never rests on the server: without the cookie value, the embedded blobs cannot be decrypted from the page alone, which is also why a request carrying that cookie is a useful hunting signal in web server logs.
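The cookie-gated loader described above leaves a trace in the web server's access log, provided cookies are being logged at all. The following is an added example (not ESET's code and not part of the original article) that parses IIS W3C-format log lines and flags requests presenting a cookie named SMSKey, the name reported in the text. The log lines, IP addresses and URL path are constructed for the example; the `cs(Cookie)` field is an optional IIS logging field that is off by default and must be enabled for this to find anything.

```python
"""
Hunt for requests that present an "SMSKey" cookie in IIS W3C logs.
Added example: the sample log below is constructed, and IIS must be
configured to log the optional cs(Cookie) field for the hunt to work.
"""
from dataclasses import dataclass

# Cookie name reported for the LunarWeb ASP.NET loader.
GATING_COOKIE = "SMSKey"

# Constructed sample log (paths and addresses are made up), with the
# optional cs(Cookie) field enabled in the #Fields directive.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) sc-status
2024-03-02 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 ASP.NET_SessionId=abc123 200
2024-03-02 10:15:09 10.0.0.5 GET /static/status.aspx - 443 - 203.0.113.9 Mozilla/5.0 SMSKey=Zm9vYmFy;+ASP.NET_SessionId=def456 200
2024-03-02 10:16:44 10.0.0.5 POST /api/v1/items - 443 - 198.51.100.7 Mozilla/5.0 - 404
"""


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    uri: str
    cookie_value: str


def parse_w3c(text):
    """Yield each log record as a dict keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log records appear before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record: skip rather than mis-align columns
        yield dict(zip(fields, values))


def parse_cookies(raw):
    """IIS writes cookies as name=value pairs joined by ';+', or '-' when absent."""
    if raw == "-":
        return {}
    cookies = {}
    for part in raw.replace("+", " ").split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def find_gating_cookie(text, cookie_name=GATING_COOKIE):
    """Return every request that presented the gating cookie, whatever its value."""
    hits = []
    for rec in parse_w3c(text):
        cookies = parse_cookies(rec.get("cs(Cookie)", "-"))
        if cookie_name in cookies:
            hits.append(Hit(f"{rec['date']} {rec['time']}", rec["c-ip"],
                            rec["cs-uri-stem"], cookies[cookie_name]))
    return hits


if __name__ == "__main__":
    for hit in find_gating_cookie(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client_ip} -> {hit.uri} ({GATING_COOKIE}={hit.cookie_value})")
```

The match is on the cookie name only, since the password value is attacker-chosen and unknown. A renamed cookie would evade this, so the signal is specific to the tooling described in the report; a more durable hunt is for any cookie name that no application on the server is known to set.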
“The attacker already had access to the network, used stolen credentials to move laterally, and took careful steps to compromise the server without arousing suspicion,” Jurčacko noted.
LunarMail, on the other hand, is delivered via a malicious Microsoft Word document sent in a spear-phishing email; the document in turn carries LunarLoader and the backdoor.
LunarWeb collects system information and parses commands hidden in JPG and GIF image files sent by the C&C server, then exfiltrates the results in compressed and encrypted form. It further attempts to blend in by disguising its network traffic as legitimate, for example as Windows Update traffic.

C&C commands allow the backdoor to execute shell and PowerShell commands, run Lua code, read and write files, and archive specified paths. The second implant, LunarMail, supports similar functionality but notably runs inside Outlook and communicates with its C&C server over email, looking for specific messages carrying PNG attachments.
Other commands unique to LunarMail include the ability to set up Outlook profiles for C&C, create arbitrary processes, and take screenshots. Command output is embedded in a PNG image or PDF file and sent as an email attachment to an attacker-controlled inbox.
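Because LunarMail's inbound commands and outbound results both travel as image attachments, mail-level hunting is one of the few places where the channel is visible. The following is an added example (not ESET's code and not from the original article) that parses raw `.eml` messages, pulls out PNG attachments and flags any that carry data after the PNG `IEND` chunk, which is one common way of smuggling a payload inside a valid image. The article does not say how LunarMail actually embeds data in its PNGs, so the trailing-data check is an assumed heuristic, not the malware's format; the sample messages, addresses and attachment name are constructed for the example.

```python
"""
Flag PNG email attachments that carry data beyond the IEND chunk.
Added example: the PNG builder and the sample messages are constructed
here so the script runs offline; the after-IEND heuristic is an assumption
about one stego technique, not LunarMail's documented format.
"""
import struct
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    # PNG chunk layout: 4-byte length, 4-byte type, data, 4-byte CRC over type+data
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(trailing=b""):
    """Construct a minimal 1x1 grayscale PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailing


def png_trailing_bytes(data):
    """Walk the chunk list and return whatever follows IEND; None if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(data):
            return None  # truncated chunk: not a valid PNG
        if ctype == b"IEND":
            return data[end:]
        pos = end
    return None  # no IEND chunk found


def scan_eml(raw):
    """Return one finding per PNG attachment that has data appended after IEND."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if part.get_content_type() != "image/png" and not name.lower().endswith(".png"):
            continue
        payload = part.get_payload(decode=True) or b""
        extra = png_trailing_bytes(payload)
        if extra:
            findings.append({"attachment": name, "trailing_bytes": len(extra),
                             "subject": msg["Subject"]})
    return findings


def build_sample_eml(png_bytes, subject):
    """Constructed outbound message with a single PNG attachment."""
    msg = EmailMessage()
    msg["From"] = "user@ministry.example"
    msg["To"] = "dropbox@attacker.example"
    msg["Subject"] = subject
    msg.set_content("see attached")
    msg.add_attachment(png_bytes, maintype="image", subtype="png", filename="report.png")
    return msg.as_bytes()


if __name__ == "__main__":
    clean = build_sample_eml(build_png(), "weekly report")
    smuggled = build_sample_eml(build_png(b"\x00cmd-output"), "weekly report (2)")
    for raw in (clean, smuggled):
        print(scan_eml(raw) or "no findings")
```

Appended-after-IEND is the cheapest form of image smuggling and also the easiest to miss, because every viewer renders the file normally. Data hidden inside IDAT pixel values or in ancillary chunks would pass this check, so in practice the scan is a first filter that should be paired with sender/recipient baselining for the mailbox in question.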
“This backdoor is designed to be deployed on user workstations, not the server, as it is persistent and designed to run as an Outlook plug-in,” Jurčacko said. “LunarMail shares its operating philosophy with LightNeuron, another Turla backdoor using email for C&C purposes.”