
LunarWeb and LunarMail backdoors discovered that use steganography to avoid detection
ESET, a global European leader in the cybersecurity market, discovered two previously unknown backdoors, named LunarWeb and LunarMail, which compromised a European Ministry of Foreign Affairs and its diplomatic missions abroad, mainly in the Middle East. ESET estimates that the Lunar toolset has been in use since 2020 and, given the similarities in tactics, techniques and procedures (TTPs) and past activities, believes that these compromises can most likely be attributed to Turla, a Russian-aligned cyberespionage group. The goal of the campaign is cyberespionage.
ESET's investigation began with the detection of a loader deployed on an unidentified server, which decrypts and loads a payload from a file. This led ESET researchers to discover a previously unknown backdoor, which ESET named LunarWeb. Subsequently, a similar chain was detected with LunarWeb deployed at a diplomatic mission. Notably, the attacker also included a second backdoor, which ESET named LunarMail, that uses a different method for command and control (C&C) communications. During another attack, ESET observed the simultaneous deployment of a chain with LunarWeb in three diplomatic missions of a European country in the Middle East, occurring within minutes of each other. The attacker most likely had prior access to the domain controller of the Ministry of Foreign Affairs and used it for lateral movement to computers of related institutions in the same network.
LunarWeb, deployed on servers, uses HTTP(S) for C&C communications and mimics legitimate requests, while LunarMail, deployed on workstations, persists as an Outlook add-in and uses email messages for C&C communications. Both backdoors use steganography, a technique in which commands are hidden inside images to avoid detection. Their loaders can exist in various forms, including trojanized open-source software, demonstrating the advanced techniques used by the attackers.
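Because the press release describes LunarMail persisting as an Outlook add-in, a defender's first check is to review which add-ins are registered on a workstation and which DLL each one would load. The PowerShell script below is an added example, not ESET's code and not derived from any Lunar sample; it walks the standard Outlook add-in registry locations (machine-wide, WOW6432Node and per-user), resolves each COM add-in's ProgID to its in-process server DLL via the Classes hive, and reports the Authenticode status of that DLL. It assumes a Windows host with PowerShell 5.1 or later and the stock registry layout; it flags nothing by itself, since the release gives no indicators, and is meant to put unexpected entries in front of an analyst.

```powershell
# Added example: enumerate registered Outlook add-ins and resolve each COM
# add-in to the DLL that Outlook would load, for persistence review.
# Assumes the standard Office registry layout; no LunarMail-specific IoCs.

$addinRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Office\Outlook\Addins',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\Outlook\Addins',
    'HKCU:\Software\Microsoft\Office\Outlook\Addins'
)

function Resolve-AddinServer {
    # Map a ProgID (the add-in's registry key name) to its InprocServer32 path.
    param([string]$ProgId)
    foreach ($classesRoot in 'HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes') {
        $clsidKey = Join-Path $classesRoot "$ProgId\CLSID"
        if (-not (Test-Path $clsidKey)) { continue }
        $clsid = (Get-ItemProperty -Path $clsidKey).'(default)'
        if (-not $clsid) { continue }
        $serverKeys = @(
            "$classesRoot\CLSID\$clsid\InprocServer32",
            "$classesRoot\WOW6432Node\CLSID\$clsid\InprocServer32"
        )
        foreach ($serverKey in $serverKeys) {
            if (Test-Path $serverKey) {
                $raw = (Get-ItemProperty -Path $serverKey).'(default)'
                # Paths are often stored with environment variables; expand them.
                return [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
            }
        }
    }
    return $null
}

$results = foreach ($root in $addinRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $props  = Get-ItemProperty -Path $key.PSPath
        $progId = $key.PSChildName
        $server = Resolve-AddinServer -ProgId $progId
        $sigStatus = if ($server -and (Test-Path -LiteralPath $server)) {
            (Get-AuthenticodeSignature -FilePath $server).Status
        } else {
            'n/a'
        }
        [pscustomobject]@{
            Hive         = ($root -split ':')[0]
            ProgId       = $progId
            FriendlyName = $props.FriendlyName
            LoadBehavior = $props.LoadBehavior   # 3 = connected, loaded at Outlook startup
            Manifest     = $props.Manifest       # populated for VSTO (managed) add-ins
            Server       = $server               # DLL resolved via ProgID -> CLSID
            Signature    = $sigStatus            # Valid / NotSigned / HashMismatch / n/a
        }
    }
}

$results | Sort-Object Hive, ProgId | Format-Table -AutoSize
```

Run it in the context of the user whose Outlook is being examined, since per-user registrations live under HKCU. Entries with LoadBehavior 3, no recognizable FriendlyName, an unsigned or hash-mismatched server DLL, or a server path outside the usual program directories are the ones worth pulling for analysis; a VSTO add-in with a Manifest value pointing at an unexpected location deserves the same scrutiny.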
“We observed varying degrees of sophistication in the compromises: for example, the careful installation on the hacked server to avoid scanning by security software contrasted with the errors and different coding styles of the backdoors. This suggests that probably more people were involved in the development and operation of these tools,” explains Filip Jurčacko, ESET researcher who discovered the Lunar toolset.
The recovered components related to the installation and the attacker's activity suggest that the possible initial compromise occurred through spearphishing and the exploitation of a misconfiguration of the Zabbix network and application monitoring software. Furthermore, the attacker already had access to the network, used stolen credentials to move around the network, and took careful measures to compromise the server without raising suspicion. In another compromise, researchers found an old malicious Word document, possibly from a spearphishing email.
LunarWeb collects and exfiltrates information from the compromised system, such as details about the computer and operating system, lists of running processes and services, and the installed security products. Additionally, it supports common backdoor features, including file and process operations and shell command execution. On first execution, the LunarMail backdoor collects information from sent email messages (the recipients' email addresses). In terms of command capabilities, LunarMail is simpler and offers a subset of the commands found in LunarWeb: it can write a file, create a new process, take a screenshot and change the email address used for C&C communication. Both backdoors have the unusual ability to execute Lua scripts.
Turla, also known as Snake, has been active since at least 2004, perhaps even since the late 1990s. Believed to be part of the Russian FSB, it mainly targets high-profile entities such as governments and diplomatic organizations in Europe, Central Asia and the Middle East. The group is known for hacking major organizations, including the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.
Further technical information on the Lunar toolset is available in the ESET blog post “To the Moon and back(doors): Lunar landing in diplomatic missions”.