LunarWeb Backdoor
A European Ministry of Foreign Affairs (MFA) and its three diplomatic missions in the Middle East were recently hit by a previously undocumented backdoor called LunarWeb. Additionally, the attackers used another malicious tool, dubbed LunarMail. Researchers believe with medium confidence that this cyberattack is the work of the Russia-aligned cyberespionage group Turla, known by various aliases including Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, and Venomous Bear. The attribution is based on similarities in tactics observed in previous campaigns associated with this threat actor.
LunarWeb operates on servers using HTTP(S) for its Command-and-Control (C&C) communications, disguising its activity as legitimate requests. On the other hand, LunarMail, deployed on workstations, remains persistent as an Outlook add-in and utilizes email messages for its C&C communications. An examination of the Lunar artifacts suggests that they could have been employed in targeted attacks as early as 2020, or possibly even earlier.
The Turla APT is a Major Threat Actor on the Cybercrime Scene
Turla, assessed to be affiliated with Russia's Federal Security Service (FSB), is an advanced persistent threat (APT) that has been active since at least 1996. It has a track record of targeting a range of sectors spanning government, embassies, military, education, research, and pharmaceuticals.
Earlier in 2024, the cyber espionage group was discovered attacking Polish organizations to distribute a backdoor named TinyTurla-NG (TTNG). The Turla group is a persistent adversary with a long history of activities. Their origins, tactics, and targets all indicate a well-funded operation with highly skilled operatives.
Infection Vectors for the Delivery of the LunarWeb Backdoor
The precise method used to breach the MFA is currently unknown, but it is suspected to involve elements of spear-phishing and exploitation of misconfigured Zabbix software. The initial stage of the attack is believed to begin with a compiled version of an ASP.NET web page, serving as a conduit to decode two embedded blobs containing LunarLoader (a loader) and the LunarWeb backdoor.
When the page is accessed, it expects a password in a cookie named SMSKey. If the cookie is present, the password is used to derive a cryptographic key that decrypts the subsequent payloads. The attacker likely had pre-existing network access, used stolen credentials for lateral movement, and took deliberate steps to compromise the server discreetly.
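As an added defensive example (not code from the original article), the following Python scans a constructed IIS W3C log excerpt for requests that carried the SMSKey cookie described above. It assumes the cs(Cookie) field has been enabled in IIS W3C logging, which is off by default, and the log lines and cookie values are made up for illustration.

```python
from typing import Dict, List

# Cookie name the article reports the compiled ASP.NET page expects.
SUSPECT_COOKIE = "smskey"

# Constructed IIS W3C log excerpt with the cs(Cookie) field enabled.
# These lines are made up for this example and are not real telemetry.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Cookie)
2024-05-01 10:00:01 10.0.0.5 GET /index.aspx 200 ASP.NET_SessionId=abc123
2024-05-01 10:00:07 10.0.0.9 GET /status.aspx 200 SMSKey=placeholder;+ASP.NET_SessionId=def456
2024-05-01 10:00:09 10.0.0.9 GET /status.aspx 200 -
2024-05-01 10:00:12 10.0.0.5 GET /images/logo.gif 200 ASP.NET_SessionId=abc123
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def cookie_names(raw: str) -> List[str]:
    """Split an IIS cs(Cookie) value into lower-cased cookie names.

    IIS writes '-' when no cookie was sent and encodes spaces as '+'.
    """
    if raw == "-":
        return []
    names: List[str] = []
    for part in raw.replace("+", " ").split(";"):
        name = part.strip().split("=", 1)[0].strip()
        if name:
            names.append(name.lower())
    return names


def find_smskey_requests(text: str) -> List[Dict[str, str]]:
    """Return the log records whose request carried the SMSKey cookie."""
    return [rec for rec in parse_w3c(text)
            if SUSPECT_COOKIE in cookie_names(rec.get("cs(Cookie)", "-"))]
```

Each returned record keeps the source IP, URI and timestamp, so a hit can be pivoted to the web server's file system for the compiled ASP.NET page that was requested.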
On the other hand, LunarMail is disseminated via a malicious Microsoft Word document sent through spear-phishing emails, which includes payloads of LunarLoader and the associated backdoor.
How Do the LunarWeb and LunarMail Backdoors Operate Once Executed?
LunarWeb is capable of gathering system information and executing commands embedded within JPG and GIF image files received from the C&C server. The results are then compressed and encrypted before being sent back out. To evade detection, LunarWeb disguises its network traffic to resemble legitimate activities such as Windows updates.
The C&C instructions enable LunarWeb to execute shell and PowerShell commands, run Lua code, manipulate files, and archive specified directories. Another implant, LunarMail, possesses similar functionalities but operates uniquely by integrating with Outlook and communicating with its C&C server through email, scanning for specific messages containing PNG attachments.
LunarMail's commands include configuring an Outlook profile for C&C, launching arbitrary processes, and capturing screenshots. Output from these actions is concealed within PNG images or PDF documents before being sent as email attachments to an attacker-controlled inbox.
LunarMail is designed for deployment on user workstations rather than servers, persisting as an Outlook add-in. Its operational methods mirror those of LightNeuron, another Turla backdoor that employs email messages for C&C communications.