To the Moon and back(doors): Lunar landing in diplomatic missions

Description

ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to avoid detection. LunarMail, installed on workstations as an Outlook add-in, employs email messages for command delivery and data exfiltration, concealing data in images through steganography. Both backdoors share similarities, including a loader that uses the DNS domain name for payload decryption, code overlaps, and the unusual ability to execute Lua scripts. The researchers attribute these compromises to the Russia-aligned Turla APT group with medium confidence.