Today > 1 Critical | 6 High | 24 Medium vulnerabilities   -   You can now download lists of IOCs here!

To the Moon and back(doors): Lunar landing in diplomatic missions

May 16, 2024, 10:01 a.m.

Description

ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to avoid detection. LunarMail, installed on workstations as an Outlook add-in, employs email messages for command delivery and data exfiltration, concealing data in images through steganography. Both backdoors share similarities, including a loader that uses the DNS domain name for payload decryption, code overlaps, and the unusual ability to execute Lua scripts. The researchers attribute these compromises to the Russia-aligned Turla APT group with medium confidence.

Date

Published: May 16, 2024, 9:35 a.m.

Created: May 16, 2024, 9:35 a.m.

Modified: May 16, 2024, 10:01 a.m.

Indicators

82.223.55.220

82.165.158.86

74.50.80.35

65.109.179.67

45.79.93.87

45.33.24.145

212.57.35.176

212.57.35.174

158.220.102.80

176.57.150.252

161.97.74.237

thedarktower.av.master.dns-cloud.net

Attack Patterns

LunarMail

LunarWeb

Turla

T1137.006

T1584.003

T1583.002

T1587.001

T1114.001

T1132.001

T1074.001

T1573.001

T1007

T1113

T1036.005

T1204.002

T1547

T1106

T1082

T1047

T1027