To the Moon and back(doors): Lunar landing in diplomatic missions
May 16, 2024, 10:01 a.m.
Description
ESET researchers discovered two previously unknown backdoors, LunarWeb and LunarMail, that compromised a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, uses HTTP(S) for command-and-control communications and mimics legitimate requests to evade detection. LunarMail, installed on workstations as an Outlook add-in, uses email messages for command delivery and data exfiltration, hiding the exfiltrated data inside images via steganography. The two backdoors share a loader that derives the payload decryption key from the host's DNS domain name (so the payload decrypts only on the intended victim's domain and stays opaque elsewhere), overlapping code, and the unusual ability to execute Lua scripts. ESET attributes the compromises to the Russia-aligned Turla APT group with medium confidence.
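The domain-keyed loader design described above, as an added illustration that is not ESET's code and not the Lunar loader itself: the payload decryption key is derived from the host's DNS domain name, so a sandbox or analyst machine joined to a different domain gets garbage, and an analyst who knows the victim's domain (or a short list of candidates) can unpack the blob. The key derivation (SHA-256 of the lowercased domain) and the cipher (textbook RC4) are assumptions chosen for the demo, not details taken from this page.

```python
"""Environment-keyed payload demo (added example; not ESET's or Turla's code).

Assumptions for illustration only: key = SHA-256(lowercased DNS domain),
cipher = RC4, plaintext prefixed with a 4-byte magic to detect a wrong key.
"""
import hashlib


def derive_key(dns_domain: str) -> bytes:
    # A loader has to normalise the same way on every host: DNS names are
    # case-insensitive, so lowercase before hashing.
    return hashlib.sha256(dns_domain.lower().encode()).digest()


def rc4(key: bytes, data: bytes) -> bytes:
    # Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


MAGIC = b"LUA\x00"  # assumed marker so a wrong key is detectable


def build_blob(dns_domain: str, payload: bytes) -> bytes:
    """Attacker side: seal the payload to one victim domain."""
    return rc4(derive_key(dns_domain), MAGIC + payload)


def try_unpack(blob: bytes, dns_domain: str):
    """Loader side: return the payload if this host's domain yields a sane
    plaintext, else None (the blob is useless off the target domain)."""
    plain = rc4(derive_key(dns_domain), blob)
    if not plain.startswith(MAGIC):
        return None
    return plain[len(MAGIC):]


def recover(blob: bytes, candidate_domains):
    """Analyst side: try candidate domains from incident context until one
    unpacks; returns (domain, payload) or None."""
    for dom in candidate_domains:
        payload = try_unpack(blob, dom)
        if payload is not None:
            return dom, payload
    return None


if __name__ == "__main__":
    # Constructed values: a hypothetical victim domain and a Lua-looking stage.
    blob = build_blob("ministry.example", b"print('stage2')")
    print(try_unpack(blob, "sandbox.local"))           # None: wrong domain
    print(try_unpack(blob, "MINISTRY.EXAMPLE"))        # b"print('stage2')"
    print(recover(blob, ["WORKGROUP", "ministry.example"]))
```

The practical consequence for responders is in `recover`: a sample pulled from a compromised server will not detonate in a stock sandbox, so triage needs the victim's actual DNS domain name (or the loader's key-derivation routine reversed) before the payload can be examined.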
Date
Published: May 16, 2024, 9:35 a.m.
Created: May 16, 2024, 9:35 a.m.
Modified: May 16, 2024, 10:01 a.m.
Indicators
82.223.55.220
82.165.158.86
74.50.80.35
65.109.179.67
45.79.93.87
45.33.24.145
212.57.35.176
212.57.35.174
158.220.102.80
176.57.150.252
161.97.74.237
thedarktower.av.master.dns-cloud.net
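A way to put the indicators above to work, as an added example that is not part of the original report: the script extracts IPv4 addresses and hostnames from proxy and DNS log lines and reports any that match the listed IOCs (a hostname also matches if it sits under the listed domain). The log lines are constructed for the demo and are not real telemetry; the formats (a Squid-style proxy line, a key=value DNS-client line) are assumptions.

```python
"""IOC sweep over log lines (added example, not from the ESET report)."""
import ipaddress
import re

# Network indicators as listed on this page.
IOC_IPS = {
    "82.223.55.220", "82.165.158.86", "74.50.80.35", "65.109.179.67",
    "45.79.93.87", "45.33.24.145", "212.57.35.176", "212.57.35.174",
    "158.220.102.80", "176.57.150.252", "161.97.74.237",
}
IOC_DOMAINS = {"thedarktower.av.master.dns-cloud.net"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b")


def _ips(line: str):
    # Keep only syntactically valid dotted quads (drops e.g. 999.1.1.1).
    out = []
    for cand in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(cand)
        except ValueError:
            continue
        out.append(cand)
    return out


def _hosts(line: str):
    return HOST_RE.findall(line.lower())


def domain_hit(host: str):
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan(log_text: str):
    """Return one hit per (line, indicator) as dicts, in line order."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        seen = set()  # an indicator repeated on one line is reported once
        for ip in _ips(line):
            if ip in IOC_IPS and ip not in seen:
                seen.add(ip)
                hits.append({"line": n, "kind": "ip", "indicator": ip, "text": line})
        for host in _hosts(line):
            d = domain_hit(host)
            if d and d not in seen:
                seen.add(d)
                hits.append({"line": n, "kind": "domain", "indicator": d, "text": line})
    return hits


# Constructed sample lines (not real telemetry): a Squid-style CONNECT to a
# listed IP, a DNS-client query for the listed domain, then two benign lines.
SAMPLE_LOG = """\
1715850000.123    245 10.20.30.40 TCP_TUNNEL/200 4321 CONNECT 82.223.55.220:443 - HIER_DIRECT/82.223.55.220 -
2024-05-16T09:35:00Z dns-client host=WS-0142 query=thedarktower.av.master.dns-cloud.net type=A
2024-05-16T09:36:00Z dns-client host=WS-0142 query=update.microsoft.com type=A
1715850100.456    120 10.20.30.41 TCP_MISS/200 812 GET http://203.0.113.9/index.html - HIER_DIRECT/203.0.113.9 text/html
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h['line']}: {h['kind']} {h['indicator']}: {h['text']}")
```

Run it against exported proxy, firewall, or DNS logs covering the campaign window; a hit on the IP list is worth a look, and a hit on the domain is a strong signal because the name is specific to this infrastructure.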
Attack Patterns
LunarMail
LunarWeb
Turla
T1137.006 (Office Application Startup: Add-ins)
T1584.003 (Compromise Infrastructure: Virtual Private Server)
T1583.002 (Acquire Infrastructure: DNS Server)
T1587.001 (Develop Capabilities: Malware)
T1114.001 (Email Collection: Local Email Collection)
T1132.001 (Data Encoding: Standard Encoding)
T1074.001 (Data Staged: Local Data Staging)
T1573.001 (Encrypted Channel: Symmetric Cryptography)
T1007 (System Service Discovery)
T1113 (Screen Capture)
T1036.005 (Masquerading: Match Legitimate Name or Location)
T1204.002 (User Execution: Malicious File)
T1547 (Boot or Logon Autostart Execution)
T1106 (Native API)
T1082 (System Information Discovery)
T1047 (Windows Management Instrumentation)
T1027 (Obfuscated Files or Information)