Two new backdoors discovered by ESET security researchers and given the names LunarWeb and LunarMail targeted an unnamed European Ministry of Foreign Affairs and three of its Middle Eastern diplomatic missions, The Hacker News reports.
These backdoors have likely been in use since early 2020. The attack vector remains uncertain, but spear-phishing and misconfigured Zabbix software are suspected.
The attack sequence starts with a malicious ASP.NET web page that decodes two embedded blobs containing LunarLoader and LunarWeb; only after it receives a specific cookie does the page decrypt the next-stage payloads. LunarWeb is deployed on servers and uses HTTP(S) for command-and-control (C&C) communications, which it has reportedly been observed disguising as legitimate requests so that its traffic blends in. It collects system data, parses commands from image files, and exfiltrates results in an encrypted format.
Meanwhile, LunarMail spreads via malicious Word documents attached to spear-phishing emails, which deploy LunarLoader and then the backdoor. It uses Outlook for C&C, embedding command execution output in PNG images or PDF files and sending them as email attachments.
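The report says LunarMail hides command output inside PNG attachments and LunarWeb reads commands from image files, but it does not describe the embedding method. The following triage script is an added example, not code from ESET or the reported campaign: it walks a PNG's chunk structure and flags the generic anomalies a mail-gateway or forensic check would look for in an image-borne covert channel, namely data appended after the IEND chunk, unusually large ancillary chunks, and CRC mismatches. The sample image and the appended "output" are constructed inline; the thresholds and the anomaly choices are assumptions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def analyze_png(data: bytes, max_ancillary: int = 1024) -> dict:
    """Walk PNG chunks and collect structural findings (assumed heuristics)."""
    findings = {"chunks": [], "trailing_bytes": 0, "crc_errors": [], "large_ancillary": []}
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            findings["truncated"] = True
            break
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:
            findings["crc_errors"].append(name)
        findings["chunks"].append((name, length))
        # Ancillary chunks have a lowercase first letter; a big one is a hiding place.
        if name[0].islower() and length > max_ancillary:
            findings["large_ancillary"].append((name, length))
        pos += 12 + length
        if name == "IEND":
            # Anything after IEND is not image data and is a classic carrier for payloads.
            findings["trailing_bytes"] = len(data) - pos
            break
    return findings

def suspicious(findings: dict) -> bool:
    return findings["trailing_bytes"] > 0 or bool(findings["large_ancillary"]) \
        or bool(findings["crc_errors"]) or findings.get("truncated", False)

def chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_sample(extra_chunks: bytes = b"", trailer: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG; extra_chunks go before IEND, trailer after it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + extra_chunks + chunk(b"IEND", b"") + trailer

if __name__ == "__main__":
    print(analyze_png(build_sample(trailer=b"constructed output")))
```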
The cyberespionage campaign is attributed with medium confidence to the Russia-aligned advanced persistent threat group Turla, known for its sophisticated operations dating back to at least 1996.