15 May 2024

Russian cyberspies Turla target European MFA with new backdoors

The network of an unnamed European Ministry of Foreign Affairs (MFA) and its diplomatic missions abroad has been found to be infected with two previously undocumented backdoors attributed to the Russia-aligned cyberespionage group Turla, also known as Snake.

Turla has a long history of targeting high-profile entities, including governmental and diplomatic organizations. Active since at least 2004, Turla has been behind cyber espionage operations across Europe, Central Asia, and the Middle East. Notable breaches attributed to the group include the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.

Dubbed ‘LunarWeb’ and ‘LunarMail,’ the two backdoors are believed to have been in operation since at least 2020. LunarWeb, deployed on servers, uses HTTP(S) for its command and control (C2) communications, disguising its C2 traffic as legitimate requests.

LunarMail, deployed on workstations, operates as an Outlook add-in and uses email messages for its C2 communications. Both backdoors employ steganography, concealing commands within image files so that the C2 exchange looks like ordinary web or mail content.
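The article does not say which steganographic scheme the Lunar backdoors use, so the following is an added illustration of the generic technique, not code from the report or from the malware: a command is written into the least significant bit of each pixel byte of a carrier image, which changes no byte by more than one and is invisible to the eye. The carrier is a constructed flat RGB pixel buffer standing in for a decoded image, and the command string is made up for the example.

```python
import struct

# Constructed 32x32 RGB carrier (3072 pixel bytes) with a deterministic pattern.
# A real PNG/JPEG would decode to a buffer of pixel bytes like this one.
WIDTH, HEIGHT = 32, 32
CARRIER = bytes((x * 7 + 13) % 256 for x in range(WIDTH * HEIGHT * 3))

# Constructed operator command; the real backdoors encrypt theirs before hiding them.
COMMAND = b"cmd:whoami /all"


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_in_lsb(pixels: bytes, message: bytes) -> bytes:
    """Hide message in the least significant bit of each pixel byte.

    A 4-byte big-endian length prefix tells the extractor where the message ends.
    """
    framed = struct.pack(">I", len(message)) + message
    if len(framed) * 8 > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit  # clear the LSB, then set it to the message bit
    return bytes(out)


def extract_from_lsb(pixels: bytes) -> bytes:
    """Recover a message hidden by embed_in_lsb; raises ValueError on a clean image."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        vals = bytearray()
        for b in range(count):
            v = 0
            for k in range(8):
                v = (v << 1) | (pixels[start_bit + b * 8 + k] & 1)
            vals.append(v)
        return bytes(vals)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    # A carrier without a hidden message yields an arbitrary length prefix; reject
    # anything that would run past the end of the buffer instead of returning noise.
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds carrier: no hidden message or corrupted")
    return read_bytes(32, length)


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte change between two equally sized pixel buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    stego = embed_in_lsb(CARRIER, COMMAND)
    print("recovered:", extract_from_lsb(stego))
    print("max pixel change:", max_pixel_delta(CARRIER, stego))
```

The size of the image does not change and every pixel value moves by at most one, which is why detection has to look at the traffic pattern (who fetches which images, how often, with what headers) or at statistical properties of the pixel data rather than at the picture itself.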

Both backdoors are delivered by a loader that decrypts its payload using the DNS domain name of the host as key material, which ties the payload to the targeted environment, and both can execute Lua scripts. The backdoors share code and blend into legitimate traffic by spoofing HTTP headers and hiding commands within images.
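To show why keying the loader to the DNS domain name matters for analysts, here is an added example that is not code from the report or from the malware: the payload (a constructed Lua snippet, since the backdoors run Lua) is encrypted under a key derived from the target's domain name, and the loader only obtains a usable payload when it runs inside that domain. The key derivation (SHA-256 of the lowercased domain), the cipher (a small RC4 implementation) and the `LUA!` marker used to recognise a correct key are illustrative choices for this example, not the scheme Turla uses; the domain `mfa.example` is hypothetical.

```python
import hashlib
import socket

# Constructed marker so the loader can tell a correct key from a wrong one.
MAGIC = b"LUA!"

# Hypothetical target domain and constructed Lua payload for the example.
TARGET_DOMAIN = "mfa.example"
PAYLOAD = b'print("hello from lua")'


def domain_key(dns_domain: str) -> bytes:
    """Derive the payload key from the DNS domain name only (illustrative KDF)."""
    return hashlib.sha256(dns_domain.strip().lower().encode()).digest()


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (symmetric: the same call encrypts and decrypts)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def pack_payload(payload: bytes, target_domain: str) -> bytes:
    """Operator side: encrypt the payload for exactly one target domain."""
    return rc4(domain_key(target_domain), MAGIC + payload)


def unpack_payload(blob: bytes, local_domain: str):
    """Loader side: decrypt with the local domain; returns None when the key does
    not fit, which is all a sandbox or an analyst outside the target domain sees."""
    plain = rc4(domain_key(local_domain), blob)
    if not plain.startswith(MAGIC):
        return None
    return plain[len(MAGIC):]


def local_dns_domain() -> str:
    """Best-effort DNS domain of this host: the FQDN without its first label."""
    fqdn = socket.getfqdn()
    return fqdn.split(".", 1)[1] if "." in fqdn else ""


if __name__ == "__main__":
    blob = pack_payload(PAYLOAD, TARGET_DOMAIN)
    print("inside target domain:", unpack_payload(blob, TARGET_DOMAIN))
    print("inside a sandbox:   ", unpack_payload(blob, "sandbox.local"))
```

The practical consequence for incident responders is that a loader sample pulled from a compromised server will not yield its payload in a lab unless the analyst also records the victim's DNS domain name (or runs the sample on a host that reports it), which is an argument for capturing environment details alongside the binaries during collection.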

Researchers at ESET, who analyzed the campaign, believe that the threat actor likely had access to the MFA's domain controller and used it for lateral movement to machines of related institutions on the same network.

Initial access was likely gained through spearphishing and by exploiting misconfigured network and application monitoring software such as Zabbix.

“We observed varying degrees of sophistication in the compromises; for example, the careful installation on the compromised server to avoid scanning by security software contrasted with coding errors and different coding styles (which are not the scope of this blogpost) in the backdoors. This suggests multiple individuals were likely involved in the development and operation of these tools,” the researchers noted.
