15 May 2024

Russian cyberspies Turla target European MFA with new backdoors

The network of an unnamed European Ministry of Foreign Affairs (MFA) and its diplomatic missions abroad have been found to be infected by previously undocumented backdoors attributed to the notorious Russia-aligned cyberespionage group Turla aka Snake.

Turla has a long history of targeting high-profile entities, including governmental and diplomatic organizations. Active since at least 2004, Turla has been behind cyber espionage operations across Europe, Central Asia, and the Middle East. Notable breaches attributed to the group include the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.

Dubbed LunarWeb and LunarMail, the two backdoors are believed to have been in operation since at least 2020. LunarWeb, deployed on servers, uses HTTP(S) for its command and control (C2) communications, disguising its traffic as legitimate requests.

Meanwhile, LunarMail, deployed on workstations, operates as an Outlook add-in and uses email messages for C2 communications. Both backdoors employ steganography, concealing commands within images to evade detection.

Both backdoors are delivered by a loader that decrypts its payload using DNS domain names, and both can execute Lua scripts. They also share code and are able to blend in with legitimate traffic by spoofing HTTP headers and hiding commands within images.
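One defensive check against image-borne C2 of the kind described above is to flag an image that carries bytes past its end-of-image marker, since a file that parses as a complete picture and then keeps going is a common sign of a smuggled payload. The following is an added example, not code from ESET or the article; it assumes the hidden data is simply appended after a JPEG's EOI marker, which is one common stego technique and not something the article states about LunarWeb specifically.

```python
def jpeg_end(data: bytes):
    """Offset just past the EOI marker of a JPEG, or None if it is malformed."""
    if data[:2] != b"\xff\xd8":
        return None
    i, n = 2, len(data)
    while i + 1 < n:
        if data[i] != 0xFF:
            return None                               # lost marker sync
        marker = data[i + 1]
        if marker == 0xD9:                            # EOI: image ends here
            return i + 2
        if marker == 0xFF:                            # fill byte before a marker
            i += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # markers with no length field
            i += 2
            continue
        if i + 3 >= n:
            return None
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")
        if marker == 0xDA:                            # SOS: skip entropy-coded bytes
            # inside scan data 0xFF is always followed by 0x00 or an RSTn marker
            while i + 1 < n and not (data[i] == 0xFF and data[i + 1] != 0
                                     and not 0xD0 <= data[i + 1] <= 0xD7):
                i += 1
    return None


def appended_bytes(data: bytes) -> int:
    """Number of bytes after the image terminator; -1 if not a parseable JPEG."""
    end = jpeg_end(data)
    return -1 if end is None else len(data) - end


# Constructed sample (not a real capture): a skeletal JPEG made of SOI, a tiny
# APP0 segment, an SOS segment with a few entropy bytes (including a stuffed
# 0xFF00 and an RST0 marker) and EOI, then the same file with a blob appended.
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x04JF" + b"\xff\xda\x00\x02"
              + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
SUSPECT_JPEG = CLEAN_JPEG + b"CMD:constructed-sample"

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_JPEG), ("suspect", SUSPECT_JPEG)):
        print(f"{name}: {appended_bytes(img)} trailing byte(s)")
```

A non-zero result is a trigger for closer inspection rather than proof of malice, since some legitimate tools also leave trailing data after EOI.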

ESET researchers, who analyzed the campaign, believe the threat actor likely had access to the MFA's domain controller and used it to move laterally to machines of related institutions on the same network.

The attackers likely gained initial access through spearphishing and by exploiting misconfigured network and application monitoring software, such as Zabbix.

“We observed varying degrees of sophistication in the compromises; for example, the careful installation on the compromised server to avoid scanning by security software contrasted with coding errors and different coding styles (which are not the scope of this blogpost) in the backdoors. This suggests multiple individuals were likely involved in the development and operation of these tools,” the researchers noted.
