The network of an unnamed European Ministry of Foreign Affairs (MFA) and its diplomatic missions abroad have been found to be infected by previously undocumented backdoors attributed to the notorious Russia-aligned cyberespionage group Turla aka Snake.
Turla has a long history of targeting high-profile entities, including governmental and diplomatic organizations. Active since at least 2004, Turla has been behind cyber espionage operations across Europe, Central Asia, and the Middle East. Notable breaches attributed to the group include the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.
Dubbed ‘LunarWeb’ and ‘Lunar Mail,’ the two backdoors are believed to have been in operation since at least 2020. LunarWeb, deployed on servers, utilizes HTTP(S) for its command and control (C2) communications, disguising its activities within legitimate requests.
Meanwhile, LunarMail, deployed on workstations, operates as an Outlook add-in, using email messages for C2 communications. Both backdoors employ steganography, concealing commands within images to evade detection.
Both backdoors implement a loader that decrypts payloads using DNS domain names, as well as the ability to execute Lua scripts. Furthermore, the backdoors share codebases and demonstrate the capability to impersonate legitimate traffic, leveraging HTTP headers spoofing and hidden commands within images.
The ESET researchers believe that in the observed campaign the threat actor likely had access to the domain controller of the MFA and utilized it for lateral movement to machines of related institutions in the same network.
The attackers likely gained initial access through spearphishing and exploited misconfigured network and application monitoring software, such as Zabbix.
“We observed varying degrees of sophistication in the compromises; for example, the careful installation on the compromised server to avoid scanning by security software contrasted with coding errors and different coding styles (which are not the scope of this blogpost) in the backdoors. This suggests multiple individuals were likely involved in the development and operation of these tools,” the researchers noted.