WebsiteGear Logo Log In
New User? Sign Up
About | Contact | FAQ
  Home News Technology Software Products Monday, June 24, 2024 
Add Press Release News | News Feeds Feeds | Email This News Email


ESET Research: Russia-aligned Turla group likely uses Lunar arsenal to target & spy on European diplomats
Thursday, May 23, 2024

    --  ESET Research discovered two previously unknown backdoors -- which we
        named LunarWeb and LunarMail -- compromising a European ministry of
        foreign affairs and its diplomatic missions abroad, primarily in the
        Middle East.
    --  ESET researchers attribute these compromises with medium confidence to
        the infamous Russia-aligned cyberespionage group Turla. The aim of the
        campaign is cyberespionage.
    --  Turla, also known as Snake, has been active since at least 2004,
        possibly even dating back to the late 1990s. It is believed to be part
        of the Russian FSB.
    --  ESET believes that the Lunar toolset has been in use since at least
        2020.
    --  Both backdoors employ steganography, a technique in which commands are
        hidden in images to avoid detection.

BRATISLAVA, Slovakia, May 15, 2024 /PRNewswire/ -- ESET Research discovered two previously unknown backdoors -- which we named LunarWeb and LunarMail -- compromising a European ministry of foreign affairs and its diplomatic missions abroad, primarily in the Middle East. ESET believes that the Lunar toolset has been used since at least 2020 and, given the similarities between the tactics, techniques, and procedures and past activities, ESET researchers attribute these compromises with medium confidence to the infamous Russia-aligned cyberespionage group Turla. The aim of the campaign is cyberespionage.

The ESET investigation began with the detection of a loader deployed on an unidentified server, which decrypts and loads a payload from a file. This led ESET researchers to the discovery of a previously unknown backdoor, which ESET named LunarWeb. Subsequently, a similar chain with LunarWeb deployed at a diplomatic mission was detected. Notably, the attacker also included a second backdoor -- which ESET named LunarMail -- that uses a different method for command and control (C&C) communications. During another attack, ESET observed simultaneous deployments of a chain with LunarWeb at three diplomatic missions of a European country in the Middle East, occurring within minutes of each other. The attacker probably had prior access to the domain controller of the ministry of foreign affairs and utilized it for lateral movement to machines of related institutions in the same network.

LunarWeb, deployed on servers, uses HTTP(S) for its C&C communications and mimics legitimate requests, while LunarMail, deployed on workstations, persists as an Outlook add-in and uses email messages for its C&C communications. Both backdoors employ steganography, a technique in which commands are hidden in images to avoid detection. Their loaders can exist in various forms, including trojanized open-source software, demonstrating the advanced techniques used by the attackers.

"We observed varying degrees of sophistication in the compromises -- for example, the careful installation on the compromised server to avoid scanning by security software contrasted with coding errors and different coding styles of the backdoors. This suggests multiple individuals were probably involved in the development and operation of these tools," says ESET researcher Filip Jur?acko, who discovered the Lunar toolset.

Recovered installation-related components and attacker activity suggest that possible initial compromise happened via spearphishing and abuse of misconfigured network and application monitoring software Zabbix. Furthermore, the attacker already had network access, used stolen credentials for lateral movement, and took careful steps to compromise the server without raising suspicion. In another compromise, researchers found an older malicious Word document, likely from a spearphishing email.

LunarWeb collects and exfiltrates information from the system, such as computer and operating system information, a list of running processes, a list of services, and a list of installed security products. LunarWeb supports common backdoor capabilities, including file and process operations, and running shell commands. On first run, the LunarMail backdoor collects information from recipients' sent email messages (email addresses). In terms of command capabilities, LunarMail is simpler and features a subset of the commands found in LunarWeb. It can write a file, create a new process, take a screenshot, and modify the C&C communication email address. Both backdoors have the unusual capability of being able to execute Lua scripts.

Turla, also known as Snake, has been active since at least 2004, possibly even dating back to the late 1990s. Believed to be part of the Russian FSB, Turla mainly targets high-profile entities such as governments and diplomatic organizations in Europe, Central Asia, and the Middle East. The group is notorious for breaching major organizations, including the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.

For more technical information about the Lunar toolset, read the blogpost "To the Moon and back(doors): Lunar landing in diplomatic missions." Make sure to follow ESET Research on Twitter (today known as X) for the latest news.

About ESET

ESET(®) provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of known and emerging cyberthreats -- securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. An ever-evolving digital landscape demands a progressive approach to security. ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and X.

View original content:https://www.prnewswire.com/news-releases/eset-research-russia-aligned-turla-group-likely-uses-lunar-arsenal-to-target--spy-on-european-diplomats-302146634.html

SOURCE ESET



Email This News Email | Submit To Slashdot Slashdot | Submit To Digg.com Digg | Submit To del.icio.us Del.icio.us | News Feeds Feeds

RELATED NEWS ARTICLES
Nav Clarivate Launches IP Collaboration Hub | Jun 24, 2024
Nav Outerbounds and Codemate Announce Collaboration to Accelerate Custom AI/ML Solutions for Enterprises | Jun 24, 2024
Nav Weekly Recap: 13 Press Releases You Might Have Missed | Jun 21, 2024
Nav Weekly Recap: 11 Press Releases You Might Have Missed | Jun 21, 2024
Nav Virtual Desktop Infrastructure Market size is set to grow by USD 7.55 billion from 2024-2028, Ease of operating and managing virtual infrastructure to boost the market growth, Technavio | Jun 21, 2024
Nav Bendigo and Adelaide Bank Partners with MongoDB to Modernize Core Banking Technology Using Generative AI | Jun 21, 2024
Nav New Evolven ServiceNow Application Closes the Loop of ITSM Processes | Jun 21, 2024
Nav Application Management Services Market size is set to grow by USD 74.1 billion from 2024-2028, demand lead growth boost the market, Technavio | Jun 21, 2024
Nav Unlock the Power of Rapid SAP App Development with Neptune Software's No-Code and Low-Code Tools | Jun 21, 2024
Nav Stamus Networks Marks Decade of SELKS Open-Source Tool with New Edition | Jun 21, 2024
NEWS SEARCH

FEATURED NEWS | POPULAR NEWS
Submit News | View More News View More News