Russian criminals use Lunar malware to breach European government agency

Attackers thought to be part of Russia's FSB

The Turla hacking group has used newly discovered malware to compromise a European ministry of foreign affairs and its diplomatic missions abroad, says ESET.

ESET Research, the research arm of cyber firm ESET, has discovered two new backdoors that have been used to breach a European government agency and its diplomatic missions abroad, mostly in the Middle East.

Due to the similarities with previous attacks, ESET has attributed the compromises, "with medium confidence," to Turla, a Russian group thought to be part of the Russian security services, the FSB.

ESET believes the backdoors, which it has christened LunarWeb and LunarMail, have been used since at least 2020.

The company first discovered the Lunar toolkit when it found a loader deployed on an unidentified server, which decrypts and loads a payload from a file. That led to the discovery of LunarWeb, from which ESET identified "a similar chain...deployed at a diplomatic mission." The attacker in that case also included a second backdoor using a different method for command and control (C&C) communications, which ESET named LunarMail.

In another case, ESET observed the simultaneous deployment of a chain using LunarWeb at three different diplomatic missions of an unnamed European country across the Middle East, "within minutes of each other." The company wrote that the attacker "probably had prior access to the domain controller of the ministry of foreign affairs and utilised it for lateral movement to machines of related institutions in the same network."

LunarWeb is deployed on servers, uses HTTP(S) for its C&C communications and mimics legitimate requests. LunarMail, on the other hand, is deployed on workstations, persists as an Outlook add-in and uses email messages for its C&C communications. Both backdoors are hidden in images to avoid detection, a practice known as steganography.
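The steganography point above is the one a defender can act on most directly: an image that carries more than an image is a file the decoder will happily open while ignoring the extra bytes. The following Python script is an added example, not ESET's tooling and not a description of the exact technique the Lunar loaders use; it implements one widely used heuristic, walking the PNG chunk list and the JPEG marker stream to find the format's end-of-image marker and reporting anything appended after it, together with the Shannon entropy of that tail (high entropy hints at a packed or encrypted blob). The sample images are constructed inline so the script runs offline; the JPEG is a marker-level skeleton, not a decodable picture.

```python
"""Flag image files that carry bytes after their end-of-image marker (constructed example)."""
import math
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> Optional[int]:
    """Walk PNG chunks; return the byte count after IEND, or None if not well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # length + type + data + CRC
        if chunk_end > len(data):
            return None                           # truncated chunk
        if ctype == b"IEND":
            return len(data) - chunk_end
        pos = chunk_end
    return None                                   # no IEND chunk found


def jpeg_trailing_bytes(data: bytes) -> Optional[int]:
    """Walk JPEG marker segments; return the byte count after EOI, or None if not well-formed."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                           # lost marker sync
        marker = data[pos + 1]
        pos += 2
        if marker == 0xFF:                        # fill byte before a marker
            pos -= 1
            continue
        if marker == 0xD9:                        # EOI: anything after it is trailing data
            return len(data) - pos
        if marker == 0xD8 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                              # standalone markers have no length field
        if pos + 2 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += seg_len                            # length field counts itself
        if marker == 0xDA:                        # SOS: skip entropy-coded data to next marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                         # real marker (stuffed FF00 and RSTn are data)
                pos += 1
    return None


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; ~8.0 for encrypted or compressed data, lower for text or code."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum((c / len(buf)) * math.log2(c / len(buf)) for c in counts if c)


def scan_image(data: bytes) -> dict:
    """Classify a blob: container format, bytes after end marker, and entropy of that tail."""
    for fmt, walker in (("png", png_trailing_bytes), ("jpeg", jpeg_trailing_bytes)):
        trailing = walker(data)
        if trailing is not None:
            tail = data[len(data) - trailing:] if trailing else b""
            return {"format": fmt, "trailing_bytes": trailing,
                    "tail_entropy": round(shannon_entropy(tail), 4),
                    "suspicious": trailing > 0}
    return {"format": "unknown", "trailing_bytes": None, "tail_entropy": None, "suspicious": None}


# ---- constructed sample inputs -------------------------------------------------------------
def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """A valid 1x1 RGB PNG built from scratch (constructed test input)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")    # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


JPEG_SKELETON = (
    b"\xff\xd8"                                   # SOI
    + b"\xff\xe0" + struct.pack(">H", 4) + b"JF"  # APP0, 2 body bytes
    + b"\xff\xda" + struct.pack(">H", 3) + b"\x01"  # SOS header
    + b"\x12\xff\x00\x34\xff\xd0\x56"             # entropy data with FF00 stuffing and RST0
    + b"\xff\xd9"                                 # EOI
)

if __name__ == "__main__":
    for name, blob in (("clean.png", make_png_1x1()),
                       ("smuggled.png", make_png_1x1() + b"payload"),
                       ("clean.jpg", JPEG_SKELETON),
                       ("smuggled.jpg", JPEG_SKELETON + b"\x00" * 16)):
        print(name, scan_image(blob))
```

On a real file share the loop at the bottom would read files from disk; a positive hit means only that the file has a payload-sized tail, so pair it with the decoded image dimensions and the entropy figure before treating it as an indicator rather than a metadata quirk.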

LunarWeb collects and exfiltrates information from the target system, such as a list of installed security products and running processes. LunarMail, on the other hand, collects email addresses from sent email messages.

LunarWeb supports common backdoor capabilities, like the ability to run shell commands. The simpler LunarMail features a subset of those commands; for example, it can write a file, create a new process, take a screenshot and modify the C&C communication email address. Both backdoors have the "unusual capability" of being able to execute Lua scripts.

"Varying degrees of sophistication" in the attacks suggest "multiple individuals were probably involved in the development and operation of these tools," said ESET researcher Filip Jurčacko, who discovered the Lunar toolset.

Who is Turla?

The Turla group, also known as Snake, is known to have operated since at least the early 2000s, when it used the Snake malware to exfiltrate documents. The FBI shut down that tool last year, but the group has remained operational.

Turla mainly targets government agencies, diplomatic organisations and other high-profile targets in Europe, the Middle East and Central Asia. It has previously breached the Armenian government in 2020, Iranian infrastructure in 2019 (no honour among thieves) and the US Department of Defense in 2008.