Two new backdoors discovered by security researchers at ESET and named LunarWeb and LunarMail targeted an unnamed European Foreign Ministry and three diplomatic missions in the Middle East, The Hacker News reported.
These backdoors may have been in use since early 2020. The attack vector remains unknown, but spear phishing and misconfigured Zabbix software are suspected.
The attack sequence begins with a malicious ASP.NET web page that decodes two embedded blobs containing LunarLoader and LunarWeb. When the web page receives a particular cookie, it decrypts the payload for the next stage. LunarWeb has been observed deployed on servers, using HTTP(S) for command-and-control communications that mimic legitimate requests. It collects system data, parses commands hidden in image files, and exfiltrates results in encrypted form. The backdoor also reportedly disguises its network traffic to appear legitimate.
LunarMail, on the other hand, spreads through malicious Word documents in spear-phishing emails and deploys LunarLoader and a backdoor. It uses Outlook for C&C, embeds the output of executed commands into a PNG image or PDF, and sends it as an email attachment.
This cyber espionage activity is believed with medium confidence to be the work of Turla, a Russian-aligned advanced persistent threat group known for sophisticated operations dating back to at least 1996.