Lunar Backdoors Breach European Diplomacy: LunarWeb and LunarMail Uncovered

Dive into the shadowy world of cyber espionage with LunarWeb and LunarMail, two stealthy backdoors infiltrating European diplomatic missions. Masterminded since 2020, possibly by Russia’s Turla group, these tools spell sophisticated digital doom, pilfering secrets under the guise of benign emails and server updates.

Hot Take:

Just when you thought your emails were safe from prying eyes, along come LunarWeb and LunarMail to add a dash of espionage to your diplomatic dispatches!

  • LunarWeb and LunarMail are two new backdoors linked to possible Russian state-sponsored hacking activities, targeting European diplomatic entities.
  • The attack chain begins with spear-phishing emails carrying malicious Word files that deploy LunarMail on workstations, while LunarWeb is installed on servers by abusing misconfigured tools such as Zabbix.
  • LunarWeb masquerades as legitimate software on servers, while LunarMail sneaks around in Microsoft Outlook on user workstations.
  • Both backdoors enable data theft, surveillance, and command execution, hiding commands in image files using steganography.
  • Attributed with medium confidence to the Turla group, these backdoors have been active and undetected since at least 2020.

Need to know more?

The Art of Stealthy Intrusion

Imagine receiving an innocuous-looking email, clicking on a document, and unknowingly rolling out the red carpet for spies into your network. That’s the modus operandi of LunarMail, which kicks off the digital infiltration fiesta by piggybacking on Word files. And let’s not forget LunarWeb, which plays dress-up to look like your everyday network monitoring tool but is really just waiting to pounce on your server with the enthusiasm of a cat on a laser pointer.

A Tale of Two Backdoors

While LunarWeb and LunarMail might sound like rejected names for space missions, they’re actually quite adept at their jobs. LunarWeb, the server squatter, is all about mimicking legitimate traffic, making it the ninja of network activity. It takes orders hidden in cute .JPGs and .GIFs, because why not add a bit of artistry to espionage? On the other hand, LunarMail prefers the cozy confines of Outlook, where it exchanges top-secret whispers disguised as boring old emails, using .PNGs as its covert communication channel.

Command, Control, and a Touch of Creativity

The attackers aren’t just content with a foothold; they want the whole leg. Once inside, they can direct commands to the compromised systems via a C2 server, move laterally across the network like a crab at a beach party, and even take a peek at what’s on your screen—because who doesn’t love a good screenshot?

A Russian Connection?

Attributing cyberattacks can be as tricky as guessing the number of jellybeans in a jar. However, ESET’s sleuths link these sneaky backdoors to the Turla group with medium confidence, which is cybersecurity speak for “probably, but don’t quote us on that.” If true, it’s clear Turla’s not just resting on its laurels but is actively updating its spyware wardrobe to stay in vogue.

The Invisible Guests at the Party

Despite being the new kids on the block, LunarWeb and LunarMail have apparently been crashing diplomatic parties since 2020, proving that sometimes the most effective gatecrashers are the ones you don’t even notice. And in a world where cyber espionage is a game of digital hide and seek, these tools have been ‘it’ for quite a while without anyone realizing.

As the cyberworld turns its vigilant eyes towards these shadowy figures, ESET has kindly left breadcrumbs in the form of IoCs for anyone looking to see if they’ve had unwanted guests. It’s like giving you the map to find the hidden cameras in your digital house—use it wisely!
