Two previously unknown backdoors, LunarWeb and LunarMail, were found compromising a European ministry of foreign affairs and its diplomatic missions. Attribution is a medium-confidence link to Turla (Snake), with attackers using server‑facing and workstation backdoors that communicate over HTTP(S) or via Outlook email, including steganography to hide commands. #LunarWeb #LunarMail #Turla #Snake #Zabbix #LAPS
Keypoints
- LunarWeb (server) and LunarMail (workstation) backdoors were active in compromises of a European MFA and its diplomatic missions.
- LunarWeb uses HTTP(S) for C2 and mimics legitimate requests; LunarMail uses Outlook add-ins and email messages for C2.
- Both backdoors hide commands using steganography (in images) and decrypt payloads with RC4 and AES-256.
- A shared loader chain, common codebase elements, and the ability to run Lua scripts indicate a close relationship between the tools.
- Initial access hints at spearphishing and Zabbix abuse; in one case, a malicious Word document delivered LunarMail via macro.
- Turla (Snake) is the attributed actor with medium confidence, historically targeting governments and diplomatic entities.
- IoCs include diverse files, domains, IPs, and registry/state artifacts linked to the Lunar toolset.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – A malicious Word document installs LunarMail via a macro. ‘This document has unusual components: 32- and 64-bit versions of a Stage 1 loader, and a Stage 2 blob containing the LunarMail backdoor.’
- [T1137.006] Office Application Startup: Add-ins – LunarMail loader is persisted as an Outlook add-in. ‘Persistence via Outlook add-in’ (Stage 0 – LunarMail initial user compromise).
- [T1137] Group Policy extension (listed under T1137.006 in the MITRE table) – A Group Policy extension was used to maintain persistence for the LunarWeb loader. ‘The attacker set up a Group Policy extension in the registry using the Remote Registry service.’
- [T1620] Reflective Code Loading – LunarLoader uses a reflective loader to execute a decrypted payload. ‘This function contains a reflective loader.’
- [T1027.003] Obfuscated Files or Information: Steganography – Commands hidden in images via steganography. ‘Both backdoors employ the technique of steganography, hiding commands in images to avoid detection.’
- [T1573.001] Encrypted Channel: Symmetric Cryptography – C2 communications encrypted with AES-256. ‘encrypt C&C communications using AES-256.’
- [T1573.002] Encrypted Channel: Asymmetric Cryptography – RSA-4096 used for decrypting incoming data / key exchange. ‘RSA-4096 keys for decrypting incoming data.’
- [T1071.001] Application Layer Protocol: Web Protocols – LunarWeb communicates over HTTP(S). ‘LunarWeb communicates with its C&C server using HTTP(S)…’
- [T1071.003] Application Layer Protocol: Mail Protocols – LunarMail uses email messages for C2 communications. ‘LunarMail communicates via email messages for C&C purposes.’
- [T1113] Screen Capture – LunarMail can capture screenshots. ‘Screen Capture’ in LunarMail commands.
- [T1114.001] Email Collection: Local Email Collection – LunarMail collects recipients of sent emails (and Outlook profile data). ‘recipients of all sent email messages (email addresses).’
- [T1005] Data from Local System – LunarWeb/LunarMail upload files from the compromised machine. ‘upload files from the compromised machine.’
- [T1560.002] Archive Collected Data: Archive via Library – Compression of data using zlib. ‘statically linked zlib library for compression of collected data.’
- [T1020] Data Obfuscation: Steganography (Data in images) – data hidden in PNGs or PDFs with embedded content. ‘hiding data in image structures’; ‘data embedded in the structures of the image format.’
- [T1041] Exfiltration Over C2 Channel – Data exfiltrated over the C2 channel. ‘exfiltrate data over the C&C channel.’
- [T1071.004] Encrypted Channel: Web Services (additional reference) – Not explicitly listed, but aligns with multiple encrypted channels described. (Note: primary encrypted channels are T1573.001/002.)
Indicators of Compromise
- [IP] 45.33.24[.]145, 45.79.93[.]87 – LunarWeb C2 servers (compromised VPS).
- [IP] 65.109.179[.]67 – LunarWeb C2 server (compromised VPS).
- [IP] 74.50.80[.]35 – LunarWeb C2 server (compromised VPS).
- [IP] 82.165.158[.]86, 82.223.55[.]220 – LunarWeb C2 servers (compromised VPS).
- [IP] 139.162.23[.]113, 158.220.102[.]80, 161.97.74[.]237 – LunarWeb C2 servers (compromised VPS).
- [IP] 176.57.150[.]252, 212.57.35[.]174, 212.57.35[.]176 – LunarWeb C2 servers (compromised VPS).
- [Domain] thedarktower.av.master.dns-cloud[.]net – domain pinged by the malicious document’s macro; listed as C2-related.
- [Domain] ctldl.windowsupdate.com – Impersonation target in C2 communications (Windows Update impersonation).
- [Domain] MFA-related and other impersonated hostnames observed in C2 communications (as listed in the article’s impersonation table).
- [File] App_Web_0bm4blbr.dll – LunarWeb loader component; its MD5/SHA-1 hashes are given in the article’s IoC table.
- [File] gpgol.dll – LunarLoader (x86/x64) components; used to load LunarMail or LunarWeb.
- [File] tapiperf.dll – LunarLoader (x64) loader component for LunarWeb.
- [File] AdmPwd.dll – trojanized AdmPwd (LAPS) loader component for LunarWeb.
- [File] winnet.dll.mui – LunarLoader payload path.
- [State] LunarWeb state files: C:\ProgramData\Microsoft\Windows\Templates\content.tpl, C:\ProgramData\Microsoft\WinThumb\thumb.clb, etc. – state storage for the backdoors.
- [Registry] HKCU\SOFTWARE\Classes\CLSID\{3115036B-547E-4673-8479-EE54CD001B9D} – related to loader persistence.
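As an added example (not from the ESET report), the following PowerShell hunt checks a Windows host for the state files, CLSID key and loader file names listed above, and enumerates the two persistence locations the techniques section names: Outlook add-ins (T1137.006) and Group Policy client-side extensions. The standard Outlook `Addins` and `Winlogon\GPExtensions` registry paths are assumed, since the page does not spell them out; everything else comes from the IoC list.

```powershell
# Added hunt script for the Lunar artifacts named on this page (not ESET code).
# Assumption: standard Outlook add-in and GPExtensions registry locations.
$SuspectNames = @('gpgol.dll', 'tapiperf.dll', 'AdmPwd.dll', 'App_Web_0bm4blbr.dll', 'winnet.dll.mui')
$StatePaths   = @(
    'C:\ProgramData\Microsoft\Windows\Templates\content.tpl',
    'C:\ProgramData\Microsoft\WinThumb\thumb.clb'
)
$ClsidKey = 'HKCU:\SOFTWARE\Classes\CLSID\{3115036B-547E-4673-8479-EE54CD001B9D}'
$findings = [System.Collections.Generic.List[object]]::new()

# 1. State files and the per-user CLSID key from the IoC list
foreach ($p in $StatePaths) {
    if (Test-Path -LiteralPath $p) { $findings.Add([pscustomobject]@{ Type='StateFile'; Item=$p; Flag=$true }) }
}
if (Test-Path $ClsidKey) { $findings.Add([pscustomobject]@{ Type='Registry'; Item=$ClsidKey; Flag=$true }) }

# 2. Outlook add-ins (T1137.006): resolve each ProgID -> CLSID -> InprocServer32 DLL
$addinRoots = 'HKCU:\Software\Microsoft\Office\Outlook\Addins',
              'HKLM:\Software\Microsoft\Office\Outlook\Addins',
              'HKLM:\Software\WOW6432Node\Microsoft\Office\Outlook\Addins'
foreach ($root in $addinRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($k in Get-ChildItem $root) {
        $progId = $k.PSChildName
        $clsid  = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\CLSID" -ErrorAction SilentlyContinue).'(default)'
        $dll    = $null
        if ($clsid) { $dll = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)' }
        $flag   = [bool]($dll -and ($SuspectNames -contains (Split-Path $dll -Leaf)))
        $findings.Add([pscustomobject]@{ Type='OutlookAddin'; Item="$progId -> $dll"; Flag=$flag })
    }
}

# 3. Group Policy client-side extensions: list every registered DLL, flag known loader names
$gpe = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
foreach ($k in Get-ChildItem $gpe -ErrorAction SilentlyContinue) {
    $dll  = (Get-ItemProperty $k.PSPath).DllName
    $leaf = if ($dll) { Split-Path ([Environment]::ExpandEnvironmentVariables($dll)) -Leaf }
    $flag = [bool]($leaf -and ($SuspectNames -contains $leaf))
    $findings.Add([pscustomobject]@{ Type='GPExtension'; Item="$($k.PSChildName) -> $dll"; Flag=$flag })
}

# Flagged rows first; unflagged add-ins and extensions are still listed for manual review,
# since the page notes the loaders masquerade as legitimate DLL names (e.g. the LAPS AdmPwd.dll).
$findings | Sort-Object Flag -Descending | Format-Table -AutoSize
```

A match on a file name alone is a lead, not a verdict: compare the DLL's hash against the article's IoC table before acting on it.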
Read more: https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/