216.73.216.204

To the Moon and back(doors): Lunar landing in diplomatic missions

· Published 16/05/2024 09:35 · Modified 16/05/2024 10:01

Export JSON

Essential information

Published
16/05/2024 09:35
Modified
16/05/2024 10:01
Tags
2024-05-11 2024-05-16 apt backdoor diplomacy espionage lunarmail lunarweb steganography
Related entities
12 observables, 1 intrusion sets (apt), 17 techniques (mitre), 2 malware

Description

ESET researchers discovered two previously unknown backdoors – and – compromising a European ministry of foreign affairs and its diplomatic missions abroad. , deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to avoid detection. , installed on workstations as an Outlook add-in, employs email messages for command delivery and data exfiltration, concealing data in images through . Both backdoors share similarities, including a loader that uses the DNS domain name for payload decryption, code overlaps, and the unusual ability to execute Lua scripts. The researchers attribute these compromises to the Russia-aligned Turla group with medium confidence.

External references