May 16, 2024
Severity
High
Analysis Summary
Two previously undocumented backdoors, named LunarWeb and LunarMail, were used against an unnamed European Ministry of Foreign Affairs (MFA) and three of its diplomatic missions in the Middle East.
Citing tactical overlaps with earlier campaigns attributed to the group, analysts ascribed the activity with medium confidence to the Russia-aligned cyber espionage group Turla (aka Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, and Venomous Bear).
LunarMail is deployed on workstations, persists as an Outlook add-in, and uses email messages for its C&C (command-and-control) traffic. LunarWeb is deployed on servers and disguises its C&C communications as legitimate-looking requests. Analysis of the Lunar artifacts indicates they may have been used in targeted attacks as early as 2020.
Turla is considered an advanced persistent threat (APT) that has been active since at least 1996 and is believed to be connected to Russia's Federal Security Service (FSB). It has a history of targeting a variety of sectors, including the military, government, embassies, research, and pharmaceuticals. Earlier this year the group was found targeting Polish organizations to deliver a backdoor called TinyTurla-NG (TTNG). Turla has a long history of activity and is a recurring adversary; its aims, methods, and resources all point to a well-funded, highly capable organization.
The exact intrusion vector used against the MFA is not yet known, but spear-phishing and the abuse of improperly configured Zabbix software are believed to have played a role. Researchers reconstructed an attack chain that begins with a crafted ASP.NET web page acting as a conduit for decoding two embedded blobs: the LunarWeb backdoor and a loader known as LunarLoader. Specifically, the page expects a password in a cookie named SMSKey; when the password is supplied, it is used to derive the cryptographic key needed to decrypt the subsequent payloads.
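One way a defender can hunt for the staging page described above is to look for requests that carry the SMSKey cookie in IIS W3C logs. This is an added example, not code from the advisory or the original researchers; it assumes IIS logging has the cs(Cookie) field enabled, and the log lines below are constructed.

```python
"""Hunt IIS W3C logs for requests that present the SMSKey cookie."""

# Constructed sample log excerpt (not from a real server). IIS writes
# the Cookie header with spaces replaced by '+' and cookies split by ';'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs(Cookie) c-ip sc-status
2024-05-10 08:01:12 10.0.0.5 GET /portal/default.aspx - 443 ASP.NET_SessionId=abc123 198.51.100.7 200
2024-05-10 08:02:45 10.0.0.5 GET /legacy/health.aspx - 443 SMSKey=PLACEHOLDER;+ASP.NET_SessionId=abc123 203.0.113.9 200
2024-05-10 08:03:01 10.0.0.5 POST /api/login - 443 - 198.51.100.7 302
"""

SUSPECT_COOKIE = "SMSKey"  # cookie name reported in the advisory


def parse_w3c(log_text):
    """Yield one dict per record, using the most recent #Fields header."""
    fields = []
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign
        yield dict(zip(fields, values))


def cookie_names(cookie_field):
    """Return the cookie names in an IIS cs(Cookie) value ('-' means none)."""
    if cookie_field == "-":
        return []
    names = []
    for part in cookie_field.replace("+", " ").split(";"):
        name = part.strip().split("=", 1)[0]
        if name:
            names.append(name)
    return names


def find_smskey_requests(log_text):
    """Return time/client/URI for every request carrying the SMSKey cookie."""
    hits = []
    for rec in parse_w3c(log_text):
        if SUSPECT_COOKIE in cookie_names(rec.get("cs(Cookie)", "-")):
            hits.append({"time": f"{rec['date']} {rec['time']}",
                         "client": rec["c-ip"], "uri": rec["cs-uri-stem"]})
    return hits
```

A hit points at the page and client to examine; the cookie value itself is not needed for the match, so logs can be hunted without handling the attacker's password.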
The attacker was already inside the network, moved laterally using stolen credentials, and compromised the server carefully to avoid drawing attention. LunarMail, by contrast, is delivered by a malicious Microsoft Word document attached to a spear-phishing email; the document contains both the backdoor and LunarLoader.
LunarWeb can collect system information and decode commands hidden in JPG and GIF image files sent from the C&C server. Collected information is returned in compressed and encrypted form. It makes a further effort to blend in by disguising its network traffic as legitimate-looking activity, for example a Windows update.
Through C&C commands the backdoor can execute Lua code, read and write files, run shell and PowerShell commands, and archive specified paths. The second implant, LunarMail, supports similar features but notably relies on Outlook to communicate with its C&C server over email, searching for specific messages that carry PNG attachments.
LunarMail-specific commands include taking screenshots, spawning arbitrary processes, and setting the Outlook profile used for C&C. Command output is embedded in a PNG image or PDF document before being exfiltrated as an email attachment to an attacker-controlled inbox. Because the backdoor persists as an Outlook add-in, it is intended for user workstations rather than servers. LunarMail operates much like LightNeuron, another Turla backdoor that sends and receives email messages for C&C.
Impact
- Cyber Espionage
- Sensitive Information Theft
- Data Exfiltration
Indicators of Compromise
MD5
- c07a655602adc775b1c2b75dc80df820
SHA-256
- d2fad779289732d1edf932b62278eb3090eb814d624f2e0a4fbbc613495c55e8
SHA-1
- 9cec3972fa35c88de87bd66950e18b3e0a6df77c
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls.
- Conduct regular security awareness training to educate employees about phishing threats and safe email practices.
- Enable multi-factor authentication (MFA) to strengthen account security and prevent unauthorized access.
- Implement robust email filtering mechanisms to identify and block phishing emails, reducing the risk of malware delivery.
- Ensure timely updates and patches for all software, including Microsoft Exchange servers, to address known vulnerabilities.
- Segregate critical systems and sensitive data from the rest of the network through network segmentation to limit lateral movement.
- Deploy comprehensive endpoint protection solutions to detect and block malware and ransomware, safeguarding devices from compromise.
- Collaborate with cybersecurity organizations and law enforcement agencies to share threat intelligence and stay informed about emerging threats.
- Develop and regularly update an incident response plan to efficiently handle cyber attacks, reducing downtime and minimizing the impact of a breach.