The well-known Russia-based advanced persistent threat (APT) group Turla is reported to be targeting a European Ministry of Foreign Affairs.
This new cyber espionage attempt shows how innovative and persistent Turla is.
The group has been active since 2004 and is known for its high-profile attacks on government agencies and key businesses worldwide.
The Attack Vector: Microsoft Outlook Exploited
According to Trendmicro reports, the operation, which took place in August 2018, targeted Microsoft Outlook and The Bat!, an email client popular in Eastern Europe.
Turla sought access to private information by compromising these email clients and forwarding copies of all outgoing emails to the attackers.
This method not only let the group read conversations but also turned email into the channel for sending stolen information to its command and control (C&C) servers.
LunarWeb and LunarMail were used to compromise a European MFA and its diplomatic missions.
Malicious Outlook add-in
A key part of Turla’s strategy in this operation was the use of specially crafted PDF files, which were probably also used for the initial breach.
Once inside the systems, the group used its extensive toolkit, including backdoors and custom malware, to maintain persistence and control over them.
Lunar toolset
Although the full initial compromise is not known, researchers identified an installation-related component in one of the server compromises: a compiled ASP.NET web page built from these source files:
aspnet_client\system_web.aspx
aspnet_client\system_web.cs
system_web.aspx is a known IoC of the China-aligned APT group Hafnium, which exploits Microsoft Exchange Server vulnerabilities. The researchers consider this a coincidence or a false flag.
The system_web.aspx page returns a harmless-looking Zabbix agent log. Hidden from casual inspection, it expects a password in an SMSKey cookie. From that password and the salt Microsoft.SCCM.Update.Manager, an AES-256 key and IV are derived to decrypt two embedded blobs, which are dropped into two temporary files in a directory excluded from scanning.
The password is not known to analysts, but the file sizes match the Stage 1 loader and the Stage 2 blob containing the LunarWeb backdoor.
Having covered the installers, the analysis turns to the loaders and ends with their payloads: two backdoors that were previously unknown to researchers.
The two observed Lunar toolset compromise chains
LunarLoader starts the execution sequence.
It uses RC4, a symmetric cipher, to decrypt the path of the Stage 2 blob, then reads the encrypted payload from that file.
Instead of a mutex or event, it creates and opens a mailslot with a unique name to ensure that only one loader instance is running.
The decryption key is derived from the MD5 hash of the computer’s DNS domain name, and the loader verifies the key before using it.
The payload is decrypted with AES-256 into a PE file. LunarLoader allocates memory for the PE image, decrypts the name of an exported function, and runs it in a new thread; that function is a reflective loader.
Deriving the payload key from the DNS domain name is an execution guardrail: the loader only works inside the intended organization, which hinders analysis when the domain name is unknown.
LunarLoader can run on its own or embedded in trojanized open-source software.
The latter was observed with a trojanized AdmPwd, a component of the Windows Local Administrator Password Solution (LAPS).
Persistence method | Loader path(s) | Host process | Note
Group policy extension | C:\Windows\System32\en-US\winnet.dll.mui; C:\Program Files\LAPS\CSE\AdmPwd.dll* | svchost.exe -k GPSvcGroup | The AdmPwd DLL is a known legitimate file path of Microsoft LAPS.
System DLL replacement | C:\Windows\System32\tapiperf.dll | wmiprvse.exe | Replacing a legitimate Windows DLL.
Outlook add-in | %USERPROFILE%\Gpg4win\gpgol.dll | outlook.exe | N/A
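The following hunt script is an added example, not code from the article or from ESET's research: it checks the persistence locations in the table above and the system_web.aspx installer page from the server compromise. It assumes default LAPS, Gpg4win and IIS install paths, and relies on the standard GPExtensions and Outlook Addins registry keys; the "loaded from a user profile" rule for add-ins is a heuristic.

```powershell
# Added hunt script (not from the article or ESET). Assumed: default LAPS, Gpg4win and IIS paths;
# GPExtensions and Outlook Addins are the standard Windows/Office registry keys.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Group Policy client-side extensions (the winnet.dll.mui / AdmPwd.dll persistence):
#    every DLL registered here should carry a valid Microsoft signature.
$gpeKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
Get-ChildItem $gpeKey -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DllName
    if (-not $dll) { return }
    $path = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path "$env:SystemRoot\System32" $path }
    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    if (-not $sig -or $sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings.Add("GP extension $($_.PSChildName) loads a non-Microsoft or unsigned DLL: $path")
    }
}

# 2. Files named in the table. winnet.dll.mui (mimicking wininet) and a gpgol.dll inside the user
#    profile have no legitimate reason to exist; tapiperf.dll and AdmPwd.dll are real Windows/LAPS
#    files, so for those only a broken or missing signature is a finding.
foreach ($p in "$env:SystemRoot\System32\en-US\winnet.dll.mui", "$env:USERPROFILE\Gpg4win\gpgol.dll") {
    if (Test-Path $p) { $findings.Add("File present at known loader path: $p") }
}
foreach ($p in "$env:SystemRoot\System32\tapiperf.dll", "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll") {
    if (Test-Path $p) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        if ($sig.Status -ne 'Valid') { $findings.Add("Signature check failed ($($sig.Status)) for $p") }
    }
}

# 3. Outlook add-ins: follow ProgID -> CLSID -> InprocServer32 and flag DLLs loaded from a user profile.
foreach ($hive in 'HKCU:', 'HKLM:') {
    Get-ChildItem "$hive\Software\Microsoft\Office\Outlook\Addins" -ErrorAction SilentlyContinue | ForEach-Object {
        $progId = $_.PSChildName
        $clsid = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\CLSID" -ErrorAction SilentlyContinue).'(default)'
        if (-not $clsid) { return }
        $dll = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($dll -and $dll -match '\\Users\\') { $findings.Add("Outlook add-in $progId loads from a user profile: $dll") }
    }
}

# 4. The installer web page from the server compromise (system_web.aspx under aspnet_client).
Get-ChildItem "$env:SystemDrive\inetpub" -Recurse -Filter 'system_web.aspx' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("ASP.NET installer page found: $($_.FullName)") }

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No Lunar persistence artefacts found.' }
```

Run it elevated so the HKLM keys, the IIS directory and the System32 files are readable; a hit on step 2 or 4 warrants pulling the file for analysis rather than deleting it.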
Turla has been refining its strategies and tools for a long time, which makes it one of the most advanced and resilient APT groups.
The group is known for using both common and uncommon malware families, like Carbon and Kazuar, and for having command and control systems that are based on satellites.
Over the years, Turla has regularly targeted government agencies, the military, schools, research labs, and drug companies.
Since this campaign against the European Ministry of Foreign Affairs became public, there have been calls for more international cooperation on cyber defense.
Sharing threat information and best practices is seen as essential for countries and organizations to counter state-sponsored actors like Turla.
Although the two backdoors share a loader, overlapping code and a similar set of commands, they use different C&C communication techniques. LunarWeb, the first backdoor, uses HTTP(S) and impersonates Windows Update traffic.
LunarMail, the second backdoor, hides exfiltrated data in PNG or PDF files and sends them by email through Outlook.
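A detection for the forged-Host-header technique described above, added here as an example and not part of the article or ESET's work: it cross-checks each HTTP request's Host header against the DNS answers the same client actually received, which is where a forged Host header over a direct connection becomes visible. The log lines are constructed Zeek-style samples and the URI is a placeholder, not a real indicator.

```powershell
# Added detection example (not from the article or ESET). Constructed sample logs in CSV form,
# using Zeek field names; answers for one query are separated by ';'.
$dnsLog = @'
ts,id.orig_h,query,answers
1715000001,10.0.0.5,ctldl.windowsupdate.com,203.0.113.10;203.0.113.11
1715000002,10.0.0.5,intranet.example.local,10.0.0.20
'@
$httpLog = @'
ts,id.orig_h,id.resp_h,host,uri
1715000010,10.0.0.5,203.0.113.10,ctldl.windowsupdate.com,/msdownload/update/placeholder.cab
1715000011,10.0.0.5,198.51.100.77,ctldl.windowsupdate.com,/msdownload/update/placeholder.cab
1715000012,10.0.0.5,10.0.0.20,intranet.example.local,/
'@

# Build "client|name" -> set of IPs that name actually resolved to for that client.
function Get-ResolvedMap([string]$dnsCsv) {
    $map = @{}
    foreach ($r in ($dnsCsv | ConvertFrom-Csv)) {
        $key = "$($r.'id.orig_h')|$($r.query.ToLower())"
        if (-not $map.ContainsKey($key)) { $map[$key] = [System.Collections.Generic.HashSet[string]]::new() }
        foreach ($ip in $r.answers -split ';') { [void]$map[$key].Add($ip.Trim()) }
    }
    return $map
}

# Emit every HTTP record whose Host header was never resolved by that client to id.resp_h.
function Find-ForgedHost([string]$httpCsv, [string]$dnsCsv) {
    $resolved = Get-ResolvedMap $dnsCsv
    foreach ($r in ($httpCsv | ConvertFrom-Csv)) {
        $key = "$($r.'id.orig_h')|$($r.host.ToLower())"
        if (-not $resolved.ContainsKey($key) -or -not $resolved[$key].Contains($r.'id.resp_h')) {
            [pscustomobject]@{ ts = $r.ts; client = $r.'id.orig_h'; dest = $r.'id.resp_h'; host = $r.host; uri = $r.uri }
        }
    }
}

# Only the second request is reported: its Host header claims windowsupdate.com, but the client
# never received 198.51.100.77 as an answer for that name.
Find-ForgedHost $httpLog $dnsLog | Format-Table -AutoSize
```

DNS answers cached before the log window produce false positives, so give the DNS side a longer window than the HTTP side; for HTTPS, compare the TLS SNI instead of the Host header.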
MITRE ATT&CK techniques
This table was built using version 15 of the MITRE ATT&CK framework.
Tactic | ID | Name | Description
Reconnaissance | T1591 | Gather Victim Org Information | LunarMail’s communication method indicates prior knowledge about compromised institutions.
Resource Development | T1583.002 | Acquire Infrastructure: DNS Server | Stage 0 macro pings a domain from free DNS hosting provided by ClouDNS.
Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Turla has used VPS hosting providers for C&C servers.
Resource Development | T1584.003 | Compromise Infrastructure: Virtual Private Server | Turla has used compromised VPSes for C&C purposes.
Resource Development | T1586.002 | Compromise Accounts: Email Accounts | Turla has used likely compromised email accounts for communication with the LunarMail backdoor.
Resource Development | T1587.001 | Develop Capabilities: Malware | Turla has developed custom malware, including loaders and backdoors.
Execution | T1047 | Windows Management Instrumentation | LunarWeb obtains system information by using WMI queries.
Execution | T1059 | Command and Scripting Interpreter | LunarWeb and LunarMail can execute Lua scripts.
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | LunarWeb can execute PowerShell commands.
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | LunarWeb can execute shell commands via cmd.exe.
Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic | Stage 0 Word document contains a VBA macro.
Execution | T1106 | Native API | LunarWeb and LunarMail use various Windows APIs.
Execution | T1204.002 | User Execution: Malicious File |
Persistence | T1137.006 | Office Application Startup: Add-ins | LunarMail loader is persisted as an Outlook add-in.
Persistence | T1547 | Boot or Logon Autostart Execution | A LunarWeb loader is persisted as a Group Policy extension.
Persistence | T1574 | Hijack Execution Flow | A LunarWeb loader is persisted by replacing the system DLL tapiperf.dll.
Defense Evasion | T1027 | Obfuscated Files or Information | LunarWeb and LunarMail are AES-256 encrypted on disk.
Defense Evasion | T1027.003 | Obfuscated Files or Information: Steganography | LunarMail stages exfiltration data into a PNG image or PDF document.
Defense Evasion | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | LunarMail dynamically resolves MAPI functions.
Defense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | LunarMail installer has payloads embedded in a DOCX format document.
Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | Filenames used by LunarWeb and LunarMail loading chains mimic legitimate files.
Defense Evasion | T1070.004 | Indicator Removal: File Deletion | LunarWeb and LunarMail can uninstall themselves by deleting their loading chain.
Defense Evasion | T1070.008 | Indicator Removal: Clear Mailbox Data | LunarMail deletes email messages used for C&C communications.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | LunarWeb and LunarMail decrypt their strings using RC4.
Defense Evasion | T1480.001 | Execution Guardrails: Environmental Keying | LunarLoader decrypts its payload using a key derived from the DNS domain name.
Defense Evasion | T1620 | Reflective Code Loading | LunarWeb and LunarMail are executed using a reflective loader.
Discovery | T1007 | System Service Discovery | LunarWeb retrieves a list of services.
Discovery | T1016 | System Network Configuration Discovery | LunarWeb retrieves network adapter information.
Discovery | T1057 | Process Discovery | LunarWeb retrieves a list of running processes.
Discovery | T1082 | System Information Discovery | LunarWeb retrieves system information such as OS version, BIOS version, domain name, and environment variables. LunarMail retrieves environment variables.
Discovery | T1518.001 | Software Discovery: Security Software Discovery | LunarWeb discovers installed security solutions via the WMI query wmic /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get *.
Collection | T1005 | Data from the Local System | LunarWeb and LunarMail can upload files from the compromised machine.
Collection | T1074.001 | Data Staged: Local Data Staging | LunarMail stages data in a directory in %TEMP%.
Collection | T1113 | Screen Capture | LunarMail can capture screenshots.
Collection | T1114.001 | Email Collection: Local Email Collection | LunarMail collects recipients of sent email messages and can collect email addresses of Outlook profiles.
Collection | T1560.002 | Archive Collected Data: Archive via Library | LunarWeb and LunarMail use a statically linked Zlib library for the compression of collected data.
Command and Control | T1001.002 | Data Obfuscation: Steganography | LunarWeb can receive commands hidden in JPG or GIF images. LunarMail receives commands hidden in PNG images and exfiltrates data hidden in PNG images or PDF documents.
Command and Control | T1001.003 | Data Obfuscation: Protocol Impersonation | LunarWeb impersonates legitimate domains in C&C communications by using a fake Host header and known URIs.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | LunarWeb uses HTTP for C&C communications.
Command and Control | T1071.003 | Application Layer Protocol: Mail Protocols | LunarMail uses email messages for C&C communications.
Command and Control | T1090.001 | Proxy: Internal Proxy | LunarWeb can use an HTTP proxy for C&C communications.
Command and Control | T1095 | Non-Application Layer Protocol | Stage 0 macro pings the C&C server, utilizing the ICMP protocol.
Command and Control | T1132.001 | Data Encoding: Standard Encoding | LunarWeb may receive base64-encoded data from the C&C server.
Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | LunarWeb and LunarMail encrypt C&C communications using AES-256.
Command and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | LunarWeb and LunarMail encrypt the AES key used in C&C communications using RSA-4096.
Exfiltration | T1020 | Automated Exfiltration | LunarWeb and LunarMail automatically exfiltrate collected data to the C&C server.
Exfiltration | T1030 | Data Transfer Size Limits | LunarWeb splits exfiltrated data above 1.33 MB into multiple smaller chunks. LunarMail limits the size of email attachments containing exfiltrated data.
Exfiltration | T1041 | Exfiltration Over C2 Channel | LunarWeb and LunarMail exfiltrate data over the C&C channel.
The post Turla APT Group Attacking European Ministry of Foreign Affairs appeared first on Cyber Security News.