LunarWeb is a sophisticated threat actor identified by ESET researchers, linked to Russian state interests. The group was first observed in 2020 and has been associated with two previously unknown backdoors, LunarWeb and LunarMail, which were utilized to breach the European Ministry of Foreign Affairs (MFA) and its diplomatic missions abroad. LunarWeb is deployed on servers and uses HTTP(S) for its Command & Control (C&C) communications, mimicking legitimate requests, while LunarMail is deployed on workstations as an Outlook add-in and uses email messages for its C&C communications. These backdoors have shown advanced capabilities like steganography and Lua scripting.
The LunarWeb component demonstrated complex evasion techniques, including impersonating Zabbix logs and retrieving Zabbix agent configuration. It also employs multiple persistence methods such as creating Group Policy extensions, replacing System DLLs, and deploying as part of legitimate software. To further conceal its activities, LunarWeb spoofs HTTP headers with genuine domains and commonly used attributes to mimic legitimate-looking traffic. In addition, LunarWeb can execute shell and PowerShell commands, gather system information, run Lua code, and exfiltrate data in AES-256 encrypted form.
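Since the paragraph above names Group Policy extensions as one of LunarWeb's persistence methods, here is an added defender-side check (written for this page, not taken from the ESET report) that enumerates the client-side extensions registered under the standard Winlogon\GPExtensions key and flags any whose DLL lives outside System32, is missing, or is not validly signed by Microsoft. It assumes it runs on the Windows host being examined with rights to read HKLM.

```powershell
# Added hunting check (not part of the ESET report): list Group Policy client-side
# extensions (GPEs) and flag those whose DLL looks out of place. The GPExtensions key
# is the standard Windows registration point for GPEs loaded by the Group Policy engine.
$gpeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$system32 = Join-Path $env:SystemRoot 'System32'

function Get-SuspiciousGpExtension {
    param([string]$Root = $gpeRoot)
    Get-ChildItem -Path $Root -ErrorAction Stop | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $dll   = $props.DllName
        if (-not $dll) { return }
        # DllName may be a bare filename (resolved from System32) or a full path with env vars
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        $full = if ([IO.Path]::IsPathRooted($expanded)) { $expanded } else { Join-Path $system32 $expanded }
        $reasons = @()
        if (-not $full.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'DLL outside System32'
        }
        if (-not (Test-Path -LiteralPath $full)) {
            $reasons += 'DLL file missing'
        } else {
            # A replaced or planted DLL usually breaks the Authenticode chain or carries a non-Microsoft signer
            $sig = Get-AuthenticodeSignature -FilePath $full
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $reasons += 'non-Microsoft signer'
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Guid    = $_.PSChildName
                Name    = $props.'(default)'
                Dll     = $full
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousGpExtension | Format-Table -AutoSize
```

Legitimate third-party software (some endpoint agents, for example) also registers GPEs, so each hit needs triage against the installed software inventory rather than being treated as a confirmed implant.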
ESET's research revealed that LunarWeb had been simultaneously deployed at three diplomatic institutions of the MFA in the Middle East within minutes of each other, suggesting that the attacker likely had prior access to the domain controller of the MFA and used it for lateral movement to machines of related institutions in the same network. This level of coordination and sophistication underscores the significant threat posed by LunarWeb, necessitating robust cybersecurity measures to mitigate potential damage.
Description last updated: 2024-10-15T09:21:30.235Z