Turla APT Group Attacking European Ministry of Foreign Affairs

LunarWeb and LunarMail were used to compromise a European Ministry of Foreign Affairs (MFA) and its diplomatic missions.
The analysts do not know the password, but the file sizes match those of the Stage 1 loader and the Stage 2 blob containing the LunarWeb backdoor.
MITRE ATT&CK techniques (tactic, technique ID and name, followed by how LunarWeb and LunarMail use it)

Execution - T1047 Windows Management Instrumentation - LunarWeb obtains system information by using WMI queries.
T1547 Boot or Logon Autostart Execution - A LunarWeb loader is persisted as a Group Policy extension.
T1574 Hijack Execution Flow - A LunarWeb loader is persisted by replacing the system DLL tapiperf.
Defense Evasion - T1027 Obfuscated Files or Information - LunarWeb and LunarMail are AES-256 encrypted on disk.
005 Masquerading: Match Legitimate Name or Location - Filenames used by the LunarWeb and LunarMail loading chains mimic legitimate files.
004 Indicator Removal: File Deletion - LunarWeb and LunarMail can uninstall themselves by deleting their loading chain.
T1140 Deobfuscate/Decode Files or Information - LunarWeb and LunarMail decrypt their strings using RC4.
T1480
T1620 Reflective Code Loading - LunarWeb and LunarMail are executed using a reflective loader.
T1082 System Information Discovery - LunarWeb retrieves system information such as OS version, BIOS version, domain name, and environment variables.
001 Software Discovery: Security Software Discovery - LunarWeb discovers installed security solutions via the WMI query "wmic /Namespace:root\SecurityCenter2 Path AntiVirusProduct Get *".
Collection - T1005
002 Archive Collected Data: Archive via Library - LunarWeb and LunarMail use a statically linked Zlib library for the compression of collected data.
002 Data Obfuscation: Steganography - LunarWeb can receive commands hidden in JPG or GIF images.
003 Data Obfuscation: Protocol Impersonation - LunarWeb impersonates legitimate domains in C&C communications by using a fake Host header and known URIs.
001 Data Encoding: Standard Encoding - LunarWeb may receive base64-encoded data from the C&C server.
002 Encrypted Channel: Asymmetric Cryptography - LunarWeb and LunarMail encrypt the AES key used in C&C communications using RSA-4096.
Exfiltration - T1020 Automated Exfiltration - LunarWeb and LunarMail automatically exfiltrate collected data to the C&C server.
T1030 Data Transfer Size Limits - LunarWeb splits exfiltrated data above 1.33 MB into multiple smaller chunks.
T1041 Exfiltration Over C2 Channel - LunarWeb and LunarMail exfiltrate data over the C&C channel.


This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 15 May 2024 13:40:04 +0000

