C-level executives, diplomats, and high-ranking IT managers usually have access to sensitive information, huge amounts of data, finances, or a combination of all these things. And adversaries know it.

Anticipating all the precious data and access rights, cybercriminals and state-sponsored advanced persistent threat groups (APTs) are willing to invest a lot of time and money to orchestrate attacks that could compromise VIP devices and accounts. In this case, backdoors are particularly dangerous, because typically they have the capability to send files to the host computer, execute files and commands there, and exfiltrate (send) files and documents back to the attacker.

One of the latest examples of such an attack features several sophisticated and previously unknown backdoors called LunarWeb and LunarMail, which were recently described by ESET researchers and presented at the ESET World 2024 conference. Using advanced obfuscation techniques, they were deployed to spy on an undisclosed European ministry of foreign affairs. The attack is attributed with medium confidence to the Russia-aligned APT group Turla.

To protect against such attacks, organizations need to be proactive. This means not only training staff and deploying a reliable cybersecurity solution, but also having comprehensive cyberthreat intelligence helping them stay ahead of adversaries.  

VIPs are also threatened at home

According to a 2023 study conducted by BlackCloak and Ponemon Institute, senior-level corporate executives are increasingly being targeted by sophisticated cyberattacks. These include email compromise, ransomware, malware infection, doxing, extortion, online impersonation and even physical attacks, such as swatting.

Around 42% of surveyed organizations stated that their senior executive or an executive’s family member was attacked over the past two years. Attackers often went for sensitive company data, including financial information and intellectual property.

Cybercriminals did not hesitate to strike when their targets were the most vulnerable – at home with their loved ones. In one-third of reported cases, hackers reached executives through insecure home-office networks used during remote work.

Business email compromise (BEC) is one of the most used tactics against VIPs. It usually comprises a sophisticated scam targeting individuals performing transfers of funds and seeks to compromise legitimate business email accounts through social engineering and/or computer intrusion techniques.

According to the FBI’s Internet Crime Complaint Center (IC3) annual reports, BEC is among the costliest types of crime. In 2023, IC3 received 21,489 BEC complaints with adjusted losses of over $2.9 billion. Only investment crimes (such as pyramid schemes, real estate investment scams, or cryptocurrency investment scams) accumulated more losses than BEC in that year, with $4.7 billion reported stolen.

The Lunar toolset

ESET research on the Lunar toolset demonstrates how such carefully crafted spying can look.

The initial attack vector is not known, but recovered installation-related components and attacker activity suggest possible spearphishing with a malicious Word document and abuse of both a misconfigured network and the application monitoring software Zabbix.

Once access is gained, the backdoor installation process follows. It consists of dropping both a loader and a blob containing either LunarWeb or LunarMail, as well as setting up persistence.

From that point forward, data exfiltration can start. For example, the LunarWeb backdoor gathers data such as the OS serial name, environment variables, network adapters, a list of running processes, a list of services, or a list of installed security products, and sends them to a C&C server.

LunarWeb communicates with a C&C server using HTTP(S) underneath which is a custom binary protocol with encrypted content. ESET researchers only found LunarWeb deployed on servers, not user workstations.

LunarMail is similar, but instead of HTTP(S) it uses email messages for communication with its C&C server. This backdoor is designed to be deployed on user workstations, not servers – because it is persistent and intended to run as an Outlook add-in.

Staying under the radar

The APT group also has several tricks up its sleeve to conceal the malicious activities of deployed backdoors. 

• The loader uses RC4, a symmetric key cipher, to decrypt path to the blob and reads encrypted payloads from it.
• It also creates a decryption key derived from the DNS domain name, which it verifies. Using DNS domain name decryption means that the loader correctly executes only in the targeted organization, which may hinder analysis if the domain name is not known.
• LunarWeb limits initial contact attempts with the C&C server, assessing the backdoor’s lifespan, and checking C&C server accessibility. If any of the safety conditions fail, LunarWeb self-removes, deleting its files, including the loader and the blob.
• To hide its C&C communications, LunarWeb impersonates legitimate-looking traffic, spoofing HTTP headers with genuine domains and commonly used attributes. Notable examples of impersonation include Windows services (Teredo, Windows Update) and updates of ESET products.
• Both LunarWeb and LunarMail can receive commands hidden in images.
• To exfiltrate stolen data, LunarMail embeds them in a PNG image or PDF document. For PNG files, a template matching the compromised institution’s logo is used.
• LunarMail deletes email messages used for C&C communications.
• Both LunarWeb and LunarMail can uninstall themselves.

Image 1. Illustration of an exfiltration email with data hidden in the image.

How to protect VIPs

Being high-priority targets, VIPs should have an adequate high-priority protection in both office and home environments.

• Educate them and the rest of the staff – Technology alone cannot fully safeguard an organization, and the human element will always play a role. Only 9% of cybersecurity professionals participating on the Ponemon survey were highly confident that their CEO or executives would know how to protect their personal computer from viruses, and only 22% trusted them when it comes to securing personal emails.
• Secure their remote working – Because many VIPs are targeted in their home environment, it is necessary to secure their corporate devices, personal devices used for work, and home networks. This includes a use of strong passwords or passphrases, 2FA, regular updating, patching, and backing up data.
• Adopt a zero-trust approach – Take measures to efficiently screen every single point of access, both employee and device – internal and external. Naturally, CEOs and high-ranking managers need a lot of access to perform their duties, but it does not have to be unlimited. Evaluate how much privilege they really need to protect your institution’s data in cases when VIPs’ accounts are compromised.
• Deploy reliable cybersecurity – As the Lunar toolset shows, current cyberthreats operate above the security threshold of traditional firewalls, and more sophisticated security measures need to be adopted. Protection of C-level officials should include multilayered security and proactive defense benefiting from cyber threat intelligence.

ESET Threat intelligence monitors APT groups such as Turla, observing their tactics, techniques, and procedures (TTPs) in order to help organizations prepare for APTs’ new tricks and to also understand their motives. Thanks to comprehensive ESET reports and curated feeds, organizations can anticipate threats and make faster, better decisions.

Facing the big guns

VIPs are prized trophies for cybercriminals and APTs, be they for financial gain or political reasons. Therefore, they often bring their biggest guns to compromise targets’ accounts and devices.

This means that organizations need to build an awareness culture among their employees and protect their devices with the latest technology. ESET solutions and services can help with that.

by Roman Cuprik, ESET