
LunarMail
Type of Malware
Backdoor
Date of initial activity
at least 2020
Country of Origin
Russia
Targeted Countries
European Union
Associated Groups
Turla
Motivation
Cyberespionage
Attack Vectors
LunarMail is delivered through a malicious Microsoft Word document sent in a spear-phishing email; the document carries LunarLoader, which in turn loads the backdoor.
Targeted System
Windows
Variants
Win64/LunarMail.A
Win32/LunarMail.A
VBA/TrojanDownloader.Agent.ZJC
MSIL/Agent.ERT
Overview
LunarMail is a highly sophisticated backdoor that has drawn attention in the cybersecurity community for its advanced capabilities and stealthy operation. Targeting Windows systems, it is designed to give attackers persistent access to compromised machines so they can execute arbitrary commands, collect sensitive information, and exfiltrate data. It is typically distributed through malicious Word documents carrying VBA macros which, once the document is opened, download and install the LunarMail payload.

One of LunarMail's standout features is reflective code loading, which lets the malware run in memory without being written to disk and significantly reduces the chance of detection by traditional antivirus software. LunarMail further strengthens its stealth with AES-256 encryption of both its stored files and its communication with command and control (C2) servers. It also uses legitimate-looking filenames and locations to masquerade as benign software components, making it harder for defenders to identify and remove.

Persistence is a critical aspect of LunarMail's functionality. The malware stays active on infected systems through several methods, including being loaded as an Outlook add-in or through a trojanized version of the AdmPwd DLL. By embedding itself in common system processes and using Windows Management Instrumentation (WMI) for execution, LunarMail blends into the operating environment and resists removal attempts. It also uses steganography for C2 communications, hiding commands inside PNG images and exfiltrating data in a similarly concealed manner, which both obscures its activity and helps it evade network monitoring tools.

LunarMail's reconnaissance capabilities are particularly concerning. The malware gathers extensive information about the infected system, including environment variables, network configuration, and installed security software, which lets the attackers adapt their tactics to the specific environment. It can also capture screenshots and collect email addresses from Outlook profiles. The gathered data is compressed and encrypted before being sent to the C2 servers, protecting the stolen information in transit.

The use of LunarMail indicates a high level of sophistication and intent. Its ability to maintain long-term access, evade detection, and exfiltrate data over an encrypted channel makes it a formidable threat. Organizations must adopt a multi-layered security approach to defend against such threats, including advanced threat detection and response solutions, regular security audits, and employee training to recognize and avoid phishing attempts. LunarMail represents a significant evolution in malware tooling, combining advanced techniques for persistence, stealth, and data exfiltration, and its capabilities underline the need for continuous improvement in defensive measures and for staying informed about emerging threats.
Targets
European Ministry of Foreign Affairs (MFA) and its diplomatic missions abroad
How they operate
LunarMail is a sophisticated backdoor targeting Windows systems whose intricate operation, stealth techniques, and persistence make it a significant concern for security professionals. Distributed through malicious Word documents carrying VBA macros, it is designed to give attackers long-term access to compromised systems, letting them execute commands, gather sensitive information, and exfiltrate data with minimal risk of detection.

Once a victim opens the malicious Word document, the embedded macro starts the download and installation of the LunarMail payload. A standout feature is reflective code loading, which lets the malware run directly from memory without being written to disk and significantly reduces the likelihood of detection by traditional antivirus software. LunarMail also encrypts its stored files and its communication with command and control (C2) servers with AES-256.

Persistence is a critical component of LunarMail's operation. The malware stays active on infected systems through several methods, including being loaded as an Outlook add-in or through a trojanized version of the AdmPwd DLL. By embedding itself in common system processes and using Windows Management Instrumentation (WMI) for execution, LunarMail blends into the operating environment, resists removal attempts, and can operate undetected for extended periods.

LunarMail's use of steganography for C2 communications is particularly noteworthy. The malware hides its commands inside PNG images and exfiltrates data in a similarly concealed manner, which obscures its activity and helps it evade network monitoring tools. Because its communications mimic legitimate network traffic, they blend in with normal operations, making them difficult for security teams to identify and block.

LunarMail's reconnaissance capabilities are extensive. The malware gathers detailed information about the infected system, including environment variables, network configuration, and installed security software, and it can capture screenshots and collect email addresses from Outlook profiles. The collected data is compressed and encrypted before being transmitted to the C2 servers, protecting the stolen information in transit. This ability to adapt to the specific environment of the compromised system increases the effectiveness of the attackers' operations.
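Because the profile names Outlook add-in loading (T1137.006) as one of LunarMail's persistence methods, a practical defender check is to enumerate the COM add-ins Outlook will load and resolve each one to the DLL on disk. The following PowerShell is an added example written for this page, not code from the original profile or from the ESET report; it assumes it runs locally on the Windows host being examined, and the helper name Resolve-AddinDll is the author's own.

```powershell
# Added example: list Outlook COM add-ins (T1137.006), resolve the DLL each one
# loads via ProgID -> CLSID -> InprocServer32, and report its signature status.
$addinRoots = @(
    'HKCU:\Software\Microsoft\Office\Outlook\Addins',
    'HKLM:\Software\Microsoft\Office\Outlook\Addins',
    'HKLM:\Software\WOW6432Node\Microsoft\Office\Outlook\Addins'
)

function Resolve-AddinDll {
    # Hypothetical helper: map an add-in ProgID to the DLL path Outlook loads.
    param([string]$ProgId)
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path $clsidKey)) { return $null }
    $clsid  = (Get-ItemProperty -Path $clsidKey).'(default)'
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    if (-not (Test-Path $inproc)) { return $null }
    $props = Get-ItemProperty -Path $inproc
    $dll   = $props.'(default)'
    # Managed (.NET) add-ins register mscoree.dll and point CodeBase at the
    # real assembly; report that path instead, stripping the file:/// prefix.
    if ($dll -match 'mscoree\.dll$' -and $props.CodeBase) {
        $dll = ($props.CodeBase -replace '^file:///', '') -replace '/', '\'
    }
    return $dll
}

foreach ($root in $addinRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $progId = $key.PSChildName
        $load   = (Get-ItemProperty -Path $key.PSPath).LoadBehavior
        $dll    = Resolve-AddinDll -ProgId $progId
        $sig    = if ($dll -and (Test-Path $dll)) {
                      (Get-AuthenticodeSignature -FilePath $dll).Status
                  } else { 'MISSING' }
        [pscustomobject]@{
            Hive         = $root
            ProgId       = $progId
            LoadBehavior = $load   # 3 = load automatically at Outlook startup
            Dll          = $dll
            Signature    = $sig    # anything other than 'Valid' deserves review
        }
    }
}
```

An add-in whose DLL lives outside the usual Office or vendor install directories, is unsigned, or is a .NET assembly nobody in the organisation deployed is the kind of entry this output is meant to surface for triage.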
MITRE tactics and techniques
Reconnaissance
T1591: Gather Victim Org Information

Resource Development
T1583.002: Acquire Infrastructure: DNS Server
T1583.003: Acquire Infrastructure: Virtual Private Server
T1584.003: Compromise Infrastructure: Virtual Private Server
T1586.002: Compromise Accounts: Email Accounts
T1587.001: Develop Capabilities: Malware

Execution
T1047: Windows Management Instrumentation
T1059: Command and Scripting Interpreter
T1059.001: Command and Scripting Interpreter: PowerShell
T1059.003: Command and Scripting Interpreter: Windows Command Shell
T1059.005: Command and Scripting Interpreter: Visual Basic
T1106: Native API
T1204.002: User Execution: Malicious File

Persistence
T1137.006: Office Application Startup: Add-ins
T1547: Boot or Logon Autostart Execution
T1574: Hijack Execution Flow

Defense Evasion
T1027: Obfuscated Files or Information
T1027.003: Obfuscated Files or Information: Steganography
T1027.007: Obfuscated Files or Information: Dynamic API Resolution
T1027.009: Obfuscated Files or Information: Embedded Payloads
T1036.005: Masquerading: Match Legitimate Name or Location
T1070.004: Indicator Removal: File Deletion
T1070.008: Indicator Removal: Clear Mailbox Data
T1140: Deobfuscate/Decode Files or Information
T1480.001: Execution Guardrails: Environmental Keying
T1620: Reflective Code Loading

Discovery
T1007: System Service Discovery
T1016: System Network Configuration Discovery
T1057: Process Discovery
T1082: System Information Discovery
T1518.001: Software Discovery: Security Software Discovery

Collection
T1005: Data from Local System
T1074.001: Data Staged: Local Data Staging
T1113: Screen Capture
T1114.001: Email Collection: Local Email Collection
T1560.002: Archive Collected Data: Archive via Library

Command and Control
T1001.002: Data Obfuscation: Steganography
T1001.003: Data Obfuscation: Protocol Impersonation
T1071.001: Application Layer Protocol: Web Protocols
T1071.003: Application Layer Protocol: Mail Protocols
T1090.001: Proxy: Internal Proxy
T1095: Non-Application Layer Protocol
T1132.001: Data Encoding: Standard Encoding
T1573.001: Encrypted Channel: Symmetric Cryptography
T1573.002: Encrypted Channel: Asymmetric Cryptography

Exfiltration
T1020: Automated Exfiltration
T1030: Data Transfer Size Limits
T1041: Exfiltration Over C2 Channel
References:
To the Moon and back(doors): Lunar landing in diplomatic missions
LunarWeb and LunarMail Backdoors Used by Turla Group to Target Diplomatic Missions – Active IOCs
Turla APT Hackers Target EU Foreign Affairs With ‘LunarMail’ Backdoor
The post LunarMail (Backdoor) – Malware first appeared on CyberMaterial.