LunarMail

LunarMail is a backdoor that has been used by Turla since at least 2020, including in a compromise of a European ministry of foreign affairs (MFA) in conjunction with LunarLoader and LunarWeb. LunarMail is designed to be deployed on workstations and can use email messages and steganography for command and control.[1]

ID: S1142
Type: MALWARE
Platforms: Windows
Contributors: Riku Katsuse, NEC Corporation; Sareena Karapoola, NEC Corporation India; Pooja Natarajan, NEC Corporation India
Version: 1.0
Created: 26 June 2024
Last Modified: 16 August 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .003 Application Layer Protocol: Mail Protocols

LunarMail can communicate with C2 using email messages via the Outlook Messaging API (MAPI).[1]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

LunarMail has been installed using a VBA macro.[1]

Enterprise T1543 Create or Modify System Process

LunarMail can create an arbitrary process with a specified command line and redirect its output to a staging directory.[1]

Enterprise T1001 .002 Data Obfuscation: Steganography

LunarMail can parse IDAT chunks from .png files to look for zlib-compressed and AES-encrypted C2 commands.[1]
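
A PNG attachment check in the spirit of this technique, added here by the editor and not taken from the ATT&CK entry or the cited report: it walks the chunk list and flags the three places where hidden data ends up in a file that still renders normally, namely bytes after IEND, bytes inside IDAT beyond the end of the zlib stream, and a decompressed size that disagrees with the IHDR geometry. The 2x2 sample image and the smuggled bytes are constructed for the demonstration, and interlaced images are skipped for the size comparison.

```python
import struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel

def iter_chunks(data):  # yield (type, body, crc_ok, offset_after_chunk) for each chunk up to IEND
    assert data.startswith(PNG_SIG), "not a PNG file"
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        pos += 12 + length
        yield ctype, body, zlib.crc32(ctype + body) == crc, pos
        if ctype == b"IEND":
            return

def audit_png(data):  # list every place the file carries bytes an image decoder never consumes
    findings, idat, expected, end = [], b"", None, len(PNG_SIG)
    for ctype, body, crc_ok, end in iter_chunks(data):
        if not crc_ok:
            findings.append("bad CRC in " + ctype.decode("latin-1"))
        if ctype == b"IHDR":
            w, h, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", body)
            if interlace == 0 and colour in CHANNELS:  # each row: one filter byte + packed samples
                expected = h * (1 + (w * CHANNELS[colour] * depth + 7) // 8)
        elif ctype == b"IDAT":
            idat += body
    if end != len(data):
        findings.append(f"{len(data) - end} bytes after IEND")
    d = zlib.decompressobj()
    try:
        raw = d.decompress(idat) + d.flush()
    except zlib.error:
        return findings + ["IDAT is not a valid zlib stream"]
    if d.unused_data:  # a decoder stops at the zlib end marker; anything beyond it is invisible to it
        findings.append(f"{len(d.unused_data)} bytes in IDAT after the zlib stream ended")
    if expected is not None and len(raw) != expected:
        findings.append(f"IDAT decompresses to {len(raw)} bytes, IHDR implies {expected}")
    return findings

def chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
def build_png(extra_idat=b"", trailer=b"", padding=b""):  # constructed 2x2 RGB sample for testing
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)
    raw = b"\x00" + b"\xff\x00\x00" * 2 + b"\x00" + b"\x00\xff\x00" * 2 + padding  # two filter-0 rows
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw) + extra_idat)
            + chunk(b"IEND", b"") + trailer)
```

The same three checks apply unchanged to real attachments read from disk; a clean file returns an empty list.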

Enterprise T1074 .001 Data Staged: Local Data Staging

LunarMail can create a directory in %TEMP%\ to stage data prior to exfiltration.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

LunarMail can decrypt strings to retrieve configuration settings.[1]

Enterprise T1114 .001 Email Collection: Local Email Collection

LunarMail can capture the recipients of sent email messages from compromised accounts.[1]

Enterprise T1041 Exfiltration Over C2 Channel

LunarMail can use email image attachments with embedded data for receiving C2 commands and data exfiltration.[1]

Enterprise T1083 File and Directory Discovery

LunarMail can search its staging directory for output files it has produced.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

LunarMail can delete the previously used staging directory and files on subsequent rounds of exfiltration and replace it with a new one.[1]

Enterprise T1070 .008 Indicator Removal: Clear Mailbox Data

LunarMail can set the PR_DELETE_AFTER_SUBMIT flag to delete messages sent for data exfiltration.[1]

Enterprise T1095 Non-Application Layer Protocol

LunarMail can ping a specific C2 URL with the ID of a victim machine in the subdomain.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

LunarMail has used RC4 and AES to encrypt strings and its exfiltration configuration, respectively.[1]

Enterprise T1137 .006 Office Application Startup: Add-ins

LunarMail has the ability to use Outlook add-ins for persistence.[1]

Enterprise T1113 Screen Capture

LunarMail can capture screenshots from compromised hosts.[1]

Enterprise T1082 System Information Discovery

LunarMail can capture environment variables on compromised hosts.[1]

Enterprise T1204 .002 User Execution: Malicious File

LunarMail has been installed through a malicious macro in a Microsoft Word document.[1]

Groups That Use This Software

ID Name References
G0010 Turla [1]

References