LunarLoader is the loader component for the LunarWeb and LunarMail backdoors, which Turla has used since at least 2020, including against a European ministry of foreign affairs (MFA). LunarLoader has been observed both as a standalone executable and as part of trojanized open-source software such as AdmPwd.[1]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1140 | Deobfuscate/Decode Files or Information | LunarLoader can deobfuscate files containing the next stages in the infection chain.[1]
Enterprise | T1480 | Execution Guardrails | LunarLoader can use the DNS domain name of a compromised host to create a decryption key, ensuring a malicious payload can only execute against the intended targets.[1]
Enterprise | T1137.006 | Office Application Startup: Add-ins | LunarLoader has the ability to use Microsoft Outlook add-ins to establish persistence.[1]
Enterprise | T1620 | Reflective Code Loading | LunarLoader can use reflective loading to decrypt and run malicious executables in a new thread.[1]
Enterprise | T1016 | System Network Configuration Discovery | LunarLoader can verify the targeted host's DNS name, which is then used in the creation of a decryption key.[1]