LunarMail
Type of Malware | Backdoor
Date of initial activity | At least 2020
Country of Origin | Russia
Targeted Countries | European Union
Associated Groups | Turla
Motivation | Cyberespionage
Attack Vectors | LunarMail is propagated through a malicious Microsoft Word document sent via a spear-phishing email, which, in turn, packs LunarLoader and the backdoor.
Targeted System | Windows
Variants | Win64/LunarMail.A
Overview
LunarMail is a sophisticated backdoor that has drawn attention in the security community for its advanced capabilities and stealthy operation. Primarily targeting Windows-based systems, LunarMail is designed to provide attackers with persistent access to compromised machines, enabling them to execute arbitrary commands, collect sensitive information, and exfiltrate data. This malware is typically distributed through malicious Word documents embedded with VBA macros, which, once opened, download and install the LunarMail payload.
One of the standout features of LunarMail is its use of reflective code loading. This technique allows the malware to run in memory without being written to the disk, significantly reducing the chances of detection by traditional antivirus software. LunarMail further enhances its stealth with AES-256 encryption for both its stored files and its communication with command and control (C2) servers. The malware also uses legitimate-looking filenames and locations to masquerade as benign software components, making it difficult for defenders to identify and remove it.
Persistence is a critical aspect of LunarMail’s functionality. The malware ensures it remains active on infected systems through various methods, including being loaded as an Outlook add-in or using a trojanized version of the AdmPwd DLL. By embedding itself within common system processes and leveraging the Windows Management Instrumentation (WMI) for execution, LunarMail can seamlessly integrate into the operating environment, making it resilient against removal attempts. Furthermore, LunarMail employs steganography for C2 communications, hiding commands within PNG images and exfiltrating data in a similarly concealed manner. This not only obfuscates its activities but also helps it evade network monitoring tools.
LunarMail’s reconnaissance capabilities are particularly concerning. The malware can gather extensive information about the infected system, including environment variables, network configurations, and security software details. This information allows attackers to adapt their tactics to the specific environment, increasing the effectiveness of their operations. LunarMail also has the ability to capture screenshots and collect email addresses from Outlook profiles, further enhancing its data collection capabilities. Once the data is gathered, it is compressed and encrypted before being sent to the C2 servers, ensuring that sensitive information is securely transmitted.
The use of LunarMail by attackers indicates a high level of sophistication and intent. Its ability to maintain long-term access, evade detection, and securely exfiltrate data makes it a formidable threat. Organizations must adopt a multi-layered security approach to defend against such advanced threats. This includes the implementation of advanced threat detection and response solutions, regular security audits, and comprehensive employee training to recognize and avoid phishing attempts.
In conclusion, LunarMail represents a significant evolution in malware technology, combining advanced techniques for persistence, stealth, and data exfiltration. Its capabilities highlight the need for continuous improvement in cybersecurity measures and the importance of staying informed about emerging threats. As cybercriminals continue to develop more sophisticated tools, the cybersecurity community must remain vigilant and proactive in defending against such threats.
Targets
European Ministry of Foreign Affairs (MFA) and its diplomatic missions abroad
How they operate
LunarMail, a sophisticated backdoor malware, has emerged as a formidable threat in the cybersecurity landscape, primarily targeting Windows-based systems. Its intricate operation, stealth techniques, and persistent capabilities make it a significant concern for security professionals. Distributed through malicious Word documents embedded with VBA macros, LunarMail is designed to give attackers long-term access to compromised systems, allowing them to execute commands, gather sensitive information, and exfiltrate data with minimal risk of detection.
Once a victim opens the malicious Word document, the embedded macro initiates the download and installation of the LunarMail payload. One of the malware’s standout features is its use of reflective code loading, which allows it to run directly from memory without being written to disk. This technique significantly reduces the likelihood of detection by traditional antivirus software. Additionally, LunarMail employs AES-256 encryption for its stored files and communications with command and control (C2) servers, further enhancing its stealth.
Persistence is a critical component of LunarMail’s operation. The malware ensures it remains active on infected systems through various methods, including being loaded as an Outlook add-in or using a trojanized version of the AdmPwd DLL. By embedding itself within common system processes and leveraging Windows Management Instrumentation (WMI) for execution, LunarMail seamlessly integrates into the operating environment. This makes it resilient against removal attempts and allows it to operate undetected for extended periods.
LunarMail’s use of steganography for C2 communications is particularly noteworthy. The malware hides its commands within PNG images and exfiltrates data in a similarly concealed manner. This approach not only obfuscates its activities but also helps it evade network monitoring tools. By mimicking legitimate network traffic, LunarMail’s communications blend in with normal operations, making it difficult for security professionals to identify and block malicious activities.
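Both the Overview and the paragraph above mention PNG images as the carrier for commands and exfiltrated data. The page does not describe how LunarMail embeds data in those images, so the following triage check, added here as an example and not code from the page, looks only for generic structural signs that a PNG carries more than pixels: bad chunk CRCs, chunk types no normal encoder emits, oversized text chunks, and bytes appended after IEND. The chunk allow-list and the 4096-byte text threshold are the editor's assumptions, and the sample images are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types common encoders emit (editor's allow-list, not taken from any sample).
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP",
                b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT", b"hIST", b"tIME"}
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
MAX_TEXT_BYTES = 4096  # assumed threshold: image metadata larger than this is unusual

def triage_png(data: bytes) -> list:
    """Walk the chunk structure and report where a PNG carries more than pixel data:
    CRC mismatches, unknown chunk types, oversized text chunks, missing IEND, trailing bytes."""
    findings = []
    if not data.startswith(PNG_SIG):
        return ["bad PNG signature"]
    pos, seen_iend = len(PNG_SIG), False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        name = ctype.decode("latin-1")
        if len(body) < length or len(crc_field) < 4:
            findings.append(f"truncated chunk {name} at offset {pos}")
            return findings
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc_field)[0]:
            findings.append(f"CRC mismatch in {name} at offset {pos}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {name} ({length} bytes) at offset {pos}")
        elif ctype in TEXT_CHUNKS and length > MAX_TEXT_BYTES:
            findings.append(f"oversized text chunk {name} ({length} bytes) at offset {pos}")
        pos += 12 + length
        if ctype == b"IEND":
            seen_iend = True
            break
    if not seen_iend:
        findings.append("no IEND chunk; file is truncated or malformed")
    elif pos < len(data):
        findings.append(f"{len(data) - pos} bytes appended after IEND")
    return findings

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one well-formed chunk; used only to construct the sample images below."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples: a valid 1x1 RGB image, then two tampered variants.
IHDR = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
IDAT = chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))  # filter byte + one red pixel
CLEAN_PNG = PNG_SIG + IHDR + IDAT + chunk(b"IEND", b"")
APPENDED_PNG = CLEAN_PNG + b"constructed-hidden-data"
ODD_CHUNK_PNG = PNG_SIG + IHDR + chunk(b"cMDx", b"constructed") + IDAT + chunk(b"IEND", b"")
```

A viewer renders all three samples identically, which is why the check has to be structural rather than visual.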
The reconnaissance capabilities of LunarMail are extensive and concerning. The malware can gather detailed information about the infected system, including environment variables, network configurations, and installed security software. It can also capture screenshots and collect email addresses from Outlook profiles. This collected data is then compressed and encrypted before being transmitted to the C2 servers, ensuring that sensitive information is securely exfiltrated. LunarMail’s ability to adapt to the specific environment of the compromised system increases the effectiveness of the attackers’ operations.
MITRE tactics and techniques
Reconnaissance:
T1591: Gather Victim Org Information
Resource Development:
T1583.002: Acquire Infrastructure: DNS Server
T1583.003: Acquire Infrastructure: Virtual Private Server
T1584.003: Compromise Infrastructure: Virtual Private Server
T1586.002: Compromise Accounts: Email Accounts
T1587.001: Develop Capabilities: Malware
Execution:
T1047: Windows Management Instrumentation
T1059: Command and Scripting Interpreter
T1059.001: Command and Scripting Interpreter: PowerShell
T1059.003: Command and Scripting Interpreter: Windows Command Shell
T1059.005: Command and Scripting Interpreter: Visual Basic
T1106: Native API
T1204.002: User Execution: Malicious File
Persistence:
T1137.006: Office Application Startup: Add-ins
T1547: Boot or Logon Autostart Execution
T1574: Hijack Execution Flow
Defense Evasion:
T1027: Obfuscated Files or Information
T1027.003: Obfuscated Files or Information: Steganography
T1027.007: Obfuscated Files or Information: Dynamic API Resolution
T1027.009: Obfuscated Files or Information: Embedded Payloads
T1036.005: Masquerading: Match Legitimate Name or Location
T1070.004: Indicator Removal: File Deletion
T1070.008: Indicator Removal: Clear Mailbox Data
T1140: Deobfuscate/Decode Files or Information
T1480.001: Execution Guardrails: Environmental Keying
T1620: Reflective Code Loading
Discovery:
T1007: System Service Discovery
T1016: System Network Configuration Discovery
T1057: Process Discovery
T1082: System Information Discovery
T1518.001: Software Discovery: Security Software Discovery
Collection:
T1005: Data from Local System
T1074.001: Data Staged: Local Data Staging
T1113: Screen Capture
T1114.001: Email Collection: Local Email Collection
T1560.002: Archive Collected Data: Archive via Library
Command and Control:
T1001.002: Data Obfuscation: Steganography
T1001.003: Data Obfuscation: Protocol Impersonation
T1071.001: Application Layer Protocol: Web Protocols
T1071.003: Application Layer Protocol: Mail Protocols
T1090.001: Proxy: Internal Proxy
T1095: Non-Application Layer Protocol
T1132.001: Data Encoding: Standard Encoding
T1573.001: Encrypted Channel: Symmetric Cryptography
T1573.002: Encrypted Channel: Asymmetric Cryptography
Exfiltration:
T1020: Automated Exfiltration
T1030: Data Transfer Size Limits
T1041: Exfiltration Over C2 Channel