LunarWeb (Backdoor) – Malware

May 16, 2024

LunarWeb

Additional names

LunarLoader

Type of Malware

Backdoor

Date of initial activity

at least 2020

Country of Origin

Russia

Targeted Countries

European Union

Associated Groups

Turla

Motivation

Cyberespionage

Attack Vectors

Recovered installation-related components and attacker activity suggest spearphishing and abuse of a misconfigured instance of the network and application monitoring software Zabbix as possible initial access vectors.

Targeted System

Windows

Tools

DLL Components

App_Web_0bm4blbr.dll
gpgol.dll
tapiperf.dll

Malicious Macros and Scripts

VBA/TrojanDownloader.Agent.ZJC

Payloads

Win32/LunarWeb.A
Win64/LunarMail.A
Win32/LunarMail.A
Win64/LunarWeb.A

State Files and Blobs

DynamicAuth.bin
admpwd.cache
adcache.clb
perfcache.dat
tempkeys.dat

Network Communication

Free DNS services (e.g., thedarktower.av.master.dns-cloud.net)
C2 servers (e.g., Akamai Connected Cloud, Hetzner Online GmbH, Host Department NJ, LLC, IONOS SE, Contabo GmbH, Webglobe, a.s.)

Reflective Code Loading

LunarWeb and LunarMail reflective loaders

Variants

Win64/LunarLoader.B
Win32/LunarLoader.A
Win64/LunarLoader.C
Win32/LunarWeb.A
Win64/LunarWeb.A

Overview

LunarWeb is a sophisticated backdoor that targets Windows systems and is known for its persistence, command-and-control (C2) and data-exfiltration capabilities. It is typically delivered through malicious Word documents carrying VBA macros which, when executed, download and install the payload. Its primary function is to maintain long-term access to compromised systems so that the attackers can gather sensitive information and execute arbitrary commands.

A notable feature of LunarWeb is its use of reflective code loading, which lets the payload execute without being written to disk. This helps it evade traditional antivirus solutions and makes forensic analysis harder. LunarWeb also employs several obfuscation methods, including AES-256 encryption of stored files and communications, and uses legitimate-looking filenames and locations to masquerade as benign software components. For instance, the loader may replace system DLLs such as tapiperf.dll to ensure it is executed at system startup or user login.

LunarWeb’s persistence mechanisms are robust and use more than one method to keep the malware active on infected systems: it can be loaded through a trojanized version of the AdmPwd DLL or persisted as a Group Policy extension, which makes it difficult to remove without thorough system cleaning. Additionally, LunarWeb uses steganography for its C2 communications, embedding commands within JPG or GIF image files and communicating with its C2 servers over standard web protocols. This both obscures its activity and lets it blend in with regular network traffic, further evading detection.

The malware’s ability to discover and gather information about the infected system is another critical aspect. It can retrieve system details, network configuration, running processes and installed software, including security solutions. This reconnaissance lets the attackers tailor their activity to the specific environment. LunarWeb also supports data exfiltration, compressing and encrypting collected data before sending it to the C2 servers.
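As an added, defender-side example that is not part of the original article or of ESET’s research, the following PowerShell enumerates the two persistence points named above, Group Policy client-side extensions and loader DLLs masquerading under system file names in System32, and flags entries that are missing, unsigned or not Microsoft-signed. The $SuspectNames watch list is an assumption built from the filenames on this page, not an official indicator list.

```powershell
# Added example, not code from the original article or from ESET's research.
# Enumerates two persistence points described above: Group Policy client-side
# extensions (CSEs; a trojanized AdmPwd.dll would surface here if registered as a
# CSE) and loader DLLs masquerading under system names in System32 (the
# tapiperf.dll route). Run from an elevated PowerShell session on the host.

# Constructed watch list of filenames taken from this profile; an assumption,
# not an official indicator list. A legitimate tapiperf.dll ships with Windows,
# so the signature check below, not the name alone, decides what gets flagged.
$SuspectNames = @('tapiperf.dll', 'admpwd.dll', 'gpgol.dll')
$GpExtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Test-DllTrust {
    param([string]$Path, [string]$Source)
    $resolved = [Environment]::ExpandEnvironmentVariables($Path)
    # GPExtensions often stores a bare file name, which Winlogon resolves from System32.
    if (-not [IO.Path]::IsPathRooted($resolved)) {
        $resolved = Join-Path "$env:SystemRoot\System32" $resolved
    }
    $notes = @()
    $signer = ''
    if (-not (Test-Path -LiteralPath $resolved)) {
        $status = 'Missing'
        $notes += 'referenced DLL not on disk'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $resolved
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        if ($status -ne 'Valid') { $notes += "signature $status" }
        elseif ($signer -notmatch 'Microsoft') { $notes += 'valid but not Microsoft-signed' }
    }
    if ($SuspectNames -contains (Split-Path -Path $resolved -Leaf)) { $notes += 'name on watch list' }
    [pscustomobject]@{ Source = $Source; Path = $resolved; Status = $status; Signer = $signer; Note = ($notes -join '; ') }
}

# 1. Every subkey of GPExtensions is a CSE GUID whose DllName is loaded during policy processing.
$gpResults = foreach ($cse in Get-ChildItem -Path $GpExtKey) {
    $dll = (Get-ItemProperty -Path $cse.PSPath).DllName
    if ($dll) { Test-DllTrust -Path $dll -Source "GPExtension $($cse.PSChildName)" }
}

# 2. Watch-list names present in System32.
$sysResults = Get-ChildItem -Path "$env:SystemRoot\System32" -Filter '*.dll' -File |
    Where-Object { $SuspectNames -contains $_.Name } |
    ForEach-Object { Test-DllTrust -Path $_.FullName -Source 'System32' }

# Print only entries with a finding; review anything missing, unsigned or non-Microsoft.
@($gpResults) + @($sysResults) | Where-Object { $_.Note } |
    Format-Table -Property Source, Path, Status, Signer, Note -AutoSize
```

A Microsoft-signed tapiperf.dll with a valid signature is reported only as a watch-list name match, so compare its hash against a known-good copy before treating it as clean.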

Targets

European Ministry of Foreign Affairs (MFA) and its diplomatic missions abroad

How they operate

LunarWeb and LunarMail are two malware families attributed to the advanced persistent threat (APT) group Turla, known for complex operations against targets in many sectors worldwide. Though they differ in deployment and functionality, both share the same goal: to compromise target systems and keep persistent access to them.

LunarWeb operates primarily as a web backdoor that lets the attackers execute commands remotely, gather system information and upload files from the compromised machine. Its loader components, known as LunarLoader, exist in several versions, such as Win64/LunarLoader.B, Win32/LunarLoader.A and Win64/LunarLoader.C. LunarMail, on the other hand, targets email systems and typically embeds itself as an Outlook add-in. It is installed through Visual Basic for Applications (VBA) macros, in keeping with Turla’s habit of leveraging legitimate tools for malicious purposes. Once installed, LunarMail can collect email data, capture screenshots and execute commands hidden within images. Its variants, Win64/LunarMail.A and Win32/LunarMail.A, cover both 64-bit and 32-bit environments.

The tactics, techniques and procedures (TTPs) of LunarWeb and LunarMail are mapped extensively in the MITRE ATT&CK framework. They include reconnaissance such as gathering victim organization information (T1591), use of acquired infrastructure such as virtual private servers (T1583.003), and execution through Windows Management Instrumentation (T1047) and PowerShell (T1059.001). Persistence is achieved by hijacking execution flow (T1574) and installing malicious add-ins (T1137.006), while defense evasion relies on obfuscation (T1027) and dynamic API resolution (T1027.007). Discovery covers system service and network configuration discovery (T1007, T1016), which lets the attackers map the victim’s environment. For collection, both families can stage data locally (T1074.001), capture screen content (T1113) and collect local email (T1114.001). C2 communications use obfuscated protocols and encrypted channels (T1573.001, T1573.002), and stolen data is exfiltrated over the C2 channel (T1041).

Taken together, these capabilities illustrate the complexity and resilience of modern espionage malware. Organizations should adopt a multi-layered defense that combines detection tooling, regularly updated threat intelligence and a tested incident response plan; understanding how these families operate is a prerequisite for defending against them.

MITRE tactics and techniques

Reconnaissance
  • T1591: Gather Victim Org Information

Resource Development
  • T1583.002: Acquire Infrastructure: DNS Server
  • T1583.003: Acquire Infrastructure: Virtual Private Server
  • T1584.003: Compromise Infrastructure: Virtual Private Server
  • T1586.002: Compromise Accounts: Email Accounts
  • T1587.001: Develop Capabilities: Malware

Execution
  • T1047: Windows Management Instrumentation
  • T1059: Command and Scripting Interpreter
  • T1059.001: Command and Scripting Interpreter: PowerShell
  • T1059.003: Command and Scripting Interpreter: Windows Command Shell
  • T1059.005: Command and Scripting Interpreter: Visual Basic
  • T1106: Native API
  • T1204.002: User Execution: Malicious File

Persistence
  • T1137.006: Office Application Startup: Add-ins
  • T1547: Boot or Logon Autostart Execution
  • T1574: Hijack Execution Flow

Defense Evasion
  • T1027: Obfuscated Files or Information
  • T1027.003: Obfuscated Files or Information: Steganography
  • T1027.007: Obfuscated Files or Information: Dynamic API Resolution
  • T1027.009: Obfuscated Files or Information: Embedded Payloads
  • T1036.005: Masquerading: Match Legitimate Name or Location
  • T1070.004: Indicator Removal: File Deletion
  • T1070.008: Indicator Removal: Clear Mailbox Data
  • T1140: Deobfuscate/Decode Files or Information
  • T1480.001: Execution Guardrails: Environmental Keying
  • T1620: Reflective Code Loading

Discovery
  • T1007: System Service Discovery
  • T1016: System Network Configuration Discovery
  • T1057: Process Discovery
  • T1082: System Information Discovery
  • T1518.001: Software Discovery: Security Software Discovery

Collection
  • T1005: Data from Local System
  • T1074.001: Data Staged: Local Data Staging
  • T1113: Screen Capture
  • T1114.001: Email Collection: Local Email Collection
  • T1560.002: Archive Collected Data: Archive via Library

Command and Control
  • T1001.002: Data Obfuscation: Steganography
  • T1001.003: Data Obfuscation: Protocol Impersonation
  • T1071.001: Application Layer Protocol: Web Protocols
  • T1071.003: Application Layer Protocol: Mail Protocols
  • T1090.001: Proxy: Internal Proxy
  • T1095: Non-Application Layer Protocol
  • T1132.001: Data Encoding: Standard Encoding
  • T1573.001: Encrypted Channel: Symmetric Cryptography
  • T1573.002: Encrypted Channel: Asymmetric Cryptography

Exfiltration
  • T1020: Automated Exfiltration
  • T1030: Data Transfer Size Limits
  • T1041: Exfiltration Over C2 Channel