LunarWeb

| Attribute | Value |
| --- | --- |
| Additional names | LunarLoader |
| Type of malware | Backdoor |
| Date of initial activity | At least 2020 |
| Country of origin | Russia |
| Targeted countries | European Union |
| Associated groups | Turla |
| Motivation | Cyberespionage |
| Attack vectors | Recovered installation-related components and attacker activity suggest spearphishing and abuse of a misconfigured installation of the network and application monitoring software Zabbix. |
| Targeted system | Windows |
| Tools | DLL components; App_Web_0bm4blbr.dll; VBA/TrojanDownloader.Agent.ZJC; Win32/LunarWeb.A; DynamicAuth.bin; free DNS services (e.g., thedarktower.av.master.dns-cloud.net); LunarWeb and LunarMail reflective loaders |
| Variants | Win64/LunarLoader.B |
Overview
LunarWeb is a sophisticated malware backdoor that primarily targets Windows-based systems. It is known for its advanced capabilities in persistence, command and control (C2), and data exfiltration. The malware is typically delivered through various means, including malicious Word documents containing VBA macros, which, when executed, download and install the payload. LunarWeb’s primary function is to maintain long-term access to the compromised systems, allowing attackers to gather sensitive information and execute arbitrary commands.
One of the notable features of LunarWeb is its use of reflective code loading, which enables the malware to execute without being written to disk. This technique helps evade detection by traditional antivirus solutions and makes forensic analysis more challenging. LunarWeb also employs various obfuscation methods, such as AES-256 encryption for stored files and communications, and the use of legitimate-looking filenames and locations to masquerade as benign software components. For instance, the loader may replace system DLLs, like tapiperf.dll, to ensure its execution during system startup or user login.
LunarWeb’s persistence mechanisms are robust, using multiple methods to ensure it remains active on infected systems. It can be loaded through a trojanized version of the AdmPwd DLL or persisted as a Group Policy extension, making it difficult to remove without thorough system cleaning. Additionally, LunarWeb employs steganography for command and control communications, embedding commands within image files such as JPG or GIF files, and uses standard web protocols to communicate with its C2 servers. This not only obfuscates its activities but also helps it blend in with regular network traffic, further evading detection.
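A defender's audit of the two persistence paths described above (a replaced system DLL such as tapiperf.dll and a DLL registered as a Group Policy client-side extension), added here as an example; it is not from the original analysis or any vendor tool, and the registry key and System32 paths it checks are standard Windows locations assumed for illustration, not indicators from this page.

```powershell
# Added defensive audit; assumes an elevated PowerShell session on the host under review.
# The GPExtensions key and System32 path are standard Windows locations, not indicators.
$findings = @()

function Test-DllTrust {
    param([string]$Path, [string]$Context)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Context = $Context; Path = $Path; Status = 'Missing'; Signer = $null }
    }
    # On Windows 8 and later this also honours catalog signatures, so Microsoft-shipped
    # DLLs should report 'Valid'; anything else is worth an analyst's look.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Context = $Context
        Path    = $Path
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
    }
}

# 1. Group Policy client-side extensions: each GUID subkey names a DLL that the
#    Group Policy engine loads on refresh, the persistence path described above.
$gpeKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
foreach ($sub in Get-ChildItem -Path $gpeKey) {
    $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
    if (-not $dll) { continue }
    # DllName may be a bare file name (resolved from System32) or use %SystemRoot%.
    $full = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not [IO.Path]::IsPathRooted($full)) {
        $full = Join-Path $env:SystemRoot "System32\$full"
    }
    $findings += Test-DllTrust -Path $full -Context "GPExtension $($sub.PSChildName)"
}

# 2. tapiperf.dll is named above as a system DLL the loader may replace.
$findings += Test-DllTrust -Path (Join-Path $env:SystemRoot 'System32\tapiperf.dll') -Context 'System DLL'

# Report every DLL that is not a validly signed binary for review.
$findings | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

A missing tapiperf.dll is not itself suspicious on every Windows build; the finding to act on is a present but unsigned or third-party-signed DLL in either location.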
The malware’s ability to discover and gather information about the infected system is another critical aspect. It can retrieve system details, network configurations, running processes, and installed software, including security solutions. This reconnaissance capability allows attackers to tailor their activities to the specific environment, enhancing the effectiveness of their operations. LunarWeb also supports data exfiltration, compressing and encrypting collected data before sending it to the C2 servers, ensuring that sensitive information is securely transmitted.
Targets
European Ministry of Foreign Affairs (MFA) and its diplomatic missions abroad
How they operate
In the ever-evolving landscape of cybersecurity, new threats emerge continuously, challenging defenders to stay vigilant and proactive. Two such formidable adversaries, LunarWeb and LunarMail, have recently come under scrutiny for their sophisticated techniques and persistent infiltration strategies. These malware families are associated with the advanced persistent threat (APT) group known as Turla, renowned for their complex operations targeting a variety of sectors globally.
LunarWeb and LunarMail, though distinct in their deployment and functionalities, share a common goal: to compromise and maintain persistent access to target systems. LunarWeb operates primarily as a web backdoor, enabling attackers to execute commands remotely, gather system information, and upload files from the compromised machine. Its loader components, known as LunarLoader, come in various versions such as Win64/LunarLoader.B, Win32/LunarLoader.A, and Win64/LunarLoader.C, highlighting the adaptability and wide reach of this malware.
On the other hand, LunarMail targets email systems, often embedding itself as an Outlook add-in. This variant employs Visual Basic for Applications (VBA) macros to install its payload, a tactic that aligns with Turla’s penchant for leveraging legitimate tools for malicious purposes. Once installed, LunarMail can collect email data, capture screenshots, and execute commands hidden within images, showcasing its sophisticated data exfiltration methods. Its variants, Win64/LunarMail.A and Win32/LunarMail.A, reflect the malware’s flexibility across different operating environments.
The tactics, techniques, and procedures (TTPs) employed by LunarWeb and LunarMail are mapped extensively within the MITRE ATT&CK framework, a globally recognized knowledge base of adversarial behaviors. These TTPs include reconnaissance activities such as gathering victim organization information (T1591), leveraging compromised infrastructure like virtual private servers (T1583.003), and sophisticated execution methods utilizing Windows Management Instrumentation (T1047) and PowerShell (T1059.001). Persistence is achieved through hijacking execution flow (T1574) and embedding malicious add-ins (T1137.006), while defense evasion is facilitated by obfuscation techniques (T1027) and dynamic API resolution (T1027.007).
Discovery tactics deployed by these malware families involve system service and network configuration discovery (T1007, T1016), allowing attackers to map out the victim’s environment thoroughly. For data collection, LunarWeb and LunarMail are capable of staging local data (T1074.001), capturing screen content (T1113), and extracting email information (T1114.001). Command and control (C2) communications are maintained through obfuscated protocols and encrypted channels (T1573.001, T1573.002), ensuring stealthy and secure data exfiltration (T1041).
The comprehensive analysis of LunarWeb and LunarMail underscores the complexity and resilience of modern cyber threats. Organizations must adopt a multi-layered defense strategy, incorporating advanced detection tools, regular threat intelligence updates, and robust incident response plans. Understanding the intricate workings of these malware families is a crucial step towards fortifying defenses and safeguarding sensitive data against such sophisticated adversaries. As cyber threats continue to evolve, so must the strategies and technologies employed to counter them, ensuring a secure digital landscape for all.
MITRE tactics and techniques
Reconnaissance:
T1591: Gather Victim Org Information
Resource Development:
T1583.002: Acquire Infrastructure: DNS Server
T1583.003: Acquire Infrastructure: Virtual Private Server
T1584.003: Compromise Infrastructure: Virtual Private Server
T1586.002: Compromise Accounts: Email Accounts
T1587.001: Develop Capabilities: Malware
Execution:
T1047: Windows Management Instrumentation
T1059: Command and Scripting Interpreter
T1059.001: Command and Scripting Interpreter: PowerShell
T1059.003: Command and Scripting Interpreter: Windows Command Shell
T1059.005: Command and Scripting Interpreter: Visual Basic
T1106: Native API
T1204.002: User Execution: Malicious File
Persistence:
T1137.006: Office Application Startup: Add-ins
T1547: Boot or Logon Autostart Execution
T1574: Hijack Execution Flow
Defense Evasion:
T1027: Obfuscated Files or Information
T1027.003: Obfuscated Files or Information: Steganography
T1027.007: Obfuscated Files or Information: Dynamic API Resolution
T1027.009: Obfuscated Files or Information: Embedded Payloads
T1036.005: Masquerading: Match Legitimate Name or Location
T1070.004: Indicator Removal: File Deletion
T1070.008: Indicator Removal: Clear Mailbox Data
T1140: Deobfuscate/Decode Files or Information
T1480.001: Execution Guardrails: Environmental Keying
T1620: Reflective Code Loading
Discovery:
T1007: System Service Discovery
T1016: System Network Configuration Discovery
T1057: Process Discovery
T1082: System Information Discovery
T1518.001: Software Discovery: Security Software Discovery
Collection:
T1005: Data from Local System
T1074.001: Data Staged: Local Data Staging
T1113: Screen Capture
T1114.001: Email Collection: Local Email Collection
T1560.002: Archive Collected Data: Archive via Library
Command and Control:
T1001.002: Data Obfuscation: Steganography
T1001.003: Data Obfuscation: Protocol Impersonation
T1071.001: Application Layer Protocol: Web Protocols
T1071.003: Application Layer Protocol: Mail Protocols
T1090.001: Proxy: Internal Proxy
T1095: Non-Application Layer Protocol
T1132.001: Data Encoding: Standard Encoding
T1573.001: Encrypted Channel: Symmetric Cryptography
T1573.002: Encrypted Channel: Asymmetric Cryptography
Exfiltration:
T1020: Automated Exfiltration
T1030: Data Transfer Size Limits
T1041: Exfiltration Over C2 Channel