LunarWeb (Backdoor) – Malware

Overview

LunarWeb is a sophisticated malware backdoor that primarily targets Windows-based systems. It is known for its advanced capabilities in persistence, command and control (C2), and data exfiltration. The malware is typically delivered through various means, including malicious Word documents containing VBA macros, which, when executed, download and install the payload. LunarWeb’s primary function is to maintain long-term access to the compromised systems, allowing attackers to gather sensitive information and execute arbitrary commands. One of the notable features of LunarWeb is its use of reflective code loading, which enables the malware to execute without being written to disk. This technique helps evade detection by traditional antivirus solutions and makes forensic analysis more challenging. LunarWeb also employs various obfuscation methods, such as AES-256 encryption for stored files and communications, and the use of legitimate-looking filenames and locations to masquerade as benign software components. For instance, the loader may replace system DLLs, like tapiperf.dll, to ensure its execution during system startup or user login. LunarWeb’s persistence mechanisms are robust, utilizing multiple methods to ensure it remains active on infected systems. It can be loaded through a trojanized version of the AdmPwd DLL or persisted as a Group Policy extension, making it difficult to remove without thorough system cleaning. Additionally, LunarWeb employs steganography for command and control communications, embedding commands within image files such as JPG or GIFs, and using standard web protocols to communicate with its C2 servers. This not only obfuscates its activities but also helps it blend with regular network traffic, further evading detection. The malware’s ability to discover and gather information about the infected system is another critical aspect. It can retrieve system details, network configurations, running processes, and installed software, including security solutions. This reconnaissance capability allows attackers to tailor their activities to the specific environment, enhancing the effectiveness of their operations. LunarWeb also supports data exfiltration, compressing and encrypting collected data before sending it to the C2 servers, ensuring that sensitive information is securely transmitted.

Targets

European Ministry of Foreign Affairs (MFA) and its diplomatic missions abroad

How they operate

In the ever-evolving landscape of cybersecurity, new threats emerge continuously, challenging defenders to stay vigilant and proactive. Two such formidable adversaries, LunarWeb and LunarMail, have recently come under scrutiny for their sophisticated techniques and persistent infiltration strategies. These malware families are associated with the advanced persistent threat (APT) group known as Turla, renowned for their complex operations targeting a variety of sectors globally. LunarWeb and LunarMail, though distinct in their deployment and functionalities, share a common goal: to compromise and maintain persistent access to target systems. LunarWeb operates primarily as a web backdoor, enabling attackers to execute commands remotely, gather system information, and upload files from the compromised machine. Its loader components, known as LunarLoader, come in various versions such as Win64/LunarLoader.B, Win32/LunarLoader.A, and Win64/LunarLoader.C, highlighting the adaptability and wide reach of this malware. On the other hand, LunarMail targets email systems, often embedding itself as an Outlook add-in. This variant employs Visual Basic for Applications (VBA) macros to install its payload, a tactic that aligns with Turla’s penchant for leveraging legitimate tools for malicious purposes. Once installed, LunarMail can collect email data, capture screenshots, and execute commands hidden within images, showcasing its sophisticated data exfiltration methods. Its variants, Win64/LunarMail.A and Win32/LunarMail.A, reflect the malware’s flexibility across different operating environments. The tactics, techniques, and procedures (TTPs) employed by LunarWeb and LunarMail are mapped extensively within the MITRE ATT&CK framework, a globally recognized knowledge base of adversarial behaviors. These TTPs include reconnaissance activities such as gathering victim organization information (T1591), leveraging compromised infrastructure like virtual private servers (T1583.003), and sophisticated execution methods utilizing Windows Management Instrumentation (T1047) and PowerShell (T1059.001). Persistence is achieved through hijacking execution flow (T1574) and embedding malicious add-ins (T1137.006), while defense evasion is facilitated by obfuscation techniques (T1027) and dynamic API resolution (T1027.007). Discovery tactics deployed by these malware families involve system service and network configuration discovery (T1007, T1016), allowing attackers to map out the victim’s environment thoroughly. For data collection, LunarWeb and LunarMail are capable of staging local data (T1074.001), capturing screen content (T1113), and extracting email information (T1114.001). Command and control (C2) communications are maintained through obfuscated protocols and encrypted channels (T1573.001, T1573.002), ensuring stealthy and secure data exfiltration (T1041). The comprehensive analysis of LunarWeb and LunarMail underscores the complexity and resilience of modern cyber threats. Organizations must adopt a multi-layered defense strategy, incorporating advanced detection tools, regular threat intelligence updates, and robust incident response plans. Understanding the intricate workings of these malware families is a crucial step towards fortifying defenses and safeguarding sensitive data against such sophisticated adversaries. As cyber threats continue to evolve, so must the strategies and technologies employed to counter them, ensuring a secure digital landscape for all.

MITRE tactics and techniques

Reconnaissance: T1591: Gather Victim Org Information Resource Development: T1583.002: Acquire Infrastructure: DNS Server T1583.003: Acquire Infrastructure: Virtual Private Server T1584.003: Compromise Infrastructure: Virtual Private Server T1586.002: Compromise Accounts: Email Accounts T1587.001: Develop Capabilities: Malware Execution: T1047: Windows Management Instrumentation T1059: Command and Scripting Interpreter T1059.001: Command and Scripting Interpreter: PowerShell T1059.003: Command and Scripting Interpreter: Windows Command Shell T1059.005: Command and Scripting Interpreter: Visual Basic T1106: Native API T1204.002: User Execution: Malicious File Persistence: T1137.006: Office Application Startup: Add-ins T1547: Boot or Logon Autostart Execution T1574: Hijack Execution Flow Defense Evasion: T1027: Obfuscated Files or Information T1027.003: Obfuscated Files or Information: Steganography T1027.007: Obfuscated Files or Information: Dynamic API Resolution T1027.009: Obfuscated Files or Information: Embedded Payloads T1036.005: Masquerading: Match Legitimate Name or Location T1070.004: Indicator Removal: File Deletion T1070.008: Indicator Removal: Clear Mailbox Data T1140: Deobfuscate/Decode Files or Information T1480.001: Execution Guardrails: Environmental Keying T1620: Reflective Code Loading Discovery: T1007: System Service Discovery T1016: System Network Configuration Discovery T1057: Process Discovery T1082: System Information Discovery T1518.001: Software Discovery: Security Software Discovery Collection: T1005: Data from Local System T1074.001: Data Staged: Local Data Staging T1113: Screen Capture T1114.001: Email Collection: Local Email Collection T1560.002: Archive Collected Data: Archive via Library Command and Control: T1001.002: Data Obfuscation: Steganography T1001.003: Data Obfuscation: Protocol Impersonation T1071.001: Application Layer Protocol: Web Protocols T1071.003: Application Layer Protocol: Mail Protocols T1090.001: Proxy: Internal Proxy T1095: Non-Application Layer Protocol T1132.001: Data Encoding: Standard Encoding T1573.001: Encrypted Channel: Symmetric Cryptography T1573.002: Encrypted Channel: Asymmetric Cryptography Exfiltration: T1020: Automated Exfiltration T1030: Data Transfer Size Limits T1041: Exfiltration Over C2 Channel

References:

• To the Moon and back(doors): Lunar landing in diplomatic missions
• LunarWeb and LunarMail Backdoors Used by Turla Group to Target Diplomatic Missions – Active IOCs
• Turla APT Hackers Target EU Foreign Affairs With ‘LunarMail’ Backdoor