LunarMail is a backdoor that has been used by Turla since at least 2020, including in a compromise of a European ministry of foreign affairs (MFA) in conjunction with LunarLoader and LunarWeb. LunarMail is designed to be deployed on workstations and can use email messages and steganography for command and control.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1543 | Create or Modify System Process | LunarMail can create an arbitrary process with a specified command line and redirect its output to a staging directory.[1] |
| Enterprise | T1137.006 | Office Application Startup: Add-ins | LunarMail has the ability to use Outlook add-ins for persistence.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | LunarMail can decrypt strings to retrieve configuration settings.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| Enterprise | T1113 | Screen Capture | LunarMail can capture screenshots from compromised hosts.[1] |
| Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | LunarMail can communicate with C2 using email messages via the Outlook Messaging API (MAPI).[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | LunarMail can create a directory in |
| Enterprise | T1001.002 | Data Obfuscation: Steganography | LunarMail can parse IDAT chunks from .png files to look for zlib-compressed and AES-encrypted C2 commands.[1] |
| Enterprise | T1083 | File and Directory Discovery | LunarMail can search its staging directory for output files it has produced.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | LunarMail has used RC4 and AES to encrypt strings and its exfiltration configuration, respectively.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | LunarMail has been installed through a malicious macro in a Microsoft Word document.[1] |
| Enterprise | T1114.001 | Email Collection: Local Email Collection | LunarMail can capture the recipients of sent email messages from compromised accounts.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | LunarMail can delete the previously used staging directory and files on subsequent rounds of exfiltration and replace it with a new one.[1] |
| Enterprise | T1070.008 | Indicator Removal: Clear Mailbox Data | LunarMail can set the |
| Enterprise | T1082 | System Information Discovery | LunarMail can capture environment variables on compromised hosts.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | LunarMail can use email image attachments with embedded data for receiving C2 commands and data exfiltration.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | LunarMail can ping a specific C2 URL with the ID of a victim machine in the subdomain.[1] |
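A defensive check for the PNG steganography described in the T1001.002 row, added here as an example and not code from the cited report or from LunarMail itself: it parses a PNG, concatenates its IDAT chunks, and flags a file whose zlib stream decompresses to more or fewer bytes than the IHDR dimensions require, or that carries data after the zlib stream ends (where a smuggled payload would sit). The sample image is constructed inline, and non-interlaced images are assumed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Samples per pixel for each PNG colour type (grey, RGB, palette, grey+alpha, RGBA).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def chunk(ctype, data):
    """Serialise one PNG chunk (length, type, data, CRC); used only to build the sample."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width, height, trailing=b""):
    """Constructed 8-bit RGB image; `trailing` simulates bytes hidden after the zlib stream."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # non-interlaced
    rows = b"".join(b"\x00" + bytes([i % 256] * (width * 3)) for i in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows) + trailing) + chunk(b"IEND", b"")


def iter_chunks(png):
    """Yield (type, data) for every chunk; CRCs are not verified here."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length


def inspect_idat(png):
    """Compare the decoded IDAT stream with the size the IHDR says the pixels need."""
    ihdr, idat = None, b""
    for ctype, data in iter_chunks(png):
        if ctype == b"IHDR":
            ihdr = data
        elif ctype == b"IDAT":
            idat += data  # IDAT payloads form one zlib stream when concatenated
    width, height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
    row_bytes = 1 + (width * CHANNELS[colour] * depth + 7) // 8  # filter byte + pixel bytes
    expected = row_bytes * height
    d = zlib.decompressobj()
    pixels = d.decompress(idat)
    trailing = len(d.unused_data)  # bytes left over after the zlib stream terminated
    return {
        "expected": expected,
        "decompressed": len(pixels),
        "trailing": trailing,
        "suspicious": len(pixels) != expected or trailing > 0,
    }
```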