LunarLoader is the loader component for the LunarWeb and LunarMail backdoors that has been used by Turla since at least 2020, including against a European ministry of foreign affairs (MFA). LunarLoader has been observed both as a standalone component and as part of trojanized open-source software such as AdmPwd.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1137.006 | Office Application Startup: Add-ins | LunarLoader has the ability to use Microsoft Outlook add-ins to establish persistence.[1] |
| Enterprise | T1620 | Reflective Code Loading | LunarLoader can use reflective loading to decrypt and run malicious executables in a new thread.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | LunarLoader can deobfuscate files containing the next stages in the infection chain.[1] |
| Enterprise | T1480 | Execution Guardrails | LunarLoader can use the DNS domain name of a compromised host to create a decryption key, ensuring a malicious payload can only execute against the intended targets.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | LunarLoader can verify the targeted host's DNS name, which is then used in the creation of a decryption key.[1] |