
S1141 LunarWeb

LunarWeb is a backdoor that has been used by Turla since at least 2020, including in a compromise of a European ministry of foreign affairs (MFA) together with LunarLoader and LunarMail. LunarWeb has only been observed deployed against servers and can use steganography to obfuscate command and control.[1]

| Item | Value |
|---|---|
| ID | S1141 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 26 June 2024 |
| Last Modified | 16 August 2024 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | LunarWeb can use POST to send victim identification to C2 and GET to retrieve commands.[1] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | LunarWeb can create a ZIP archive with specified files and directories.[1] |
| enterprise | T1560.002 | Archive via Library | LunarWeb can zlib-compress data prior to exfiltration.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | LunarWeb has the ability to run shell commands via PowerShell.[1] |
| enterprise | T1059.003 | Windows Command Shell | LunarWeb can run shell commands using a BAT file with a name matching `%TEMP%\<random_9_alnum_chars>.bat`, or through cmd.exe with the /c and /U options for Unicode output.[1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | LunarWeb can use Base64 encoding to obfuscate C2 commands.[1] |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.002 | Steganography | LunarWeb can receive C2 commands hidden in the structure of .jpg and .gif images.[1] |
| enterprise | T1030 | Data Transfer Size Limits | LunarWeb can split exfiltrated data that exceeds 1.33 MB in size into multiple random-sized parts between 384 and 512 KB.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | LunarWeb can decrypt strings related to communication configuration using RC4 with a static key.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | LunarWeb can send AES-encrypted C2 commands.[1] |
| enterprise | T1573.002 | Asymmetric Cryptography | LunarWeb can send short C2 commands, up to 512 bytes, encrypted with RSA-4096.[1] |
| enterprise | T1083 | File and Directory Discovery | LunarWeb has the ability to retrieve directory listings.[1] |
| enterprise | T1615 | Group Policy Discovery | LunarWeb can capture information on group policy settings.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | LunarWeb can self-delete from a compromised host if safety checks of C2 connectivity fail.[1] |
| enterprise | T1559 | Inter-Process Communication | LunarWeb can retrieve output from arbitrary processes and shell commands via a pipe.[1] |
| enterprise | T1104 | Multi-Stage Channels | LunarWeb can use one C2 URL for first contact and to upload information about the host computer, and two additional C2 URLs for getting commands.[1] |
| enterprise | T1135 | Network Share Discovery | LunarWeb can identify shared resources in compromised environments.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | The LunarWeb install files have been encrypted with AES-256.[1] |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.001 | Local Groups | LunarWeb can discover local group memberships.[1] |
| enterprise | T1057 | Process Discovery | LunarWeb has used shell commands to list running processes.[1] |
| enterprise | T1572 | Protocol Tunneling | LunarWeb can run a custom binary protocol under HTTPS for C2.[1] |
| enterprise | T1090 | Proxy | LunarWeb has the ability to use an HTTP proxy server for C&C communications.[1] |
| enterprise | T1518 | Software Discovery | LunarWeb can list installed software on compromised systems.[1] |
| enterprise | T1518.001 | Security Software Discovery | LunarWeb has run shell commands to obtain a list of installed security products.[1] |
| enterprise | T1082 | System Information Discovery | LunarWeb can use WMI queries and shell commands such as systeminfo.exe to collect the operating system, BIOS version, and domain name of the targeted system.[1] |
| enterprise | T1016 | System Network Configuration Discovery | LunarWeb can use shell commands to discover network adapters and configuration.[1] |
| enterprise | T1049 | System Network Connections Discovery | LunarWeb can enumerate system network connections.[1] |
| enterprise | T1033 | System Owner/User Discovery | LunarWeb can collect user information from the targeted host.[1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.003 | Time Based Checks | LunarWeb can pause for a number of hours before entering its C2 communication loop.[1] |
| enterprise | T1047 | Windows Management Instrumentation | LunarWeb can use WMI queries for discovery on the victim host.[1] |
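As an added example (not from the ATT&CK page or the LunarWeb research), a defender-side heuristic for the T1030 behaviour above: it scans constructed proxy-style log lines for runs of POSTs from one source to one host whose bodies each fit the 384 to 512 KB window and together exceed 1.33 MB. The log format, the host names and the binary interpretation of KB/MB are assumptions.

```python
import re
from collections import defaultdict

KB = 1024                                    # assumption: KB/MB are binary units
MIN_PART, MAX_PART = 384 * KB, 512 * KB      # per-part window from the T1030 row
TOTAL_THRESHOLD = int(1.33 * KB * KB)        # splitting only applies above 1.33 MB

# Constructed log format (assumption): "<time> <src_ip> <method> <host> <request_bytes>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d+)$")

# Constructed sample: one suspicious flow, one single large upload, one short flow
SAMPLE_LOG = """\
10:00:01 10.0.0.5 POST cdn.example.test 450000
10:00:02 10.0.0.5 POST cdn.example.test 480000
10:00:03 10.0.0.5 POST cdn.example.test 500000
10:00:04 10.0.0.5 GET cdn.example.test 200
10:01:00 10.0.0.7 POST files.example.test 2000000
10:02:00 10.0.0.9 POST cdn.example.test 400000
10:02:01 10.0.0.9 POST cdn.example.test 400000
"""


def parse_posts(log):
    """Yield (src, host, size) for every POST line that matches the format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "POST":
            yield m.group(2), m.group(4), int(m.group(5))


def find_chunked_uploads(log):
    """Return {(src, host): [sizes]} for flows that look like split exfiltration.

    A flow is flagged when every POST body sits in the 384-512 KB window and
    the bodies together exceed 1.33 MB (which needs at least three parts).
    """
    flows = defaultdict(list)
    for src, host, size in parse_posts(log):
        flows[(src, host)].append(size)
    hits = {}
    for key, sizes in flows.items():
        in_window = all(MIN_PART <= s <= MAX_PART for s in sizes)
        if in_window and sum(sizes) > TOTAL_THRESHOLD:
            hits[key] = sizes
    return hits


if __name__ == "__main__":
    for (src, host), sizes in find_chunked_uploads(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {len(sizes)} parts, {sum(sizes)} bytes total")
```

The single 2 MB upload and the two-request flow are deliberately left unflagged, so the heuristic only fires on the size profile the table describes; tune the window if your proxy logs count headers as well as bodies.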

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0010 | Turla | [1] |

References