S1142 LunarMail
LunarMail is a backdoor that has been used by Turla since at least 2020 including in a compromise of a European ministry of foreign affairs (MFA) in conjunction with LunarLoader and LunarWeb. LunarMail is designed to be deployed on workstations and can use email messages and Steganography in command and control.1
| Item | Value |
|---|---|
| ID | S1142 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 26 June 2024 |
| Last Modified | 16 August 2024 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.003 | Mail Protocols | LunarMail can communicates with C2 using email messages via the Outlook Messaging API (MAPI).1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.005 | Visual Basic | LunarMail has been installed using a VBA macro.1 |
| enterprise | T1543 | Create or Modify System Process | LunarMail can create an arbitrary process with a specified command line and redirect its output to a staging directory.1 |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.002 | Steganography | LunarMail can parse IDAT chunks from .png files to look for zlib-compressed and AES encrypted C2 commands.1 |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | LunarMail can create a directory in %TEMP%\ to stage data prior to exfilration.1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | LunarMail can decrypt strings to retrieve configuration settings.1 |
| enterprise | T1114 | Email Collection | - |
| enterprise | T1114.001 | Local Email Collection | LunarMail can capture the recipients of sent email messages from compromised accounts.1 |
| enterprise | T1041 | Exfiltration Over C2 Channel | LunarMail can use email image attachments with embedded data for receiving C2 commands and data exfiltration.1 |
| enterprise | T1083 | File and Directory Discovery | LunarMail can search its staging directory for output files it has produced.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | LunarMail can delete the previously used staging directory and files on subsequent rounds of exfiltration and replace it with a new one.1 |
| enterprise | T1070.008 | Clear Mailbox Data | LunarMail can set the PR_DELETE_AFTER_SUBMIT flag to delete messages sent for data exfiltration.1 |
| enterprise | T1095 | Non-Application Layer Protocol | LunarMail can ping a specific C2 URL with the ID of a victim machine in the subdomain.1 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | LunarMail has used RC4 and AES to encrypt strings and its exfiltration configuration respectively.1 |
| enterprise | T1137 | Office Application Startup | - |
| enterprise | T1137.006 | Add-ins | LunarMail has the ability to use Outlook add-ins for persistence.1 |
| enterprise | T1113 | Screen Capture | LunarMail can capture screenshots from compromised hosts.1 |
| enterprise | T1082 | System Information Discovery | LunarMail can capture environmental variables on compromised hosts.1 |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | LunarMail has been installed through a malicious macro in a Microsoft Word document.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0010 | Turla | 1 |