S1143 LunarLoader
LunarLoader is the loader component for the LunarWeb and LunarMail backdoors. It has been used by Turla since at least 2020, including against a European ministry of foreign affairs (MFA). LunarLoader has been observed both as a standalone component and as part of trojanized open-source software such as AdmPwd.[1]
| Item | Value |
|---|---|
| ID | S1143 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 27 June 2024 |
| Last Modified | 27 June 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1140 | Deobfuscate/Decode Files or Information | LunarLoader can deobfuscate files containing the next stages in the infection chain.[1] |
| enterprise | T1480 | Execution Guardrails | LunarLoader can use the DNS domain name of a compromised host to derive a decryption key, ensuring the malicious payload can only execute on the intended targets.[1] |
| enterprise | T1137 | Office Application Startup | - |
| enterprise | T1137.006 | Add-ins | LunarLoader has the ability to use Microsoft Outlook add-ins to establish persistence.[1] |
| enterprise | T1620 | Reflective Code Loading | LunarLoader can use reflective loading to decrypt and run malicious executables in a new thread.[1] |
| enterprise | T1016 | System Network Configuration Discovery | LunarLoader can verify the targeted host's DNS name, which is then used in the creation of a decryption key.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0010 | Turla | [1] |