Lunarmail

LunarMail, identified as a threat actor by ESET Research, has been implicated in the compromise of a European Ministry of Foreign Affairs (MFA) and its diplomatic missions. This cyber threat employs two previously unknown backdoors, LunarWeb and LunarMail, to infiltrate and exploit systems. LunarWeb is primarily deployed on servers, using HTTP(S) for its command and control (C&C) communications, effectively mimicking legitimate requests. LunarMail, on the other hand, is installed on workstations, persisting as an Outlook add-in and utilizing email messages for its C&C communications. The attacker also incorporated a secondary backdoor, LunarMail, which uses a distinct method for C&C communications. These backdoors not only infiltrate systems but also exfiltrate data over the C&C channel. Both LunarWeb and LunarMail automatically transmit collected data to the C&C server. To maintain secrecy, they limit the size of email attachments containing exfiltrated data and encrypt their C&C communications using AES-256. Additionally, the AES key used in these communications is further encrypted with RSA-4096. LunarMail receives commands hidden in PNG images and sends out data concealed within PNG images or PDF documents. Moreover, both backdoors employ a statically linked zlib library for compressing the collected data. The threat actor LunarMail exhibits a range of capabilities, including spearphishing attacks that involve a Word document installing a LunarMail backdoor via a malicious macro. LunarMail collects recipients of sent email messages and can gather email addresses of Outlook profiles, providing a vast pool of potential targets for future attacks. It also has the ability to capture screenshots, further enhancing its data collection capabilities. The discovery of these sophisticated techniques underscores the growing complexity and stealth of such cyber threats, necessitating robust and proactive cybersecurity measures.