Lunarmail

Threat Actor Profile Updated 12 days ago
LunarMail is one of two previously unknown backdoors that ESET Research uncovered while investigating the compromise of a European Ministry of Foreign Affairs (MFA) and its diplomatic missions abroad; this profile tracks the toolset under that name. The reporting cited below (ESET, Securityaffairs) attributes the activity to Turla, which is also listed under the cluster overlaps. The two backdoors split the work by host type: LunarWeb is deployed on servers and talks to its command and control (C&C) server over HTTP(S), shaping its traffic to mimic legitimate requests, while LunarMail is installed on workstations, persists as an Outlook add-in and uses email messages as its C&C channel.

Both backdoors exfiltrate collected data over the same C&C channel and send it automatically rather than on demand. C&C traffic is encrypted with AES-256, and the AES key is itself encrypted with RSA-4096; collected data is compressed with a statically linked zlib library before it is sent. LunarMail receives its commands hidden in PNG images and returns results concealed in PNG images or PDF documents attached to outgoing mail, and it caps the size of those attachments so the exfiltration does not stand out from normal email.

Initial access observed in the campaign included spearphishing with a Word document whose malicious macro installs the LunarMail backdoor. Once running, LunarMail harvests the recipients of sent email messages and the email addresses of the Outlook profiles on the host, which hands the operator a pool of further targets, and it can take screenshots. Persisting as an Outlook add-in and using email for C&C keeps the workstation implant's activity inside the mail flow an MFA generates anyway, which is what makes it hard to spot with network monitoring alone.
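The most actionable detail on this page is the persistence mechanism: an Outlook add-in on workstations. Below is an added hunting example, not code from the page or from ESET's report, that parses a `.reg` export of the per-user Outlook add-in registration and flags add-ins Outlook auto-loads whose COM server DLL lives in a user-writable directory. The registry paths are the standard Office COM add-in locations; every ProgID, CLSID, DLL path and the `.reg` text itself are constructed for the example and are not indicators from the report.

```python
"""Hunt for auto-loaded per-user Outlook COM add-ins whose DLL sits in a
user-writable directory.

Added example for this profile; not code from the page or from ESET's report.
Registry locations are the standard Office COM add-in registration paths.
Every ProgID, CLSID, DLL path and the .reg text below are constructed for
illustration and are not indicators from the report.
"""

ADDINS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins"
CLASSES_KEY = r"HKEY_CURRENT_USER\Software\Classes"

# LoadBehavior is a bit field; bit 1 (0x2) means "load at application startup".
LOAD_AT_STARTUP = 0x2

# Path fragments an unprivileged user can normally write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

# Constructed sample resembling `reg export` output: one legitimate add-in in
# Program Files, one disabled add-in, and one auto-loaded add-in whose DLL
# sits under the user's roaming profile.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins\TeamsAddin.FastConnect]
"LoadBehavior"=dword:00000003
"FriendlyName"="Microsoft Teams Meeting Add-in for Microsoft Office"

[HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins\Old.Plugin]
"LoadBehavior"=dword:00000000
"FriendlyName"="Old Plugin"

[HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins\Sync.Helper]
"LoadBehavior"=dword:00000003
"FriendlyName"="Mail Sync Helper"

[HKEY_CURRENT_USER\Software\Classes\TeamsAddin.FastConnect\CLSID]
@="{11111111-2222-3333-4444-555555555555}"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\TeamsAddin.dll"

[HKEY_CURRENT_USER\Software\Classes\Old.Plugin\CLSID]
@="{22222222-3333-4444-5555-666666666666}"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{22222222-3333-4444-5555-666666666666}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\OldPlugin\\old.dll"

[HKEY_CURRENT_USER\Software\Classes\Sync.Helper\CLSID]
@="{66666666-7777-8888-9999-000000000000}"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Sync\\synchelper.dll"
"""


def _decode_value(raw):
    """Decode the dword and quoted-string value forms used by .reg files."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw


def parse_reg(text):
    """Parse .reg text into {lowercased key path: (original path, {value name: value})}.

    Registry key and value names are case-insensitive, so lookups use lowercase.
    The default value ("@" in .reg syntax) is stored under the empty name.
    """
    keys = {}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current.lower()] = (current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        name = "" if name == "@" else name.strip('"').lower()
        keys[current.lower()][1][name] = _decode_value(raw)
    return keys


def resolve_dll(keys, progid):
    """Follow ProgID -> CLSID -> InprocServer32 to find the add-in's DLL."""
    clsid_key = keys.get(f"{CLASSES_KEY}\\{progid}\\CLSID".lower())
    clsid = clsid_key[1].get("") if clsid_key else None
    if not clsid:
        return None
    server_key = keys.get(f"{CLASSES_KEY}\\CLSID\\{clsid}\\InprocServer32".lower())
    return server_key[1].get("") if server_key else None


def is_user_writable(path):
    """Heuristic: DLLs under user profiles, AppData, ProgramData or Temp."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def hunt(reg_text):
    """Return auto-loaded add-ins whose DLL lives in a user-writable directory."""
    keys = parse_reg(reg_text)
    prefix = ADDINS_KEY.lower() + "\\"
    findings = []
    for path, (original, values) in keys.items():
        # Only direct children of the Addins key name an add-in.
        if not path.startswith(prefix) or "\\" in path[len(prefix):]:
            continue
        progid = original.rsplit("\\", 1)[1]
        load_behavior = values.get("loadbehavior", 0)
        if not load_behavior & LOAD_AT_STARTUP:
            continue
        dll = resolve_dll(keys, progid)
        if dll is not None and is_user_writable(dll):
            findings.append({
                "progid": progid,
                "friendly_name": values.get("friendlyname", ""),
                "load_behavior": load_behavior,
                "dll": dll,
            })
    return findings


if __name__ == "__main__":
    for hit in hunt(SAMPLE_REG):
        print(f"[!] {hit['progid']} ({hit['friendly_name']}) "
              f"LoadBehavior={hit['load_behavior']} -> {hit['dll']}")
```

On a real host, export the Addins key and HKCU\Software\Classes with `reg export`, concatenate the files and pass the text to `hunt()`; repeat for HKLM, where per-machine add-ins and COM registrations live, because the heuristic only sees what is in the text it is given. A hit is a lead, not a verdict: check the DLL's signature and hash before acting on it.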
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the profiles below may refer to the same activity and are worth checking alongside this one.
Turla (2 votes): Turla, also known as Pensive Ursa, Snake, Uroburos, Waterbug, Venomous Bear, and KRYPTON, is a threat actor that has been active since at least 2004. This group, which is believed to be Russia-sponsored, primarily targets diplomatic and government organizations, private businesses, and non-governmen
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Outlook
Backdoor
Associated Malware
No associations to display
Associated Threat Actors
Lunarweb (type: Unspecified, 3 votes): LunarWeb is a threat actor discovered by ESET Research, responsible for the compromise of a European Ministry of Foreign Affairs (MFA) and its diplomatic missions abroad. LunarWeb, along with another backdoor named LunarMail, were deployed on servers and workstations respectively, using sophisticate
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Lunarmail Threat Actor was read from the documents below (this display is limited to 20 results).
ESET (12 days ago): To the Moon and back(doors): Lunar landing in diplomatic missions
Securityaffairs (11 days ago): Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs
Checkpoint (8 days ago): 20th May – Threat Intelligence Report - Check Point Research