Lunarmail

Threat Actor Profile Updated 2 months ago
LunarMail, identified as a threat actor by ESET Research, has been implicated in the compromise of a European Ministry of Foreign Affairs (MFA) and its diplomatic missions. The intrusion relies on two previously unknown backdoors, LunarWeb and LunarMail. LunarWeb is deployed on servers and uses HTTP(S) for its command and control (C&C) communications, blending in by mimicking legitimate requests. LunarMail is installed on workstations, persists as an Outlook add-in, and uses email messages for its C&C communications, a channel distinct from LunarWeb's.

Both backdoors exfiltrate data over their C&C channel and transmit collected data to the C&C server automatically. To stay unobtrusive, they cap the size of the email attachments that carry exfiltrated data and encrypt C&C communications with AES-256; the AES key is in turn encrypted with RSA-4096. LunarMail receives commands hidden in PNG images and sends out data concealed in PNG images or PDF documents. Both backdoors use a statically linked zlib library to compress the collected data.

Capabilities attributed to the actor include spearphishing with a Word document whose malicious macro installs the LunarMail backdoor. LunarMail collects the recipients of sent email messages and can gather the email addresses of Outlook profiles, giving the operators a large pool of potential targets for future attacks. It can also capture screenshots. The sophistication and stealth of these techniques call for robust, proactive defensive measures.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Turla (2 votes): Turla, also known as Pensive Ursa, is a sophisticated threat actor linked to Russia that has been active for many years. The group is known for its advanced cyber-espionage capabilities and has been associated with numerous high-profile breaches. According to the MITRE ATT&CK and MITRE Ingenuity dat…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor, Outlook, Spearphishing, Loader, Payload, Encryption, Windows, Malware, Encrypt, ESET, Phishing, APT, Exploit
Associated Malware
Reflective Loader (type unspecified, 1 vote): A reflective loader is a type of malware that can load a Dynamic Link Library (DLL) into a process, often without the user's knowledge. This technique allows the malware to execute malicious code directly from memory, making it harder for antivirus software to detect and remove it. The loader operat…

ZLib (type unspecified, 1 vote): zlib is the compression library that, as the profile above notes, both LunarWeb and LunarMail statically link in order to compress collected data before exfiltration; it is a legitimate library rather than malware in its own right, and its presence is relevant here only as a component of the backdoors.

LightNeuron (type unspecified, 1 vote): LightNeuron is a sophisticated malware developed by the Turla group, known for its complex and custom cyber threats. It shares operational similarities with LunarMail, another Turla backdoor, in that it uses email messages for command and control (C&C) purposes. The malware infects systems through s…
Associated Threat Actors
LunarWeb (type unspecified, 3 votes): LunarWeb is a threat actor discovered by ESET Research, responsible for the compromise of a European Ministry of Foreign Affairs (MFA) and its diplomatic missions abroad. LunarWeb, along with another backdoor named LunarMail, were deployed on servers and workstations respectively, using sophisticate…
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Lunarmail threat actor was read from the document corpus below. This display is limited to 20 results.
Check Point Research (2 months ago): 20th May – Threat Intelligence Report - Check Point Research
Security Affairs (2 months ago): Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs
ESET (2 months ago): To the Moon and back(doors): Lunar landing in diplomatic missions