Lunarmail

Threat Actor updated a month ago (2024-10-15T10:03:24.112Z)
LunarMail is a previously unknown backdoor linked to the Russia-aligned Turla APT, discovered by ESET researchers while investigating a cyber-espionage campaign against European government agencies. First observed in 2020, the campaign relies on two custom backdoors, LunarWeb and LunarMail, which use techniques such as steganography and embedded Lua scripting. LunarWeb is typically deployed on servers and talks to its command and control (C&C) infrastructure over HTTP(S), mimicking legitimate requests to evade detection. LunarMail is deployed on workstations running Microsoft Outlook and carries its C&C traffic inside email messages through the Outlook Messaging API (MAPI), which lets it blend in where HTTPS traffic is monitored. The LunarMail backdoor persists as an Outlook add-in and can create processes, take screenshots, write files, and execute Lua scripts. It has no dedicated commands for running shell or PowerShell commands, but its ability to execute Lua scripts lets it run them indirectly. The campaign also involved spear-phishing, including a weaponized Word document used to install the LunarMail backdoor, which extended the reach and effectiveness of the attack. Both LunarWeb and LunarMail exfiltrate data over their respective C&C channels, posing a significant threat to the confidentiality of sensitive information. The attribution of these tools to Turla, a group known for its links to Russian state interests, underscores the geopolitical implications of the campaign. The discovery highlights the need for robust security controls, particularly in organizations handling sensitive data, to counter threats of this sophistication.
Description last updated: 2024-10-15T09:21:20.156Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Alias: Turla
Description: Turla is a possible alias for Lunarmail. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (
Votes: 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Outlook
Backdoor
PowerShell
Associated Threat Actors
Alias: Lunarweb
Description: The Lunarweb Threat Actor is associated with Lunarmail. LunarWeb is a sophisticated threat actor identified by ESET researchers, linked to Russian state interests. The group was first observed in 2020 and has been associated with two previously unknown backdoors, LunarWeb and LunarMail, which were utilized to breach the European Ministry of Foreign Affai
Association Type: Unspecified
Votes: 3