Hide Navigation Hide TOC

LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)

LunarMail is a backdoor that has been used by Turla since at least 2020 including in a compromise of a European ministry of foreign affairs (MFA) in conjunction with LunarLoader and LunarWeb. LunarMail is designed to be deployed on workstations and can use email messages and Steganography in command and control.(Citation: ESET Turla Lunar toolset May 2024)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927)	Attack Pattern	1
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	1
LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	1
LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	1
LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d)	Attack Pattern	1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b)	Attack Pattern	1
LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004)	Attack Pattern	1
LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	1
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927)	Attack Pattern	2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b)	Attack Pattern	2
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004)	Attack Pattern	2
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	2