LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)

LunarMail is a backdoor that has been used by Turla since at least 2020 including in a compromise of a European ministry of foreign affairs (MFA) in conjunction with LunarLoader and LunarWeb. LunarMail is designed to be deployed on workstations and can use email messages and Steganography in command and control.(Citation: ESET Turla Lunar toolset May 2024)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	LunarMail - S1142 (a5789a26-2b7b-4b2d-a25f-31182468d4bb)	Malware	1
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004)	Attack Pattern	Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b)	Attack Pattern	2
Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d)	Attack Pattern	Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	2
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	2