LunarWeb is a backdoor that has been used by Turla since at least 2020, including in a compromise of a European ministry of foreign affairs (MFA) together with LunarLoader and LunarMail. LunarWeb has only been observed deployed against servers and can use steganography to obfuscate command and control.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | LunarWeb can use WMI queries for discovery on the victim host.[1] |
| Enterprise | T1090 | Proxy | LunarWeb has the ability to use an HTTP proxy server for C&C communications.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | LunarWeb can send short C2 commands, up to 512 bytes, encrypted with RSA-4096.[1] |
| Enterprise | T1572 | Protocol Tunneling | LunarWeb can run a custom binary protocol under HTTPS for C2.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | LunarWeb can decrypt strings related to communication configuration using RC4 with a static key.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | LunarWeb has the ability to run shell commands via PowerShell.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | LunarWeb can run shell commands using a BAT file with a name matching |
| Enterprise | T1104 | Multi-Stage Channels | LunarWeb can use one C2 URL for first contact and to upload information about the host computer, and two additional C2 URLs for getting commands.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | LunarWeb can use |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | LunarWeb can create a ZIP archive with specified files and directories.[1] |
| Enterprise | T1560.002 | Archive Collected Data: Archive via Library | |
| Enterprise | T1030 | Data Transfer Size Limits | LunarWeb can split exfiltrated data that exceeds 1.33 MB in size into multiple randomly sized parts between 384 and 512 KB.[1] |
| Enterprise | T1001.002 | Data Obfuscation: Steganography | LunarWeb can receive C2 commands hidden in the structure of .jpg and .gif images.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | LunarWeb can use Base64 encoding to obfuscate C2 commands.[1] |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | The LunarWeb install files have been encrypted with AES-256.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | LunarWeb can self-delete from a compromised host if safety checks of C2 connectivity fail.[1] |
| Enterprise | T1082 | System Information Discovery | LunarWeb can use WMI queries and shell commands such as systeminfo.exe to collect the operating system, BIOS version, and domain name of the targeted system.[1] |
| Enterprise | T1033 | System Owner/User Discovery | LunarWeb can collect user information from the targeted host.[1] |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | LunarWeb can use shell commands to discover network adapters and configuration.[1] |
| Enterprise | T1615 | Group Policy Discovery | LunarWeb can capture information on group policy settings.[1] |
| Enterprise | T1135 | Network Share Discovery | LunarWeb can identify shared resources in compromised environments.[1] |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | LunarWeb can pause for a number of hours before entering its C2 communication loop.[1] |
| Enterprise | T1518 | Software Discovery | LunarWeb can list installed software on compromised systems.[1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | LunarWeb has run shell commands to obtain a list of installed security products.[1] |
| Enterprise | T1057 | Process Discovery | LunarWeb has used shell commands to list running processes.[1] |
| Enterprise | T1559 | Inter-Process Communication | LunarWeb can retrieve output from arbitrary processes and shell commands via a pipe.[1] |