Related Families: LunarMail, LunarLoader, LunarWeb
Verticals Targeted: Government
Executive Summary
Venomous Bear was observed targeting a European Ministry of Foreign Affairs using a new toolset, dubbed the Lunar toolset.
Key Takeaways
- Venomous Bear was observed targeting a European Ministry of Foreign Affairs using a new toolset, dubbed the Lunar toolset.
- The toolset includes LunarLoader, LunarWeb, and LunarMail.
- LunarWeb backdoor is deployed on servers and uses HTTPs for C2 communications.
- LunarMail backdoor is deployed on workstations and uses email for C2 communications.
- Both backdoors use LunarLoader.
The Campaign
Venomous Bear was observed targeting a European ministry of foreign affairs and its diplomatic missions in the Middle East using a new toolset, dubbed the Lunar toolset. The toolset, which has likely been in use since at least 2020, includes two backdoors, LunarWeb and LunarMail, and a loader dubbed LunarLoader. ESET reported on this activity.
Initial Attack Vector
While the initial attack vector is uncertain, spearphishing and abuse of misconfigured Zabbix software are suspected.
LunarLoader
ESET discovered LunarWeb after detecting a loader decrypting and running a payload from an external file on a previously unknown server. The discovery of LunarWeb also led researchers to discover LunarMail. Both backdoors use the same loader, dubbed LunarLoader. LunarLoader has been observed as both a standalone loader and as part of trojanized software. LunarLoader uses three different persistence methods, which include use of a group policy extension, replacing a legitimate Windows DLL, and an Outlook add-in.
LunarWeb
LunarWeb is deployed only on servers and uses HTTPs for C2 communication. It mimics legitimate requests. LunarWeb collects a variety of information about the victim machine, including the operating system version and serial number, BIOS version and serial number, and domain name. It also gathers additional information via shell commands, including the output of systeminfo.exe, environment variables, network adapters, a list of running processes, a list of services, and a list of installed security products. It then sends the information to the C2. LunarWeb can also receive commands from the C2. These include file and process operations, running shell and PowerShell commands, and running Lua code. Both LunarWeb and LunarMail backdoors use steganography to hide commands in images in order to evade detection.
LunarMail
LunarMail is deployed only on workstations. It uses an Outlook add-in for persistence and uses email for C2 communications. It shares similarities with LunarWeb, despite using a different method to communicate with the C2. LunarMail collects environment variables and the email addresses of all email recipients. Running inside Outlook, it uses email to receive commands and exfiltrate data. LunarMail’s capabilities include writing files, creating new processes, and screenshotting and modifying the C2 email address. It also supports Lua scripts, but unlike LunarWeb, it does not have the ability to run shell or PowerShell commands.
Who is Venomous Bear?
Venomous Bear, also known as Snake, Turla, Oroburos, Waterbug, Krypton, Hippo Team, Iron Hunter, and Blue Python, is a Russia nexus threat actor group known to target Eastern Bloc nations, as well as other targets worldwide. The group has been active since at least 2004 and may have been active as early as the 1990s. Industry researchers assess Venomous Bear is affiliated with the FSB.
Venomous Bear is believed to be responsible for a 2008 attack on US Central Command. Venomous Bear was also previously observed targeting defense and cybersecurity entities in the Baltic region using malicious documents. In the midst of the ongoing Russia-Ukraine conflict, Venomous Bear used malicious Android apps to target entities in Ukraine.
IOCs
PolySwarm has a sample associated with this campaign.
d2fad779289732d1edf932b62278eb3090eb814d624f2e0a4fbbc613495c55e8
You can use the following CLI command to search for all Venomous Bear samples in our portal:
$ polyswarm link list -t VenomousBear
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.