From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A user executed a malicious JavaScript file linked to Lunar Spider, initiating a two-month intrusion. The file downloaded a Brute Ratel DLL, which then injected Latrodectus malware. The threat actor used various tools including Cobalt Strike, BackConnect, and a custom .NET backdoor for persistence and lateral movement. They harvested credentials from multiple sources and exfiltrated data using Rclone. The intrusion lasted nearly two months with intermittent C2 connections, discovery, lateral movement, and data theft. Despite comprehensive access to critical infrastructure, no ransomware deployment was observed.
OPENCTI LABELS :
cobalt strike,javascript,brute ratel c4,latrodectus,data-exfiltration,lateral-movement,backconnect,credential-harvesting,cobalt-strike,brute-ratel
AI COMMENTARY :
1. Introduction: From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion tells the story of a sophisticated threat actor who leveraged a single malicious JavaScript file to compromise an organization’s infrastructure for almost two months. This blog article examines how the initial execution of that file sparked a prolonged intrusion, the progression through various attack stages, the tools and techniques employed, and the ultimate data theft conducted without any ransomware deployment.
2. Initial Compromise and Malware Deployment: The attack began when an unsuspecting user executed a JavaScript file tied to Lunar Spider. That script reached out to a remote server and downloaded a Brute Ratel DLL to the host. Once loaded, Brute Ratel injected the Latrodectus malware into memory. This in-memory injection allowed the threat actor to evade many traditional antivirus solutions and maintain stealth while establishing a foothold in the environment.
3. Use of Cobalt Strike and BackConnect: With Latrodectus running, the adversary deployed Cobalt Strike implants to set up reliable command and control connections. Intermittent C2 channels enabled them to send instructions, retrieve data, and stage subsequent payloads. The attacker also leveraged the BackConnect framework to proxy additional communications, further masking traffic and reducing the risk of detection by network defenders.
4. Custom .NET Backdoor and Persistence: To ensure continued access, the threat actor installed a bespoke backdoor developed in .NET. This implant achieved persistence by modifying startup routines and hiding its presence under legitimate process names. The custom backdoor delivered full remote control capabilities, providing the attacker with flexibility for credential harvesting and lateral movement across critical systems.
5. Credential Harvesting and Lateral Movement: Over the course of the intrusion, the attacker harvested credentials from local Windows stores, remote registry hives, and network authentication caches. With valid credentials in hand, they performed lateral movement to high-value servers and workstations. This phase showed a deliberate approach, avoiding noisy techniques and prioritizing stealthy replication of tools and remote execution methods.
6. Data Exfiltration and Lessons Learned: Once the adversary reached sensitive data repositories, they used Rclone to exfiltrate stolen files to cloud storage under their control. Despite comprehensive access to critical infrastructure elements, no ransomware payloads were deployed, indicating a pure data theft mission. Organizations should strengthen endpoint monitoring for in-memory threats, enforce strict network segmentation, and scrutinize anomalous credential usage to detect similar intrusion campaigns early.