Persistent MS Exchange malware believed to be the most advanced in Turla's arsenal

News by Bradley Barth

LightNeuron, the first known malware to achieve persistence in Microsoft Exchange email servers, allows attackers to secretly execute commands via malicious emails carrying attachments with hidden code.

Researchers have uncovered what they say is the very first malware to achieve persistence in Microsoft Exchange email servers, which allows attackers to secretly execute commands via malicious emails featuring attachments with hidden code.

Dubbed LightNeuron, the furtive backdoor has been targeting Exchange servers since at least 2014, according to a blog post from ESET, whose researchers have provisionally linked the threat to the Russian cyber-espionage group Turla. ESET discovered the backdoor on three victims: an unidentified Brazilian organisation, a Ministry of Foreign Affairs in Eastern Europe and a regional diplomatic organisation in the Middle East.

In addition to the confirmed Windows-based version, ESET believes there may be a Linux variant in use as well, based on artifacts turned up during its investigation.

The key to LightNeuron’s persistence technique is its ability to leverage "transport agents," which according to Microsoft are tools that let administrators install custom software on Exchange servers to process email messages as they pass through the transport pipeline. These transport agents are granted the same level of trust as spam filters and other security products, ESET explains, which makes a successful infection all the more dangerous and hard to detect.

Using XML-based rules, a LightNeuron Transport Agent can interfere with a victim’s emails in a variety of ways — blocking them; composing and sending new ones; modifying their content, subjects and recipients; replacing attachments and more.

But the attackers can do much more than alter emails. They can also send commands through the compromised Exchange server, enabling them to write executables, launch executables and processes, delete or exfiltrate sensitive files and essentially control local machines via the malware's command-and-control infrastructure.

To achieve this, the attackers simply send an email with a specially crafted PDF document or JPG image to any email address belonging to the infected organisation. The commands inside these attached documents are hidden using steganography techniques.

"Once an email is recognised as a command email, the command is executed and the email is blocked directly on the Exchange server. Thus, it is very stealthy and the original recipient will not be able to view it," states the blog post, authored by ESET researcher Matthieu Faou. Faou also penned an accompanying white paper that further details the threat.

Even when organisations are fortunate enough to detect LightNeuron in their systems, they will soon learn that remediating the situation is no easy feat either. "Simply removing the two malicious files will break Microsoft Exchange, preventing everybody in the organisation from sending and receiving emails," writes Faou. "Before actually removing the files, the malicious Transport Agent should be disabled."
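The remediation order Faou describes (disable the agent first, remove files second) maps onto a handful of standard Exchange Management Shell cmdlets. The script below is an added illustration and is not code from ESET or from the report: it inventories the transport agents registered on a server, flags any whose assembly lives outside the Exchange installation directory (which is where Microsoft's own agents reside) and records a SHA-256 of each flagged DLL, then shows how to disable and uninstall a named agent before its files are touched. The agent name `PLACEHOLDER-SuspectAgent` is a placeholder to be replaced with the identity from the inventory; `$env:ExchangeInstallPath` is the environment variable Exchange setup defines on the server.

```powershell
# Added example, not from the ESET report. Run from the Exchange Management
# Shell on the server being examined. Requires PowerShell 4+ for Get-FileHash.

# Exchange setup defines this variable; everything Microsoft ships lives under it.
$exchangeRoot = $env:ExchangeInstallPath
if (-not $exchangeRoot) {
    throw "ExchangeInstallPath is not set; run this inside the Exchange Management Shell on an Exchange server."
}

# Step 1: inventory every registered transport agent and flag those whose
# assembly is loaded from outside the Exchange install tree. A flagged entry is
# a triage lead, not a verdict: a legitimate third-party antispam agent will
# show up here too, so compare against your change records before acting.
$inventory = foreach ($agent in Get-TransportAgent) {
    $assembly = $agent.AssemblyPath
    $outsideExchange = $false
    if ($assembly) {
        $outsideExchange = -not $assembly.StartsWith($exchangeRoot, [System.StringComparison]::OrdinalIgnoreCase)
    }

    $hash = $null
    if ($assembly -and (Test-Path -LiteralPath $assembly)) {
        # Record a hash of the on-disk DLL so it can be preserved as evidence
        # and checked against published indicators before anything is deleted.
        $hash = (Get-FileHash -LiteralPath $assembly -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        Identity        = $agent.Identity
        Enabled         = $agent.Enabled
        Priority        = $agent.Priority
        Factory         = $agent.TransportAgentFactory
        AssemblyPath    = $assembly
        OutsideExchange = $outsideExchange
        Sha256          = $hash
    }
}

$inventory | Sort-Object Priority | Format-Table Identity, Enabled, OutsideExchange, AssemblyPath -AutoSize

# Keep a copy of the full inventory (including hashes) with the incident record.
$inventory | Export-Csv -NoTypeInformation -Path "$env:TEMP\transport-agent-inventory.csv"

# Step 2: remediation order from the report. Disabling and uninstalling the agent
# first de-registers it from the transport pipeline; deleting the DLL while the
# agent is still registered is what breaks mail flow for the whole organisation.
$suspect = "PLACEHOLDER-SuspectAgent"   # replace with the flagged agent's Identity

if ($inventory.Identity -contains $suspect) {
    Disable-TransportAgent   -Identity $suspect -Confirm:$false
    Uninstall-TransportAgent -Identity $suspect -Confirm:$false

    # The transport service only re-reads its agent configuration on restart.
    Restart-Service MSExchangeTransport

    # Only now is it safe to quarantine the files the agent pointed at, using the
    # AssemblyPath captured in the inventory above, rather than deleting them.
    Write-Host "Agent '$suspect' disabled and uninstalled; quarantine its files next."
}
```

On a server with many agents, the `OutsideExchange` column is the quickest first cut, but the exported CSV matters more: it preserves the agent's factory class name and DLL hash even after the agent is gone, which is what an incident responder needs to confirm the finding and to search other Exchange servers for the same assembly.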

ESET assesses with "medium confidence" that Turla is behind LightNeuron, basing its conclusions on a series of artifacts that researchers observed during their investigation, including malware, a script file name, and a packer and an abused email service all previously associated with past Turla activity. Moreover, the LightNeuron operators’ busiest hours generally coincide with the 9-to-5 workday in European Russia.

If LightNeuron is, in fact, a Turla creation, then it is "the most advanced known malware in Turla’s arsenal," ESET notes.

This article was originally published on SC Media US.
