ESET researchers have discovered LightNeuron, a backdoor targeting Microsoft Exchange that can read, modify or block any email passing through the mail server. LightNeuron can also compose new email messages and send them under the identity of any legitimate user chosen by the attacker. The malware is controlled remotely via email messages carrying steganographic PDF and JPG attachments.
"We believe that IT security professionals should be aware of this new threat," said ESET researcher Matthieu Faou, who led the study.
LightNeuron has been attacking Microsoft Exchange mail servers since at least 2014. ESET investigators have identified three different victims of the backdoor, including a foreign ministry in an Eastern European country and a regional diplomatic mission in the Middle East.
ESET researchers have collected evidence demonstrating, with a high degree of confidence, that LightNeuron belongs to the arsenal of the notorious Turla cyber-espionage group, also known as Snake. This group and its activities have been extensively investigated by ESET.
LightNeuron is the first known malware to abuse the Microsoft Exchange Transport Agent mechanism. "In the mail server architecture, LightNeuron can operate at the same level of trust as security products, such as junk mail filters. As a result, this malware gives the attacker complete control of the mail server - and therefore of all email communications," explains Faou.
To disguise incoming C&C (command and control) messages, LightNeuron uses steganography to hide its commands inside ordinary PDF documents or JPG images.
LightNeuron's ability to control email communication makes it a perfect tool for covertly exfiltrating documents, as well as for controlling other machines on the local network through a C&C channel that is very difficult to detect and block.
"Due to security improvements in operating systems, attackers have stopped using kernel-level rootkits - the 'holy grail' of spyware malware. However, they persist in developing tools that can live on the system they target, search for valuable documents and remove them without raising any suspicion. The Turla team's LightNeuron emerged from this very process," Faou concludes.
ESET researchers warn that removing LightNeuron from a network is not easy: simply deleting the malicious files will not work, because the registered Transport Agent would then fail to load and the email server would stop.
"We urge IT managers to read the entire research paper before proceeding with the cleanup," Faou advises.
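The two points above, that LightNeuron registers as an Exchange Transport Agent and that deleting its files outright breaks the server, translate into a practical check. The following is an added example written for this page, not code from ESET or from the LightNeuron report: it enumerates the transport agents registered on an on-premises Exchange server from the Exchange Management Shell and flags any whose assembly lives outside the Exchange install directory or lacks a valid Authenticode signature, then shows the order of operations for unregistering an agent before its files are touched. It assumes Exchange 2013 or later, an account in Organization Management, and uses `<AgentName>` as a placeholder for whatever identity your own audit turns up; it is not an indicator from the report.

```powershell
# Added example (not from the ESET report): audit Exchange transport agents.
# LightNeuron registers as a transport agent, so an agent whose DLL is not under
# the Exchange install path, or whose DLL is unsigned or missing, deserves a look.
# Assumes: on-premises Exchange 2013+, run inside the Exchange Management Shell.

# ExchangeInstallPath is set on every Exchange server,
# e.g. C:\Program Files\Microsoft\Exchange Server\V15\
$installPath = $env:ExchangeInstallPath

# Get-TransportAgent exposes Identity, Enabled, Priority,
# TransportAgentFactory and AssemblyPath for each registered agent.
$report = foreach ($agent in (Get-TransportAgent -TransportService Hub)) {
    $asm          = $agent.AssemblyPath
    $inInstallDir = $asm -like "$installPath*"
    $sig          = if (Test-Path -LiteralPath $asm) {
                        Get-AuthenticodeSignature -FilePath $asm
                    } else { $null }

    [pscustomobject]@{
        Identity   = $agent.Identity
        Enabled    = $agent.Enabled
        Priority   = $agent.Priority
        Factory    = $agent.TransportAgentFactory
        Assembly   = $asm
        InExchange = $inInstallDir
        SigStatus  = if ($sig) { $sig.Status } else { 'FileMissing' }
        Signer     = if ($sig -and $sig.SignerCertificate) {
                         $sig.SignerCertificate.Subject
                     } else { '' }
        # Triage hint only: legitimate third-party agents can trip this too.
        Suspicious = (-not $inInstallDir) -or (-not $sig) -or ($sig.Status -ne 'Valid')
    }
}

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Cleanup caveat: unregister the agent BEFORE deleting anything. Removing the DLL
# of an agent that is still registered stops the transport service from loading.
# <AgentName> is a placeholder for the Identity found above, not an IoC.
Disable-TransportAgent   -Identity '<AgentName>' -Confirm:$false
Uninstall-TransportAgent -Identity '<AgentName>' -Confirm:$false
Restart-Service MSExchangeTransport

# Only now copy the assembly and the files alongside it off the box for analysis,
# then remove them from the server.
```

Run the audit on every Mailbox server (and with `-TransportService Edge` on Edge Transport servers), since agents are registered per server. Treat `Suspicious = True` as a prompt to inspect the DLL and its factory class, not as a verdict: well-known antispam or archiving products also install agents outside the Exchange directory, and a Microsoft-signed agent in the install path is the expected baseline.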
The detailed analysis, as well as the full list of indicators of compromise (IoCs), can be found in the study "LightNeuron Turla: One Email Away from Remote Code Execution" and on GitHub.