LightNeuron acquires the absolute control of email

ESET researchers have discovered LightNeuron, a backdoor for Microsoft Exchange that can read, modify or block any email passing through the mail server. LightNeuron can also compose new email messages and send them under the identity of any legitimate user chosen by the attacker. The malware is controlled remotely via email messages carrying steganographic PDF and JPG attachments.

"We believe that IT security professionals should be aware of this new threat," said ESET researcher Matthieu Faou, who led the study.

LightNeuron has been attacking Microsoft Exchange mail servers since at least 2014. ESET investigators have identified three different victims of the backdoor, including a foreign ministry in an Eastern European country and a regional diplomatic mission in the Middle East.

ESET researchers have collected evidence that demonstrates, with sufficient certainty, that LightNeuron belongs to the arsenal of the notorious cyber espionage group Turla, also known as Snake. This group and its activities have been extensively investigated by ESET.

LightNeuron is the first known malware to abuse a Microsoft Exchange Transport Agent. "In the mail server architecture, LightNeuron can operate at the same level of trust as security products, such as junk mail filters. As a result, this malware gives the attacker complete control of the mail server, and therefore of all email communications," explains Faou.
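A defender-side check that follows from this point, added here as an example and not taken from the ESET paper or this article: it lists every Transport Agent the server has registered and flags those whose assembly sits outside the Exchange install tree or lacks a valid Microsoft Authenticode signature. It assumes the Exchange Management Shell, the built-in Get-TransportAgent and Get-AuthenticodeSignature cmdlets, and the ExchangeInstallPath environment variable that the Exchange installer sets.

```powershell
# Added example, not code from the ESET paper or this article: inventory the
# transport agents registered on an Exchange server and flag those whose DLL
# lives outside the Exchange install tree or is not Authenticode-signed by
# Microsoft. Assumes the Exchange Management Shell on the server, where the
# installer sets $env:ExchangeInstallPath.
function Get-TransportAgentReport {
    $exchangeRoot = $env:ExchangeInstallPath
    if (-not $exchangeRoot) {
        throw "ExchangeInstallPath is not set; run this in the Exchange Management Shell."
    }
    foreach ($agent in Get-TransportAgent) {
        $path = $agent.AssemblyPath
        $findings = @()
        # Built-in agents ship under the install directory; anything else
        # (legitimate third-party AV agents included) deserves a manual look.
        if ($path -and -not $path.StartsWith($exchangeRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings += 'assembly outside Exchange install directory'
        }
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $findings += "signature status: $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                # Heuristic: Exchange's own agents are signed by Microsoft.
                $findings += "signed by: $($sig.SignerCertificate.Subject)"
            }
        } elseif ($path) {
            $findings += 'assembly path does not exist on disk'
        }
        [pscustomobject]@{
            Identity     = $agent.Identity
            Enabled      = $agent.Enabled
            Priority     = $agent.Priority
            Factory      = $agent.TransportAgentFactory
            AssemblyPath = $path
            Findings     = ($findings -join '; ')
        }
    }
}

# Review every row with a non-empty Findings column and cross-check unknown
# agents against the IoCs in the ESET paper before attempting any cleanup.
Get-TransportAgentReport | Sort-Object Priority | Format-Table -AutoSize
```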


To receive commands over its C&C (command and control) channel, LightNeuron uses steganography to hide them inside ordinary PDF documents or JPG images.

LightNeuron's ability to control email communication makes it a perfect tool for covertly exfiltrating documents, as well as for controlling other local machines through a C&C mechanism that is very difficult to detect and block.

"Due to security improvements in operating systems, attackers have stopped using kernel-level rootkits, the 'grail' of spyware. However, they persist in developing tools that can live on the system they target, search for valuable documents and remove them without raising any suspicion. From this, the Turla team's LightNeuron emerged," Faou concludes.

ESET researchers warn that removing LightNeuron from a network is not easy: simply deleting the malicious files will not work, as doing so will shut down the email server.

"We urge IT managers to read the entire research paper before proceeding with the cleanup," Faou advises.

The detailed findings, as well as the full list of indicators of compromise (IoCs), can be found in the study "LightNeuron Turla: One Email Away from Remote Code Execution" and on GitHub.

_________________

iGuRu.gr

Written by newsbot