ESET research has uncovered LightNeuron, a Microsoft Exchange backdoor that can read, modify or block any email going through the mail server, and even compose new emails and send them under the identity of any legitimate user of the attackers’ choice. The malware is remotely controlled via emails using steganographic PDF and JPG attachments.
“We believe that IT security professionals should be made aware of this new threat,” comments Matthieu Faou, the ESET malware researcher who conducted the research. LightNeuron has been targeting Microsoft Exchange mail servers since at least 2014. ESET researchers have identified three different victim organizations, among them a ministry of foreign affairs in an Eastern European country and a regional diplomatic organization in the Middle East.
ESET researchers have collected evidence suggesting, with a high level of confidence, that LightNeuron belongs to the arsenal of the infamous espionage group Turla, also known as Snake. This group and its activities are extensively covered by ESET research. LightNeuron is the first known malware misusing the Microsoft Exchange Transport Agent mechanism. “In the mail server architecture, LightNeuron can operate at the same level of trust as security products such as spam filters. As a result, this malware gives the attacker total control over the mail server – and thus, overall email communication,” explains Faou.
To make incoming command and control (C&C) emails look innocent, LightNeuron uses steganography to hide its commands inside valid PDF documents or JPG images. The ability to control the email communication makes LightNeuron a perfect tool for stealthy exfiltration of documents, and also for controlling other local machines via a C&C mechanism that is very hard to detect and block.
“Due to security improvements in operating systems, kernel rootkits, the holy grail of espionage malware, often quickly fade away from the attackers’ arsenal. However, the attackers’ need persists for tools that can live in the target system, hunt for valuable documents and siphon them off, all without generating any suspicion. LightNeuron emerged as Turla’s solution,” concludes Faou.
ESET researchers warn that cleaning LightNeuron from a network is no easy task: simply removing the malicious files does not work, as it would break the email server. “We encourage administrators to read the research paper in full before implementing a cleaning mechanism,” advises Faou. The detailed analysis, including the full list of Indicators of Compromise and samples, can be found in the research paper Turla LightNeuron: One Email Away from Remote Code Execution and on GitHub.
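Because LightNeuron registers itself through the Exchange Transport Agent mechanism, the first defensive check is an inventory of the agents the server actually runs. The script below is an added example, not code from ESET's paper: it assumes it runs in the Exchange Management Shell (where Get-TransportAgent is available and $env:ExchangeInstallPath is set) and flags any agent whose assembly lives outside the Exchange install tree or is not Microsoft-signed.

```powershell
# Added example (not from the ESET report): audit registered Exchange transport agents.
# Assumption: run from the Exchange Management Shell on the transport server, so that
# Get-TransportAgent exists and $env:ExchangeInstallPath points at the Exchange install root.

$exchangeRoot = $env:ExchangeInstallPath
if (-not $exchangeRoot) {
    throw "ExchangeInstallPath is not set; run this from the Exchange Management Shell."
}

$agents = Get-TransportAgent | ForEach-Object {
    $path = $_.AssemblyPath
    # Built-in agents ship under the Exchange install directory.
    $inExchangeDir = [bool]$path -and
        $path.StartsWith($exchangeRoot, [System.StringComparison]::OrdinalIgnoreCase)

    # Check the Authenticode signer of the agent assembly where the file is reachable.
    $signer = "file not found"
    if ($path -and (Test-Path $path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "unsigned" }
    }

    [pscustomobject]@{
        Identity      = $_.Identity
        Enabled       = $_.Enabled
        Priority      = $_.Priority
        Factory       = $_.TransportAgentFactory
        AssemblyPath  = $path
        InExchangeDir = $inExchangeDir
        Signer        = $signer
    }
}

$agents | Format-Table -AutoSize

# Agents outside the install tree or without a Microsoft signature deserve manual review.
# Legitimate third-party products (spam filters, DLP) register here too, so confirm each hit.
$suspect = $agents | Where-Object { -not $_.InExchangeDir -or $_.Signer -notlike "*Microsoft*" }
if ($suspect) {
    Write-Warning "Transport agents to review manually:"
    $suspect | Format-List Identity, Enabled, Factory, AssemblyPath, Signer
}
```

A flagged agent is a lead, not a verdict, since vendor spam filters register the same way. As the release notes, deleting a suspicious assembly without first unregistering the agent breaks the mail server, so follow the cleanup guidance in the full paper rather than removing files directly.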