8 May 2019

Turla APT uses custom backdoor to hijack Exchange mail servers

The Russia-linked threat group Turla (aka Waterbug, KRYPTON, Venomous Bear or Snake) has been using a complex backdoor to hijack Microsoft Exchange mail servers. The malware, dubbed LightNeuron, abuses a legitimate feature of Exchange in order to hide on the server and access all of the target organization's messages.

According to researchers at ESET, LightNeuron is the first malware known to specifically target Microsoft Exchange email servers. It uses a previously unseen persistence technique: it registers itself as a Microsoft Exchange transport agent. This allows the Turla group to exfiltrate sensitive documents and control other local machines via a C&C mechanism that is very hard to detect and block.

Transport agents are a documented extension point that lets administrators install custom software into the Exchange mail flow. A transport agent runs at the same level of trust as security products such as spam filters, so it sees every message that transits the server.

Using the backdoor, the attackers can read and modify any email passing through the mail server, compose and send new emails, and block any email so that the original recipient never receives it.

The researchers say that Turla has been using LightNeuron since at least 2014. ESET has identified three organizations targeted with the backdoor: a Ministry of Foreign Affairs in an Eastern European country, a regional diplomatic organization in the Middle East, and an entity in Brazil. The researchers noticed the victim in Brazil based on a sample uploaded to VirusTotal, but they weren't able to determine the nature of the victim organization. ESET analyzed a Windows version of the malware, but based on the evidence they found they suspect that a Linux version exists as well.

LightNeuron uses steganography to hide its commands inside a PDF document or a JPG image. To control the compromised Exchange server the attackers only need to send an email carrying a specially crafted PDF document or JPG image to any email address in the compromised organization. The backdoor supports multiple commands that give the threat actor control of the target server, such as writing and executing files, deleting files, exfiltrating files, executing processes and commands, and disabling the backdoor for a specified number of minutes. Once the malware recognizes an email as a command email, it executes the command and blocks the email directly on the Exchange server, so the original recipient is never able to view it.

If an organization falls victim to the attack, removing LightNeuron won't be an easy task, as "simply removing the two malicious files will break Microsoft Exchange, preventing everybody in the organization from sending and receiving emails", the researchers explain. They recommend disabling the malicious transport agent before removing the files.
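The two practical points above, that a transport agent runs inside the Exchange mail flow and that it must be disabled before its files are removed, translate into a short triage routine for Exchange administrators. The following PowerShell is an added example written for this page; it is not code from ESET's report or from the LightNeuron analysis. It assumes it is run from the Exchange Management Shell on an Exchange 2013 or later server, uses only the documented Get-TransportAgent, Disable-TransportAgent, Uninstall-TransportAgent and Get-FileHash cmdlets, and treats "assembly lives outside the Exchange installation directory" as an assumed heuristic for what deserves a closer look, not as a verdict. The agent name "SuspiciousAgent" in the removal step is a placeholder.

```powershell
# Added example (not from the original article or ESET's paper).
# Inventory every transport agent on this server, across all transport
# services, and flag the ones whose assembly is not under the Exchange
# install directory. Legitimate third-party agents (e.g. antispam
# products) can also trip this heuristic, so treat hits as triage items.
$exchangeRoot = $env:ExchangeInstallPath
if (-not $exchangeRoot) {
    throw "Run this from the Exchange Management Shell on an Exchange server."
}

# Transport service roles available on Exchange 2013 and later.
$services = @('Hub', 'FrontEnd', 'MailboxSubmission', 'MailboxDelivery')

$report = foreach ($svc in $services) {
    foreach ($agent in (Get-TransportAgent -TransportService $svc)) {
        $path = $agent.AssemblyPath
        $outside = $false
        $hash = $null
        if ($path) {
            $outside = -not $path.StartsWith($exchangeRoot,
                        [System.StringComparison]::OrdinalIgnoreCase)
            if (Test-Path -LiteralPath $path) {
                # Hash is what you compare against the published IoC list.
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
        [pscustomobject]@{
            TransportService   = $svc
            Identity           = $agent.Identity
            Enabled            = $agent.Enabled
            Priority           = $agent.Priority
            Factory            = $agent.TransportAgentFactory
            AssemblyPath       = $path
            SHA256             = $hash
            OutsideExchangeDir = $outside
        }
    }
}

# Show everything, suspicious entries first.
$report | Sort-Object OutsideExchangeDir -Descending | Format-Table -AutoSize

# Removal order matters: disable and unregister the agent first, then
# restart the transport service, and only then delete the files on disk.
# Deleting a registered agent's DLL first leaves Exchange unable to load
# its agent pipeline, which is the outage the researchers warn about.
# "SuspiciousAgent" is a placeholder for the identity found above.
$target = 'SuspiciousAgent'
if ($report | Where-Object { $_.Identity -eq $target }) {
    Disable-TransportAgent   -Identity $target -Confirm:$false
    Uninstall-TransportAgent -Identity $target -Confirm:$false
    Restart-Service MSExchangeTransport
    # Now the DLL and its companion file can be preserved for forensics
    # and removed from disk.
}
```

Run the inventory on every Exchange server in the organization, not just the one that raised the alarm, since an agent is registered per server. Keep a copy of the flagged DLL and its configuration file before deleting them; the file hashes are what you match against the IoC list ESET published.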

A full list of indicators of compromise (IoCs) and samples is available in the white paper and on GitHub.
