The Russia-linked threat group Turla (aka Waterbug, KRYPTON, Venomous Bear or Snake) has been using a complex backdoor to hijack Microsoft Exchange mail servers. The malware, dubbed LightNeuron, abuses a legitimate feature of the Exchange server in order to hide out and access all of the target organization's messages.

According to the researchers at ESET, LightNeuron is what they say the very first malware specifically targeting Microsoft Exchange email servers. It uses previously unseen persistence technique: Microsoft Exchange Transport Agent. It allows Turla group to exfiltrate sensitive documents and control other local machines via a C&C mechanism that is very hard to detect and block.

Transport agents are designed to allow users to install custom software on Exchange server. The tool operates at the same level of trust as security products such as spam filters.

Using the backdoor the attackers can read and modify any email going through the mail server, compose and send new emails, and also block any email preventing the original recipient from receiving the message.

The researchers say that Turla has been using LightNeuron since at least 2014. ESET has identified three organizations targeted with the backdoor: a Ministry of Foreign Affairs in an Eastern European country, a regional diplomatic organization in the Middle East, and an entity in Brazil. The researchers noticed the victim in Brazil based on a sample uploaded to VirusTotal, but they weren’t able to determine the nature of the victim organization. ESET has analized a Windows version of the malware, however, based on the evidence they found they suspect that a Linux version exists as well.

LightNeuron uses steganography to hide its commands inside a PDF document or a JPG image. To hijack the Exchange server the attackers only need to send an email with a specially crafted PDF document or JPG image to any email address of the compromised organization. The backdoor supports multiple commands that allow the threat actor to gain control of the target server, such as writing and executing files, deleting files, exfiltrating files, executing processes and commands, and disabling the backdoor for a specified number of minutes. Once the malware recognizes an email as a command email, the command is executed and the email is blocked directly on the Exchange server so the original recipient will not be able to view it.

If an organization falls victim to the attack, removing LightNeuron won’t be an easy task as “simply removing the two malicious files will break Microsoft Exchange, preventing everybody in the organization from sending and receiving emails”, explain the researchers. They recommend to disable malicious transport agent before removing files.

A full list of Indicators of Compromise (IoCs) and samples are available in the white paper and on the GitHub.