8 May 2019

Turla APT uses custom backdoor to hijack Exchange Mail servers

The Russia-linked threat group Turla (aka Waterbug, KRYPTON, Venomous Bear or Snake) has been using a complex backdoor to hijack Microsoft Exchange mail servers. The malware, dubbed LightNeuron, abuses a legitimate feature of the Exchange server in order to hide out and access all of the target organization's messages.

According to the researchers at ESET, LightNeuron is the very first malware they have seen specifically targeting Microsoft Exchange email servers. It uses a previously unseen persistence technique: a Microsoft Exchange Transport Agent. This allows the Turla group to exfiltrate sensitive documents and control other local machines via a C&C mechanism that is very hard to detect and block.

Transport agents are designed to allow administrators to install custom software on an Exchange server that processes messages as they pass through the transport pipeline. Such an agent operates at the same level of trust as security products such as spam filters.

Using the backdoor, the attackers can read and modify any email going through the mail server, compose and send new emails, and also block any email, preventing the original recipient from receiving the message.

The researchers say that Turla has been using LightNeuron since at least 2014. ESET has identified three organizations targeted with the backdoor: a Ministry of Foreign Affairs in an Eastern European country, a regional diplomatic organization in the Middle East, and an entity in Brazil. The researchers noticed the victim in Brazil based on a sample uploaded to VirusTotal, but they weren’t able to determine the nature of the victim organization. ESET has analyzed a Windows version of the malware; however, based on the evidence they found, they suspect that a Linux version exists as well.

LightNeuron uses steganography to hide its commands inside a PDF document or a JPG image. To hijack the Exchange server the attackers only need to send an email with a specially crafted PDF document or JPG image to any email address of the compromised organization. The backdoor supports multiple commands that allow the threat actor to gain control of the target server, such as writing and executing files, deleting files, exfiltrating files, executing processes and commands, and disabling the backdoor for a specified number of minutes. Once the malware recognizes an email as a command email, the command is executed and the email is blocked directly on the Exchange server so the original recipient will not be able to view it.

If an organization falls victim to the attack, removing LightNeuron won’t be an easy task, as “simply removing the two malicious files will break Microsoft Exchange, preventing everybody in the organization from sending and receiving emails”, explain the researchers. They recommend disabling the malicious transport agent before removing the files.
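The following Exchange Management Shell snippet is an added example, not code from the article or from ESET's report. It lists the registered transport agents, flags those whose DLL loads from outside the Exchange install tree as candidates for closer review, and disables a named agent before its files are removed so the transport pipeline does not break. The agent name `SuspectAgent` is a placeholder, not a LightNeuron indicator; it assumes the shell runs on the Exchange server with Exchange administrator rights.

```powershell
# Added example (not from the article or ESET): audit Exchange transport agents
# and disable a suspect one safely, following the advice above to disable the
# agent before deleting its files.
# Assumes an Exchange server session with administrator rights; 'SuspectAgent'
# is a placeholder name, not an indicator from the report.

# Exchange sets ExchangeInstallPath on its servers; fall back to the usual default.
$exchangeRoot = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath }
                else { 'C:\Program Files\Microsoft\Exchange Server\' }

function Get-TransportAgentOutsideExchangeTree {
    # Built-in agents ship under the Exchange install tree. An agent loading a
    # DLL from elsewhere is not necessarily malicious (third-party antispam
    # products register agents too), but each one deserves a look: who installed
    # it, when, and whether the DLL hash matches a known vendor release.
    Get-TransportAgent | ForEach-Object {
        $outside = -not $_.AssemblyPath.StartsWith(
            $exchangeRoot, [System.StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            Identity            = $_.Identity
            Enabled             = $_.Enabled
            Priority            = $_.Priority
            Factory             = $_.TransportAgentFactory
            AssemblyPath        = $_.AssemblyPath
            OutsideExchangeTree = $outside
        }
    } | Where-Object { $_.OutsideExchangeTree }
}

# Triage view: which agents load code from outside the Exchange directory?
Get-TransportAgentOutsideExchangeTree | Format-List

function Disable-TransportAgentSafely {
    param([Parameter(Mandatory)][string]$Identity)
    # Disable and unregister first: if the files are deleted while the agent is
    # still registered, the transport service fails to load it and mail flow stops.
    Disable-TransportAgent   -Identity $Identity -Confirm:$false
    Uninstall-TransportAgent -Identity $Identity -Confirm:$false
    # The transport service only picks up agent configuration changes on restart.
    Restart-Service MSExchangeTransport
    # Only after this point should the DLL and its config be removed (after
    # preserving copies for forensic analysis).
}

# Disable-TransportAgentSafely -Identity 'SuspectAgent'
```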

A full list of Indicators of Compromise (IoCs) and samples is available in the white paper and on GitHub.
