Turla cyberespionage groups developed an advanced piece of Malware named as LightNeuron that specifically target the Microsoft exchange server and spying on sensitive emails.
Turla, also known as Snake is one of the most potent APT hacker’s group and the This APT group well-known for using sophisticated customized tools to attack high profile targets.
Tular is also responsible for some of the high-profile breaches including United States Central Command in 2008, Swiss military company RUAG in 2014, French Armed Forces in 2018 and the APT has actively attacked more than a decade.
They LightNeuron malware developed with advanced futures with two essential facts that are spying on emails and acting as a full-feature backdoor in Microsoft exchange server.
Turla APT was carrying an extensive arsenal of various hacking tools that can bypass all the major platform including Windows, macOS, and Linux.
Attack on Microsoft Exchange Servers
The initial stage of LighNeuron malware infection on Microsoft Exchange servers starts by leveraging a Microsoft Exchange Transport Agent.
Microsoft Exchange allows extending its functionalities using Transport Agents that can process and modify all email messages going through the mail server. Transport Agents can have been created by Microsoft, third-party vendors, or directly within an organization.
LighNeuron using two main components, a Transport Agent that registered in the Microsoft Exchange configuration, and a companion 64-bit Dynamic Link Library (DLL) containing most of the malicious code.
Researchers believe that this is the first time hackers abusing the Transport agent for malicious purpose. In this case, Macious Transport agent is responsible for establishing the communication between Microsoft Exchange with the main malicious DLL.
Once the Microsoft Exchange server successfully compromised, then it received emails containing commands for the backdoor.
Hackers issue commands to the backdoor via emails and uses steganography to store data in PDF and JPG attachments to ensure that the command is hidden.
LightNeuron malware can also be instructed to write and execute files, delete and exfiltrate them, execute processes, disable itself, perform extensive logging (backdoor actions, debug, error, etc.)
According to the ESET report, During the course of our investigation, we noticed alongside LightNeuron the presence of several tools used to control other machines on the local network. These tools include Remote Administration Software, RPCbased malware or .NET web shells targeting Outlook Web Access. By leveraging them, attackers are able to control other machines on the local network using emails sent to the Exchange server.
Once LightNeuron Malware takes the complete control of the exchange server, it can able spy on all emails going through the compromised mail server, and it can modify or block any email going through the compromised mail server.
Also, the backdoor can block emails, modify their body, recipient, and subject, created a new email, replace attachments, and re-create and re-send the email from the Exchange server to bypass the spam filter.
The Complete list of Indicators of Compromise (IoCs) and malware samples are provided by ESET on GitHub page.