What is the threat?
A group of security researchers disclosed a backdoor called LightNeuron on May 7th, 2019. This backdoor specifically targets Microsoft Exchange servers and is one of the first known malware families to obtain complete control over all the email that passes through a compromised Exchange server. It is installed by a PowerShell script; once the server is compromised, the malicious actors can read or modify any email passing through it, compose and send new emails from the victims' accounts, and block any email from being delivered to its destination. The malware can do all of this because it is implemented as a malicious Transport Agent, which "operates at the same level of trust as security products such as spam filters". Because it runs with that level of trust, it can bypass the spam filters that might otherwise have blocked its email.
Why is this noteworthy?
LightNeuron is used by an infamous Russian hacking group called Turla. Turla has been targeting email servers with this backdoor since 2014, and its primary focus is high-profile targets such as governments and diplomatic entities. LightNeuron can go undetected for an extended period because its command-and-control channel is email itself: the commands are hidden in PDF or JPG attachments. If the backdoor recognizes an incoming email as a command email, it executes the command and blocks the email directly on the Exchange server, so the message never reaches a mailbox. The malicious actors never connect to the server directly; instead they send emails carrying these commands, which lets them keep control of the server for months or even years.
What is the exposure or risk?
LightNeuron uses steganography, the practice of concealing data inside an otherwise ordinary-looking file. The attackers hide their commands inside the attached PDF or JPG files. A command can be located anywhere in the document, and the operators add a header at the beginning of the attachment that states exactly where the command is hidden. Once located, the command is interpreted by the backdoor and executed. This makes an attack attempt by LightNeuron extremely difficult to detect. Once the server is infected and compromised, removing the backdoor is also complex. Merely removing the malicious emails will break the Microsoft Exchange server, which prevents everybody on the network from sending and receiving email. Before removing the email, the malicious Transport Agent should be disabled, and only then should the infected files be deleted.
What are the recommendations?
SKOUT's recommendations can help prevent your Microsoft Exchange server from being compromised, or detect a compromise as soon as the server is infected. We recommend using dedicated accounts for the administration of Exchange servers, protected by robust and unique passwords. Also, monitor the usage of these administrative accounts closely, restrict PowerShell script execution (which prevents LightNeuron from being installed), and regularly check that every current Transport Agent is signed by a trusted source.
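One way to run the last of those checks, as an added example that is not part of SKOUT's advisory: this script enumerates the server's transport agents from the Exchange Management Shell and reports any whose assembly lacks a valid Authenticode signature from an expected publisher. It assumes the objects returned by Get-TransportAgent expose an AssemblyPath property, and that the trusted-publisher list is adjusted to the environment (Microsoft plus any anti-spam or AV vendor you deliberately installed).

```powershell
# Added example: audit Exchange Transport Agents for unsigned or untrusted assemblies.
# Run in the Exchange Management Shell, where Get-TransportAgent is available.
# Constructed list of expected publishers; extend it for your own environment.
$TrustedSigners = @('Microsoft Corporation')

$findings = foreach ($agent in Get-TransportAgent) {
    $path   = $agent.AssemblyPath
    $status = 'Unknown'
    $signer = ''
    if (-not $path -or -not (Test-Path -LiteralPath $path)) {
        $status = 'AssemblyMissing'
    } else {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = $sig.Status.ToString()     # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) {
            # Subject is a DN such as "CN=Microsoft Corporation, O=Microsoft Corporation, ..."
            $signer = $sig.SignerCertificate.Subject
        }
    }
    # An agent is trusted only if the signature verifies AND the signer is on our list.
    $trusted = $false
    foreach ($name in $TrustedSigners) {
        if ($status -eq 'Valid' -and $signer -like "*O=$name*") { $trusted = $true }
    }
    [pscustomobject]@{
        Agent     = $agent.Identity
        Enabled   = $agent.Enabled
        Priority  = $agent.Priority
        Assembly  = $path
        Signature = $status
        Signer    = $signer
        Suspect   = -not $trusted
    }
}

$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize

# Escalate anything that is enabled and not signed by a trusted publisher.
$suspect = @($findings | Where-Object { $_.Suspect -and $_.Enabled })
if ($suspect.Count -gt 0) {
    Write-Warning "$($suspect.Count) enabled transport agent(s) are not signed by a trusted publisher:"
    $suspect | ForEach-Object { Write-Warning "  $($_.Agent) -> $($_.Assembly) [$($_.Signature)]" }
    # Investigate before acting: disabling an agent (Disable-TransportAgent) and
    # restarting the transport service affects mail flow for the whole server.
}
```

Schedule the audit and keep its output, so a newly registered agent or a changed assembly shows up as a diff against the previous run rather than being noticed only after a compromise.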
For more analysis of this backdoor and indicators of compromise, please visit the following link:
If you have any questions, please contact our Security Operations Center.