Researchers have uncovered what they say is the very first malware to achieve persistence in Microsoft Exchange email servers, which allows attackers to secretly execute commands via malicious emails featuring attachments with hidden code.
Dubbed LightNeuron, the furtive backdoor has been targeting Exchange servers since at least 2014, according to a blog post from ESET, whose researchers have provisionally linked the threat to the Russian cyber espionage group Turla. ESET discovered the backdoor on three victims: an unidentified Brazilian organization, a Ministry of Foreign Affairs in Eastern Europe and a regional diplomatic organization in the Middle East.
In addition to the confirmed Windows-based version, ESET believes there may be a Linux variant in use as well, based on artifacts turned up during its investigation.
The key to LightNeuron’s persistence technique is its ability to leverage “transport agents,” which according to Microsoft are tools that let users install custom software on Exchange servers and then process email messages that pass through the transport pipeline. These Transport Agents are granted the same level of trust as spam filters and other security products, ESET explains, which makes a successful infection all the more dangerous and hard to detect.
Using XML-based rules, a LightNeuron Transport Agent can interfere with a victim’s emails in a variety of ways — blocking them; composing and sending new ones; modifying their content, subjects and recipients; replacing attachments and more.
But the attackers’ can do much more than alter emails. They can also send commands via the compromised Exchange program, enabling them to write executables, launch executables and processes, delete or exfiltrate sensitive files and essentially control local machines via its command-and-control infrastructure.
To achieve this, the attackers simply send an email with a specially crafted PDF document or JPG image to any email address belonging to the infected organization. The commands inside these attached documents are hidden using steganography techniques.
“Once an email is recognized as a command email, the command is executed and the email is blocked directly on the Exchange server. Thus, it is very stealthy and the original recipient will not be able to view it,” states the blog post, authored by ESET researcher Matthieu Faou. Faou also penned an accompanying white paper that further details the threat.
Even when organizations are fortunate enough to detect LightNeuron in their systems, they will soon learn that remediating the situation is no easy feat either. “Simply removing the two malicious files will break Microsoft Exchange, preventing everybody in the organization from sending and receiving emails,” writes Faou. “Before actually removing the files, the malicious Transport Agent should be disabled.”
ESET assesses with “medium confidence” that Turla is behind LightNeuron, basing its conclusions on a series of artifacts that researchers observed during their investigation work, including malware, a script file name, and a packer and an abused email service all previously associated with past Turla activity. Moreover, the LightNeuron operators’ busiest hours of activity typically take place during the typical 9-to-5 workday hours of European Russia.
If LightNeuron is, in fact, a Turla creation, then it is “the most advanced known malware in Turla’s arsenal,” ESET notes.