Security Market Segment LS
Wednesday, 08 May 2019 10:37

New backdoor targets Microsoft Exchange mail servers Featured

New backdoor targets Microsoft Exchange mail servers Image by Gerd Altmann from Pixabay

Researchers at Slovakian security outfit ESET say they have found a sophisticated backdoor used by the well-known group Turla, which has also been called Snake.

ESET's Matthieu Faou said in a blog post that the backdoor, which had been given the name LightNeuron, had been aimed at one target since 2014 - Microsoft Exchange mail servers.

Faou said that code artefacts in the Windows version had led to the belief that a UNIX version of LightNeuron also existed.

There were references to mail transport agents such as Sendmail and Postfix within the code which led to this belief; Sendmail and Postfix are popular mail transport agents on UNIX platforms, including Linux.

"These Unix artefacts in the Windows malware could be explained by the possible sharing of code between Windows and Unix implementations," Faou said. "Hence, the presence of these strings suggests LightNeuron exists for Linux. That would not be surprising, given that many organisations have Linux mail servers."

Three different victims had been identified - an unknown organisation in Brazil, the ministry of foreign affairs in an Eastern European country and a regional diplomatic organisation in the Middle East.


The LightNeuron Transport Agent. Graphic courtesy ESET

Observations that led ESET to conclude that Turla was probably behind LightNeuron were:

  • On one compromised Exchange server:
    • a PowerShell script containing malware previously attributed to Turla was dropped 44 minutes before a PowerShell script used to install LightNeuron, and both scripts were located in C:\windows\system32.
    • The script used to install LightNeuron has a filename – msinp.ps1 – that looks like typical filenames used by Turla.
  • On another compromised server, IntelliAdmin – a remote administration tool, packed with a packer used only by Turla – was dropped by LightNeuron.
  • For each LightNeuron attack, there were several other instances of Turla malware on the same network.
  • The email address used by the attackers was registered at GMX and was impersonating an employee of the targeted organisation. The same provider was used for the Outlook backdoor and for an undocumented PowerShell backdoor named PowerStallion by ESET.

ESET said LightNeuron was the first malware specifically targeting Microsoft Exchange mail servers. "It uses a persistence technique never before seen: a Transport Agent. In the mail server architecture, it operates at the same level of trust as security products such as spam filters," Faou said.

The malware was able to use the transport agent to read and modify every email passing through the server, compose and send emails, and block any email.

ESET said LightNeuron used steganography to hide its commands inside a PDF document or a JPG image.

"Over the past years, we have published numerous blog posts and white papers detailing the activities of the Turla group, including man-in-the-middle attacks against or sophisticated userland malware," Faou said.

"However, for now it seems that LightNeuron has taken up the mantle of the most advanced known malware in Turla’s arsenal.

"By leveraging a previously unseen persistence mechanism, a Microsoft Exchange Transport Agent, LightNeuron allows its operators to stay under the radar for months or years. It allows them to exfiltrate sensitive documents and control other local machines via a C&C mechanism that is very hard to detect and block."

The company has a detailed white paper on LightNeuron here which can be downloaded free.


26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments