ESET's Matthieu Faou said in a blog post that the backdoor, which had been given the name LightNeuron, had been aimed at one target since 2014 - Microsoft Exchange mail servers.
Faou said that code artefacts in the Windows version had led to the belief that a UNIX version of LightNeuron also existed.
There were references to mail transport agents such as Sendmail and Postfix within the code which led to this belief; Sendmail and Postfix are popular mail transport agents on UNIX platforms, including Linux.
Three different victims had been identified - an unknown organisation in Brazil, the ministry of foreign affairs in an Eastern European country and a regional diplomatic organisation in the Middle East.
The LightNeuron Transport Agent. Graphic courtesy ESET
Observations that led ESET to conclude that Turla was probably behind LightNeuron were:
- On one compromised Exchange server:
- a PowerShell script containing malware previously attributed to Turla was dropped 44 minutes before a PowerShell script used to install LightNeuron, and both scripts were located in C:\windows\system32.
- The script used to install LightNeuron has a filename – msinp.ps1 – that looks like typical filenames used by Turla.
- On another compromised server, IntelliAdmin – a remote administration tool, packed with a packer used only by Turla – was dropped by LightNeuron.
- For each LightNeuron attack, there were several other instances of Turla malware on the same network.
- The email address used by the attackers was registered at GMX and was impersonating an employee of the targeted organisation. The same provider was used for the Outlook backdoor and for an undocumented PowerShell backdoor named PowerStallion by ESET.
ESET said LightNeuron was the first malware specifically targeting Microsoft Exchange mail servers. "It uses a persistence technique never before seen: a Transport Agent. In the mail server architecture, it operates at the same level of trust as security products such as spam filters," Faou said.
The malware was able to use the transport agent to read and modify every email passing through the server, compose and send emails, and block any email.
ESET said LightNeuron used steganography to hide its commands inside a PDF document or a JPG image.
"Over the past years, we have published numerous blog posts and white papers detailing the activities of the Turla group, including man-in-the-middle attacks against adobe.com or sophisticated userland malware," Faou said.
"However, for now it seems that LightNeuron has taken up the mantle of the most advanced known malware in Turla’s arsenal.
"By leveraging a previously unseen persistence mechanism, a Microsoft Exchange Transport Agent, LightNeuron allows its operators to stay under the radar for months or years. It allows them to exfiltrate sensitive documents and control other local machines via a C&C mechanism that is very hard to detect and block."
The company has a detailed white paper on LightNeuron here which can be downloaded free.