Security Market Segment LS
Wednesday, 08 May 2019 10:37

New backdoor targets Microsoft Exchange mail servers Featured

By
New backdoor targets Microsoft Exchange mail servers Image by Gerd Altmann from Pixabay

Researchers at Slovakian security outfit ESET say they have found a sophisticated backdoor used by the well-known group Turla, which has also been called Snake.

ESET's Matthieu Faou said in a blog post that the backdoor, which had been given the name LightNeuron, had been aimed at one target since 2014 - Microsoft Exchange mail servers.

Faou said that code artefacts in the Windows version had led to the belief that a UNIX version of LightNeuron also existed.

There were references to mail transport agents such as Sendmail and Postfix within the code which led to this belief; Sendmail and Postfix are popular mail transport agents on UNIX platforms, including Linux.

"These Unix artefacts in the Windows malware could be explained by the possible sharing of code between Windows and Unix implementations," Faou said. "Hence, the presence of these strings suggests LightNeuron exists for Linux. That would not be surprising, given that many organisations have Linux mail servers."

Three different victims had been identified - an unknown organisation in Brazil, the ministry of foreign affairs in an Eastern European country and a regional diplomatic organisation in the Middle East.

lightneuron

The LightNeuron Transport Agent. Graphic courtesy ESET

Observations that led ESET to conclude that Turla was probably behind LightNeuron were:

  • On one compromised Exchange server:
    • a PowerShell script containing malware previously attributed to Turla was dropped 44 minutes before a PowerShell script used to install LightNeuron, and both scripts were located in C:\windows\system32.
    • The script used to install LightNeuron has a filename – msinp.ps1 – that looks like typical filenames used by Turla.
  • On another compromised server, IntelliAdmin – a remote administration tool, packed with a packer used only by Turla – was dropped by LightNeuron.
  • For each LightNeuron attack, there were several other instances of Turla malware on the same network.
  • The email address used by the attackers was registered at GMX and was impersonating an employee of the targeted organisation. The same provider was used for the Outlook backdoor and for an undocumented PowerShell backdoor named PowerStallion by ESET.

ESET said LightNeuron was the first malware specifically targeting Microsoft Exchange mail servers. "It uses a persistence technique never before seen: a Transport Agent. In the mail server architecture, it operates at the same level of trust as security products such as spam filters," Faou said.

The malware was able to use the transport agent to read and modify every email passing through the server, compose and send emails, and block any email.

ESET said LightNeuron used steganography to hide its commands inside a PDF document or a JPG image.

"Over the past years, we have published numerous blog posts and white papers detailing the activities of the Turla group, including man-in-the-middle attacks against adobe.com or sophisticated userland malware," Faou said.

"However, for now it seems that LightNeuron has taken up the mantle of the most advanced known malware in Turla’s arsenal.

"By leveraging a previously unseen persistence mechanism, a Microsoft Exchange Transport Agent, LightNeuron allows its operators to stay under the radar for months or years. It allows them to exfiltrate sensitive documents and control other local machines via a C&C mechanism that is very hard to detect and block."

The company has a detailed white paper on LightNeuron here which can be downloaded free.

LEARN HOW TO REDUCE YOUR RISK OF A CYBER ATTACK

Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has high potential to be exposed to risk.

It only takes one awry email to expose an accounts payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 steps to improve your Business Cyber Security’ you will learn some simple steps you should be taking to prevent devastating malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you will learn:

· How does business security get breached?
· What can it cost to get it wrong?
· 6 actionable tips

DOWNLOAD NOW!

ADVERTISE ON ITWIRE NEWS SITE & NEWSLETTER

iTWire can help you promote your company, services, and products.

Get more LEADS & MORE SALES

Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]

OR CLICK HERE!

Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

VENDOR NEWS & EVENTS

REVIEWS

Recent Comments