Turla APT Uses LightNeuron Backdoor to Subdue Microsoft Exchange Servers

Delaware, USA – May 10, 2019 – Turla APT installs LightNeuron backdoor on MS Exchange servers at least from 2014. The uncovered malware acts as a mail transfer agent allowing adversaries to completely control traffic on the infected server including email interception, as well as sending, forwarding, blocking and editing correspondence. The ESET research confirms that it is one of the most powerful specialized tools in the hands of the APT group. LightNeuron has been used in at least three operations against organizations in Brazil, in the Middle East and in Europe. One of the key features of the backdoor is the mechanism for receiving instructions from the command-and-control infrastructure: attackers use steganography to hide commands in JPG and PDF files that are attached to spammy emails. Such emails are often blocked by spam filters and do not attract the attention of the recipient or the security team, while LightNeuron receives the necessary instructions.

Microsoft Exchange servers are an attractive target for APT groups and in the arsenal of many groups there is malware to attack them, but this is the first backdoor that is fully integrated into the workflow and works at the deepest levels of a Microsoft Exchange server. Turla APT has been operating since 2008 and is one of the most advanced threat actors. LightNeuron is not their first tool to use crafted emails to communicate with C&C infrastructure. Last year, researchers discovered Outlook backdoor that abuses Messaging Application Programming Interface to totally control the victim’s inboxes. You can learn more about the other tactics and techniques used by this group, as well as the means to detect them, in the Threat Detection Marketplace in Mitre ATT&CK section: https://tdm.socprime.com/att-ck/