LightNeuron, a backdoor specifically designed to target Microsoft Exchange mail servers, has flown under the radar since at least 2014, despite being the malware linchpin at the center of several targeted campaigns.
A fresh analysis of the recently uncovered code shows that it’s the first publicly known malware to use a malicious Microsoft Exchange Transport Agent – but the extraordinarily clever way that LightNeuron conceals itself is the most notable aspect of the report.
LightNeuron (likely designed by the Turla APT group) was spotted by ESET researchers in recent campaigns against diplomatic organizations in Eastern Europe (October 2018) and the Middle East (a regional diplomatic office in 2017). The firm’s analysis shows that LightNeuron can spy on, modify or block all emails going through a compromised mail server; and can execute commands sent by email while acting as a full-featured backdoor for remote code-execution.
“LightNeuron is a very powerful piece of malware,” according to a report this week from ESET. “It can spy on all the emails of the compromised organization but also execute commands, for example, to control other machines on the local network. This makes it a main hub in the breached network for Turla operators.”
Even so, no one picked up on its presence, thanks to techniques like hiding commands in specially crafted PDF or JPG email attachments using steganography; this makes its communications hard to detect at the network level, because it does not use standard HTTP(S), researchers said.
Kaspersky Lab first mentioned LightNeuron last July in its Q2 2018 APT report, though details were scant.
“One of the most interesting attacks we detected was an implant from Turla (attributed to this actor with medium confidence) that we call LightNeuron,” Kaspersky Lab researchers said at the time. “This new artifact directly targets Exchange Servers and uses legitimate standard calls to intercept emails, exfiltrate data and even send mails on behalf of the victims.”
They added that they believed Turla had been using the technique as early as 2014, and that victims of the implant at the time were mainly in the Middle East and Central Asia.
Crucially, according to Kaspersky Lab, LightNeuron’s use may not be restricted to Microsoft Exchange: “there is a version affecting Unix servers running Postfix and Sendmail,” researchers said.
A Malware Built for Stealth
According to ESET, a compromise in 2018 of an Eastern European Ministry of Foreign Affairs is in line with typical Turla activity – their strikes tend to be highly targeted and relatively rare, if effective. As such, using a suite of malware that’s built to fly under the radar screen is fairly routine. LightNeuron however brings something extra to the mix in that regard, researchers said.
“While rootkits and bootkits have an unmatched stealthiness in the malware domain, LightNeuron is uncommonly stealthy for ‘regular’ malware,” ESET researchers said. “To our knowledge, leveraging a Microsoft Exchange Transport Agent for persistence is something unique and never before seen.”
Further, in the campaigns that ESET studied, LightNeuron was running with system privileges.
“It is typically hard to gain this level of privilege on a Microsoft Exchange server, as it is one of the most critical assets in an organization,” according to ESET. “Thus, once compromised, it is likely that it will stay undetected for months or years.”
Meanwhile, it communicates with the C2 over email, using steganography (the practice of encoding information in images) to store data in PDF and JPG attachments – this makes it virtually “undetectable,” according to the report.
And, “given that in the Microsoft Exchange architecture the malware is installed at the same level as anti-spam and other email security solutions, it allows the malware to bypass them easily,” the researchers explained.
All of this is why LightNeuron has managed to evade researcher attention for at least four years, despite being seen in campaigns stretching back to 2014.
Malicious Transport Agents
Aside from its stealth, the another notable aspect about LightNeuron is its use of malicious transport agents in order to subvert Microsoft Exchange functions to its own purposes.
Transport agents are used to process and modify all email messages going through a mail server, and they allow Exchange to be extensible. The agents can be created by Microsoft, third-party vendors or by a user organization.
“They have many legitimate purposes, such as filtering spam, filtering malicious emails/attachments and adding a corporate signature at the end of every email,” ESET researchers explained. “The typical events handled by a transport agent occur when the mail server sends or receives an email. Before the event is actually executed, the transport agents are called and have the possibility to modify or block the email.”
LightNeuron injects malicious transport agents into this flow. To do so, attackers would drop a transport agent executable in the Exchange folder located in the Program Files folder (something that requires prior network access and administrative privileges).
“Then, they execute the script to register the DLL as a transport agent,” ESET said. “This second step is required before the malware starts receiving events from Exchange.”
From there, LightNeuron essentially becomes a man-in-the-middle agent, able to intercept, modify and create Exchange emails and events; and, it can fetch and execute additional malware for further network infiltration, which makes the attacks that much more damaging.
That has been the case in all observed compromises so far. For instance, in the latest attack, the infestation allowed attackers to control other machines on the local network using emails sent to the Exchange server.
“During the course of our investigation, we noticed alongside LightNeuron the presence of several tools used to control other machines on the local network,” the researchers said. “These tools include Remote Administration Software, RPCbased malware or .NET web shells targeting Outlook Web Access.”
Here too, the operators took pains to be stealthy. “This strategy allows avoiding typical, noisy methods such as an HTTP-based C2 protocol or connection via RDP from outside the compromised network,” according to ESET.
To help minimize any damage in the event of a successful compromise, ESET advises that enterprises should use dedicated accounts for the administration of Exchange servers with strong, unique passwords and, if possible, 2FA; monitor closely the usage of these accounts; and restrict PowerShell execution. They should also regularly check that all the installed transport agents are signed by a trusted provider.
Russian-speaking Turla (a.k.a. Snake, Venomous Bear, Waterbug and Uroboros) is an APT best-known for deploying a complex rootkit called Snake, traditionally focused on NATO-related targets. It’s known for spy campaigns targeting Western European governments as well as embassies and consulates in post-Soviet states. However, it was also fingered for a breach of the U.S. Department of Defense in 2008 and has been seen striking in the Middle East and Asia.
According to previous research from Kaspersky Lab, it’s been active since at least 2014 (and possibly earlier), developing a range of custom backdoors to carry out its work. It also continually evolves both in terms of malware and targets.
“Turla is highly capable, well-resourced and they go back for years,” explained Kurt Baumgartner, a researcher with Kaspersky Lab’s threat research team, speaking at Virus Bulletin last fall. “Turla is so large, and they have many, many different things going on at once. And if you look at other research, it’s also clearly bigger than just our visibility into it.”
Kaspersky Lab last summer attributed LightNeuron to Turla with “medium confidence.” In further analysis, ESET researchers said that several aspects back up this conclusion.
For instance, for each LightNeuron attack, the analysts found several other instances of other Turla malware on the same network.
“To perform [their] operations, Turla’s operators own a large arsenal of malware including a rootkit, several complex backdoors (with a notable one for Microsoft Outlook), and a large range of tools to pivot on a network,” according to ESET.
On one compromised Exchange server, a PowerShell script containing malware previously attributed to Turla was dropped 44 minutes before a PowerShell script used to install LightNeuron, with both scripts located in C:\windows\system32. Similarly, on another compromised server, a sample of the IntelliAdmin Remote Administration Tool, packed with a packer used only by Turla, was dropped by LightNeuron.
Further, the script used to install LightNeuron has a filename msinp.ps1, “that looks like typical filenames used by Turla,” ESET noted.
“LightNeuron is another example that Turla operators have a large set of sophisticated, custom malware at their disposal,” concluded ESET researchers. “To our knowledge, this is the first time a malicious actor has leveraged a Microsoft Exchange Transport Agent to enable persistence on a mail server. This technique is very interesting as it allows them to receive commands and exfiltrate data without any filtering.”