LightNeuron malware grants total control over email


By Dylan Bushell-Embling
Wednesday, 08 May, 2019

IT security software company ESET has discovered sophisticated new malware exploiting a backdoor in Microsoft Exchange that can grant its operator total control over a victim organisation’s email communication.

The LightNeuron malware can read, modify or block any email transiting through the mail server, and can compose and send new emails under the identity of legitimate users.

ESET said LightNeuron has been in active use targeting Microsoft Exchange mail servers since at least 2014 and has claimed at least three victim organisations, including the foreign department of an Eastern European country.

The company’s researchers have discovered evidence that strongly suggests LightNeuron was developed by the infamous hacking group Turla, which has been targeting foreign governments since at least 2008 and is suspected of being linked to the Russian government.

ESET malware researcher Matthieu Faou said LightNeuron is the first known malware to misuse the Microsoft Exchange Transport Agent mechanism.

“In the mail server architecture, LightNeuron can operate at the same level of trust as security products such as spam filters. As a result, this malware gives the attacker total control over the mail server, and thus, over all email communication,” he said.

“Due to security improvements in operating systems, kernel rootkits, the Holy Grail of espionage malware, often quickly fade away from the attackers’ arsenal. However, the attackers’ need persists for tools that can live in the target system, hunt for valuable documents and siphon them off, all without generating any suspicion. LightNeuron emerged as Turla’s solution.”

LightNeuron uses steganography to hide its commands inside valid PDF documents or JPG images in order to disguise incoming command and control emails. This makes the command and control mechanism very hard to detect and block.

Finally, LightNeuron is difficult to remove once it infects a target, as simply deleting the malicious files would break the email server.
