A Russian cyber-espionage group has developed and has been using one of the most complex backdoors ever spotted on an email server, according to new research published by cyber-security firm ESET.
The backdoor, named LightNeuron, was specifically designed for Microsoft Exchange email servers and works as a mail transfer agent (MTA) --an approach that no other backdoor has ever taken.
"To our knowledge, this is the first malware specifically targeting Microsoft Exchange," ESET Malware Researcher Matthieu Faou told ZDNet via email. ESET says that LightNeuron has been used for almost five years, since 2014, which again shows the tool's advanced capabilities, being able to avoid detection for so many years.
"Some other APTs use traditional backdoors to monitor mail servers' activity. However, LightNeuron is the first one to be directly integrated into the working flow of Microsoft Exchange," Faou told ZDNet.
Because of the deep level the backdoor works, LightNeuron allows hackers to have full control over everything that passes through an infected email server, having the ability to intercept, redirect, or edit the content of incoming or outgoing emails.
CLEVER WAY OF CONTROLLING LIGHTNEURON
According to researchers, the thing that made LightNeuron stand out, besides being the first backdoor for Microsoft Exchange servers, was its command-and-control mechanism.
Once a Microsoft Exchange server is infected and modified with the LightNeuron backdoor, hackers never connect to it directly. Instead, they send emails with PDF or JPG attachments.
Using the technique of steganography, Turla hackers hide commands inside PDF and JPG images, which the backdoor reads and then executes.
Per ESET, LightNeuron is capable of reading and modifying any email going through the Exchange server, composing and sending new emails, and blocking a user from receiving certain emails.
Furthermore, victim organizations will have a hard time detecting any interactions between Turla operators and their backdoor, mainly because the commands are hidden inside PDF/JPG code and the incoming emails could be disguised as banal spam.
Because LightNeuron works at the deepest levels of a Microsoft Exchange server, removing this backdoor is quite problematic. ESET released a white paper today with detailed removal instructions. Full story at ZDNet: