The investigation points a strong finger at Turla, a Russian hacking group suspected of having links to the Russian government. Infected networks also contained the Turla malware, and the samples featured similar filenames and reused PowerShell scripts and email addresses. Three victims were discovered, including a ministry of foreign affairs and a regional diplomatic organization, located in Brazil, Eastern Europe, and the Middle East.

The First of Its Kind

ESET believes this is the first malware that targets Exchange specifically and the only one to use a mail transfer agent. It integrates into Exchange's mail flow, acting as a transport agent to retain persistence while being able to block, modify, and send emails, and to execute commands. The command handler differs from the other handlers, which modify emails: it is a backdoor controlled by email. The commands are hidden in PDF or JPG attachments using steganography. “The attackers just have to send an email containing a specially crafted PDF document or JPG image to any email address of the compromised organization,” explained ESET. “It allows full control over the Exchange server by using the commands shown in Table 2.” From there, the attackers can write an executable, delete or exfiltrate files, execute processes and command lines, or disable the backdoor for a set amount of time. It is also difficult to remove without breaking Microsoft Exchange. “Over the past years, we have published numerous blogposts and white papers detailing the activities of the Turla group, including man-in-the-middle attacks against adobe.com or sophisticated userland malware,” said ESET. “However, for now it seems that LightNeuron has taken up the mantle of the most advanced known malware in Turla’s arsenal.”
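Because LightNeuron persists as an Exchange transport agent, the practical check for a defender is to inventory the agents registered on each transport service and triage any whose assembly lives outside the Exchange installation or is not Microsoft-signed. The script below is an added example, not code from ESET or from the article; it assumes it is run in the Exchange Management Shell on the Exchange server itself, where the ExchangeInstallPath environment variable is set.

```powershell
# Added example: audit registered Exchange transport agents for review.
# Assumption: runs in the Exchange Management Shell on the server, so
# Get-TransportAgent is available and $env:ExchangeInstallPath is set.

$exchangeRoot = $env:ExchangeInstallPath
if (-not $exchangeRoot) {
    throw "Run this from the Exchange Management Shell on an Exchange server."
}

# Transport services that can host agents on a Mailbox server.
$services = @('Hub', 'FrontEnd', 'MailboxSubmission', 'MailboxDelivery')

$findings = foreach ($svc in $services) {
    $agents = Get-TransportAgent -TransportService $svc -ErrorAction SilentlyContinue
    foreach ($agent in $agents) {
        $path = $agent.AssemblyPath

        # Built-in agents ship under the Exchange install directory.
        $insideExchange = $path -and
            $path.StartsWith($exchangeRoot, [StringComparison]::OrdinalIgnoreCase)

        # Built-in agents are Authenticode-signed by Microsoft; an unsigned or
        # third-party signed assembly is not proof of compromise, only a
        # reason to look closer (legitimate add-ons will show up here too).
        $sig = if ($path -and (Test-Path -LiteralPath $path)) {
            Get-AuthenticodeSignature -FilePath $path
        } else { $null }
        $microsoftSigned = $sig -and ($sig.Status -eq 'Valid') -and
            ($sig.SignerCertificate.Subject -like '*Microsoft*')

        [pscustomobject]@{
            Service      = $svc
            Agent        = $agent.Identity
            Enabled      = $agent.Enabled
            Factory      = $agent.TransportAgentFactory
            AssemblyPath = $path
            Signature    = if ($sig) { $sig.Status } else { 'NotFound' }
            Review       = -not ($insideExchange -and $microsoftSigned)
        }
    }
}

# Entries with Review = True come first; confirm each against change records.
$findings | Sort-Object Review -Descending | Format-Table -AutoSize
```

Agents flagged for review should be compared against the server's known deployment history; because the text notes the backdoor is hard to remove without breaking Exchange, treat removal as a planned recovery step rather than an ad-hoc Uninstall-TransportAgent call.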
