Russian cyberspies are using one hell of a clever Microsoft Exchange backdoor

Turla APT found exploiting LightNeuron backdoor, a first of its kind targeting Microsoft Exchange email servers.
Written by Catalin Cimpanu, Contributor

A Russian cyber-espionage group has developed and has been using one of the most complex backdoors ever spotted on an email server, according to new research published today by cyber-security firm ESET.

The backdoor, named LightNeuron, was specifically designed for Microsoft Exchange email servers and works as a mail transfer agent (MTA), an approach that no other backdoor has ever taken.

"To our knowledge, this is the first malware specifically targeting Microsoft Exchange," ESET Malware Researcher Matthieu Faou told ZDNet via email.

"Turla targeted email servers in the past using a malware called Neuron (a.k.a. DarkNeuron) but it was not specifically designed to interact with Microsoft Exchange.

"Some other APTs use traditional backdoors to monitor mail servers' activity. However, LightNeuron is the first one to be directly integrated into the working flow of Microsoft Exchange," Faou told us.

Because of the deep level at which the backdoor works, LightNeuron gives the hackers full control over everything that passes through an infected email server, with the ability to intercept, redirect, or edit the content of incoming or outgoing emails.

LightNeuron developed by Turla group

This makes LightNeuron one of the most powerful tools of its kind, and a tool fit to be in the arsenal of Turla, one of the world's most advanced nation-state hacking units.

The Turla APT (advanced persistent threat) is infamous for past operations that seem to be pulled out of Hollywood movies. The group has been known to hijack and use telecommunications satellites to deliver malware to remote areas of the globe, has developed malware that hid its control mechanism inside comments posted on Britney Spears' Instagram photos, and has hijacked the infrastructure of entire ISPs to redirect users to malware.

In a report released today, ESET says that Turla has been using LightNeuron for almost five years, since 2014, and that going undetected for so long is itself a sign of the tool's advanced capabilities.

To be fair, the first mention of LightNeuron was in a Kaspersky Lab report on the APT Trends of Q2 2018. However, Kaspersky only described the tool in brief. The ESET report released today shines more light on the tool's unique capabilities that make it stand out from all other backdoors deployed on email servers up until now.

Researchers warn that LightNeuron is currently being used in live attacks and that Turla also appears to have created a UNIX port, which ESET has not yet been able to find.

The Slovak cyber-security firm said it detected three victim organizations infected with Turla's LightNeuron backdoor. The company did not name the victims, but provided general descriptions:

- Unknown organization in Brazil
- Ministry of Foreign Affairs in Eastern Europe
- Regional diplomatic organization in the Middle East

A clever way of controlling LightNeuron

According to researchers, the thing that made LightNeuron stand out, besides being the first backdoor for Microsoft Exchange servers, was its command-and-control mechanism.

Once a Microsoft Exchange server is infected and modified with the LightNeuron backdoor, hackers never connect to it directly. Instead, they send emails with PDF or JPG attachments.

Using steganography, Turla operators hide commands inside PDF documents and JPG images, which the backdoor reads and then executes.

Per ESET, LightNeuron is capable of reading and modifying any email going through the Exchange server, composing and sending new emails, and blocking a user from receiving certain emails.

Furthermore, victim organizations will have a hard time detecting any interactions between Turla operators and their backdoor, mainly because the commands are hidden inside the PDF or JPG file data and the incoming emails can be disguised as ordinary spam.

In addition, if anyone doubted that LightNeuron was the work of Russian hackers, ESET researchers said that in the cases they investigated, Turla operators sent commands to backdoored servers only during a typical 9-to-5 workday in the UTC+3 (Moscow) time zone, and paused all operations between December 28, 2018, and January 14, the typical Christmas and New Year holidays for Eastern Orthodox Christians, Russia's main religion.

LightNeuron working hours
Image: ESET

Because LightNeuron works at the deepest levels of a Microsoft Exchange server, removing this backdoor is quite problematic.

ESET released a white paper today with detailed removal instructions.
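A first check a defender can run, added here as an example and not taken from ESET's white paper: list the transport agents registered in Exchange and flag any whose assembly is loaded from outside the Exchange installation directory. It assumes, as the article describes, that the backdoor hooks itself into Exchange's own mail flow rather than running as a separate process, and it relies on the `ExchangeInstallPath` environment variable that Exchange setup defines.

```powershell
# Added example (not from the article or ESET's white paper): enumerate Exchange
# transport agents and flag any whose assembly does not live under the Exchange
# installation tree. Run from the Exchange Management Shell on the server.
# Assumption: a backdoor that "works as a mail transfer agent" inside Exchange
# appears as a registered transport agent backed by its own DLL.

$exchangeRoot = $env:ExchangeInstallPath   # set by Exchange setup, e.g. C:\Program Files\Microsoft\Exchange Server\V15\
if (-not $exchangeRoot) {
    throw "ExchangeInstallPath is not set; run this from the Exchange Management Shell."
}

Get-TransportAgent | ForEach-Object {
    $agent  = $_
    $path   = [string]$agent.AssemblyPath
    # Built-in agents ship inside the Exchange install directory; anything else deserves review.
    $inTree = $path -and $path.Trim().StartsWith($exchangeRoot, [System.StringComparison]::OrdinalIgnoreCase)

    [pscustomobject]@{
        Identity     = $agent.Identity
        Enabled      = $agent.Enabled
        Priority     = $agent.Priority
        AssemblyPath = $path
        Suspicious   = -not $inTree
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Agents marked `Suspicious` are not proof of compromise, only the starting point for comparing the DLL's hash and signature against what Exchange shipped.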
