ESET says it has identified a sophisticated bit of malware dubbed LightNeuron that creates a backdoor in Microsoft Exchange mail servers by working as a mail transfer agent (MTA), letting its operators spy on and manipulate emails going through the compromised server – and worse.
The malware, hard to detect at the network level, is the first that has been identified using a Microsoft Exchange transport agent, ESET said. (Transport agents let you install custom software on an Exchange server.)
“To our knowledge, this is the first time a malicious actor has leveraged a Microsoft Exchange Transport Agent to enable persistence on a mail server,” the company said, adding that the sophisticated tool appears to have been in use since 2014.
“This technique is very interesting as it allows them to receive commands and exfiltrate data without any filtering,” the Slovakia-based company added, warning that getting rid of the malware requires a careful clean of the affected system.
(Details on how to do so, Indicators of Compromise and a detailed analysis of how it works are available in a whitepaper it published today.)
“Simply removing the [two malicious] files will break Microsoft Exchange… Note to other AV vendors: before adding a detection for the Transport Agent files, be aware that doing so without a proper cleaning routine will render your infected customer’s exchange servers inoperable, so proceed with caution.”
ESET has already identified three different victim organisations, including diplomatic entities in the Middle East and Eastern Europe, with a possible victim in Brazil, and believes that LightNeuron is the work of the group Turla, also known as Snake.
In the cases it studied, LightNeuron was running with full SYSTEM privileges, it added, showing the extent of the compromise.
The malware comprises two main components: a transport agent, registered in the Microsoft Exchange configuration, and a companion 64-bit Dynamic Link Library (DLL) developed in C that contains most of the malicious code. This exports three functions:
- FL (aka ForLoading): return 777
- BLE (aka BinaryLogEx): Log input data in a log file
- SV (aka SimpleValidate): Process an email
“During the course of our investigation, we noticed alongside LightNeuron the presence of several tools used to control other machines on the local network. These tools include Remote Administration Software, RPC-based malware or .NET web shells targeting Outlook Web Access. By leveraging them, attackers are able to control other machines on the local network using emails sent to the Exchange server. This strategy allows avoiding typical, noisy methods such as an HTTP-based C&C protocol or connection via RDP from outside the compromised network,” ESET added.
“Due to security improvements in operating systems, kernel rootkits, the holy grail of espionage malware, often quickly fade away from the attackers’ arsenal. However, the attackers’ need persists for tools that can live in the target system, hunt for valuable documents and siphon them off, all without generating any suspicion. LightNeuron emerged as Turla’s solution,” concludes Faou.
The company urged the use of dedicated accounts for the administration of Exchange servers, with strong, unique passwords and, if possible, 2FA. It said admins should closely monitor the usage of such accounts, restrict PowerShell execution and regularly check that all the installed Transport Agents are signed by a trusted provider.
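One way to carry out the last of those checks, as an added example that is not taken from ESET's whitepaper: it reads the assembly path that `Get-TransportAgent` reports for each agent and verifies the file's Authenticode signature. The function name `Test-TransportAgentSignature` and the `$TrustedSigners` allowlist are assumptions made for this example; set the allowlist to the publishers you actually trust.

```powershell
# Added example: audit the signatures of installed Exchange transport agents.
# Run in the Exchange Management Shell on the server being checked.
function Test-TransportAgentSignature {
    param(
        [Parameter(Mandatory)] [object[]] $Agent,
        # Assumption: wildcard patterns matched against the signer subject.
        # Pinning certificate thumbprints is stricter than matching on subject.
        [string[]] $TrustedSigners = @('CN=Microsoft Corporation,*')
    )
    foreach ($a in $Agent) {
        $path   = $a.AssemblyPath
        $status = 'FileMissing'   # registered agent whose DLL is not on disk
        $signer = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $status = [string]$sig.Status   # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        # Trusted only if the signature validates AND the signer is allowlisted.
        $trusted = $false
        if ($status -eq 'Valid' -and $signer) {
            foreach ($p in $TrustedSigners) {
                if ($signer -like $p) { $trusted = $true }
            }
        }
        [pscustomobject]@{
            Identity        = [string]$a.Identity
            Enabled         = $a.Enabled
            Priority        = $a.Priority
            AssemblyPath    = $path
            SignatureStatus = $status
            Signer          = $signer
            Trusted         = $trusted
        }
    }
}

# List every registered agent that is unsigned, invalidly signed,
# signed by a publisher outside the allowlist, or missing on disk.
$report = Test-TransportAgentSignature -Agent (Get-TransportAgent)
$report | Where-Object { -not $_.Trusted } | Format-List
```

An agent flagged here is a lead to investigate, not a file to delete: as ESET's warning above notes, removing the transport agent files without a proper cleaning routine breaks Exchange.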
John Durant, CTO of security firm Kaseya, told Computer Business Review: “This vulnerability requires administrative privileges in order to modify files and configurations, all activities that are detectable—if you know what you are looking for and are diligently monitoring your servers and email content.”
“For small businesses, many of whom use Microsoft Exchange, these types of attacks require skills, tools, and staff that are hard to manage on their own. Tapping into the IT expertise of managed service providers (MSPs) allows them to put up a better defense and respond or recover more quickly if problems arise.”