May 7, 2019, updated 08 Jul 2022 7:06am

ESET Identifies Unique Malware that Generates Microsoft Exchange Backdoor

"Simply removing the malicious files will break Microsoft Exchange"

By CBR Staff Writer

ESET says it has identified a sophisticated piece of malware dubbed LightNeuron that creates a backdoor in Microsoft Exchange mail servers by working as a mail transfer agent (MTA), letting its operators spy on and manipulate emails going through the compromised server – and worse.

The malware, which is hard to detect at the network level, is the first that has been identified using a Microsoft Exchange transport agent, ESET said. (Transport agents let you install custom software on an Exchange server.)

“To our knowledge, this is the first time a malicious actor has leveraged a Microsoft Exchange Transport Agent to enable persistence on a mail server,” the company said, adding that the sophisticated tool appears to have been in use since 2014.

“This technique is very interesting as it allows them to receive commands and exfiltrate data without any filtering,” the Slovakia-based company added, warning that getting rid of the malware requires a careful clean of the affected system.

(Details on how to do so, Indicators of Compromise and a detailed analysis of how it works are available in a whitepaper it published today.)

“Simply removing the [two malicious] files will break Microsoft Exchange… Note to other AV vendors: before adding a detection for the Transport Agent files, be aware that doing so without a proper cleaning routine will render your infected customer’s exchange servers inoperable, so proceed with caution.”

ESET has already identified three different victim organisations, including diplomatic entities in the Middle East and Eastern Europe, with a possible victim in Brazil, and believes that LightNeuron is the work of the group Turla, also known as Snake.

In the cases it studied, LightNeuron was running with full SYSTEM privileges, it added, showing the extent of the compromise.

The malware comprises two main components: a transport agent, registered in the Microsoft Exchange configuration, and a companion 64-bit Dynamic Link Library (DLL) developed in C that contains most of the malicious code. This exports three functions:

  • FL (aka ForLoading): return 777
  • BLE (aka BinaryLogEx): Log input data in a log file
  • SV (aka SimpleValidate): Process an email

“During the course of our investigation, we noticed alongside LightNeuron the presence of several tools used to control other machines on the local network. These tools include Remote Administration Software, RPC-based malware or .NET web shells targeting Outlook Web Access. By leveraging them, attackers are able to control other machines on the local network using emails sent to the Exchange server. This strategy allows avoiding typical, noisy methods such as an HTTP-based C&C protocol or connection via RDP from outside the compromised network,” ESET added.

“Due to security improvements in operating systems, kernel rootkits, the holy grail of espionage malware, often quickly fade away from the attackers’ arsenal. However, the attackers’ need persists for tools that can live in the target system, hunt for valuable documents and siphon them off, all without generating any suspicion. LightNeuron emerged as Turla’s solution,” concludes Faou.

The company urged the use of dedicated accounts for the administration of Exchange servers with strong, unique passwords and, if possible, 2FA, saying admins should closely monitor the usage of such accounts, restrict PowerShell execution and regularly check that all the installed Transport Agents are signed by a trusted provider.
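The last of those checks can be scripted in the Exchange Management Shell. The following is an added example, not code from ESET or from the original article; the function name `Test-TransportAgentSignature` and the contents of `$TrustedPublishers` are assumptions to adapt to your environment.

```powershell
# Added example: audit the Authenticode signature of every registered transport agent.
# Run in the Exchange Management Shell on the mail server.
# Assumption: $TrustedPublishers lists the signer names your organisation accepts.
$TrustedPublishers = @('Microsoft Corporation')

function Test-TransportAgentSignature {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Agent,
        [string[]]$Trusted = $TrustedPublishers
    )
    process {
        $path   = $Agent.AssemblyPath
        $status = 'FileMissing'   # registered agent whose assembly is not on disk
        $signer = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $status = [string]$sig.Status   # e.g. Valid, NotSigned, HashMismatch
            if ($sig.SignerCertificate) {
                # Simple-name form of the certificate subject
                $signer = $sig.SignerCertificate.GetNameInfo(
                    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
                    $false)
            }
        }
        [pscustomobject]@{
            Agent   = $Agent.Identity
            Enabled = $Agent.Enabled
            Status  = $status
            Signer  = $signer
            # Trusted only if the signature verifies AND the signer is on the allow-list
            Trusted = ($status -eq 'Valid' -and $Trusted -contains $signer)
            Path    = $path
        }
    }
}

# Untrusted agents sort first so they are the first rows an admin sees.
Get-TransportAgent | Test-TransportAgentSignature |
    Sort-Object Trusted |
    Format-Table Agent, Enabled, Status, Signer, Trusted, Path -AutoSize
```

Any row with `Trusted` set to `False` warrants investigation rather than immediate deletion, since, as ESET notes above, removing the agent files without a proper cleaning routine breaks Exchange.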

John Durant, CTO of security firm Kaseya, told Computer Business Review: “This vulnerability requires administrative privileges in order to modify files and configurations, all activities that are detectable—if you know what you are looking for and are diligently monitoring your servers and email content.”

“For small businesses, many of whom use Microsoft Exchange, these types of attacks require skills, tools, and staff that are hard to manage on their own. Tapping into the IT expertise of managed service providers (MSPs) allows them to put up a better defense and respond or recover more quickly if problems arise.”
