Newly discovered malware takes complete control over e-mail

The malware’s name is LightNeuron. It can read, modify or block any e-mail that passes through the server, and it can even write new messages and send them under the identity of any legitimate user the attackers choose. The malware is remotely controlled through e-mail, using attached .PDF and .JPG files to carry its commands.


LightNeuron has been targeting Microsoft Exchange e-mail servers since at least 2014. ESET researchers have identified three different organizations that have fallen victim to it, including an Eastern European foreign affairs ministry and a Middle Eastern regional diplomatic organization.


LightNeuron is the first malware known to abuse Microsoft Exchange’s transport agent mechanism. “In the e-mail server’s architecture, LightNeuron can operate with the same level of trust as safety programs, such as spam filters. As a result, this malware gives attackers total control over the e-mail server and, therefore, all communication made via e-mail,” said Matthieu Faou, the ESET malware researcher in charge of the investigation.
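Because a transport agent runs inside the Exchange transport pipeline with the same trust as a spam filter, the first thing an administrator can do is inventory which agents are registered and where their assemblies are loaded from. The script below is an added example written for this article, not code from ESET or from the LightNeuron research; it uses the Exchange Management Shell cmdlet `Get-TransportAgent` and assumes that legitimate agents load from under the Exchange installation directory (`$env:ExchangeInstallPath`), which is a heuristic, not a rule from the page. It is read-only: it lists every agent, hashes its assembly, and flags any agent whose assembly lives outside the install directory for review.

```powershell
# Added example (not from the ESET report or this article): a read-only inventory of
# Exchange transport agents, run from the Exchange Management Shell on each transport server.
# Assumption: legitimate agents ship their assemblies from under the Exchange install
# directory ($env:ExchangeInstallPath); anything loaded from elsewhere deserves a closer look.

$installRoot = $env:ExchangeInstallPath
if (-not $installRoot) {
    throw "ExchangeInstallPath is not set; run this in the Exchange Management Shell on an Exchange server."
}
$installRoot = $installRoot.TrimEnd('\')

$report = Get-TransportAgent | ForEach-Object {
    $path    = $_.AssemblyPath
    $outside = $false
    if ($path) {
        # Case-insensitive prefix match against the Exchange install directory.
        $outside = -not $path.StartsWith($installRoot, [System.StringComparison]::OrdinalIgnoreCase)
    }

    # Hash the assembly so it can be compared against a known-good baseline or vendor IoCs.
    $hash = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }

    [PSCustomObject]@{
        Agent          = $_.Identity
        Enabled        = $_.Enabled
        Priority       = $_.Priority
        Factory        = $_.TransportAgentFactory
        AssemblyPath   = $path
        OutsideInstall = $outside
        SHA256         = $hash
    }
}

# Full inventory, ordered as the pipeline runs them (lower priority value runs first).
$report | Sort-Object Priority | Format-Table -AutoSize

# Agents that load from outside the install directory, or with no assembly path at all,
# are written out for review rather than acted on.
$report |
    Where-Object { $_.OutsideInstall -or -not $_.AssemblyPath } |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\transport-agents-review.csv"
```

Run it on every server that holds a transport role, including Edge Transport servers, since an agent registered on one server is invisible from another. Exchange ships several built-in agents, so an entry being unfamiliar is not by itself evidence; the useful signals are an unexpected assembly location, a hash that does not match the baseline taken from a known-clean server, and a factory name that does not correspond to any product the organization installed. If an agent is confirmed malicious, unregister it through the supported cmdlets (`Disable-TransportAgent`, then `Uninstall-TransportAgent`) following the vendor’s and ESET’s removal guidance rather than deleting the DLL, because the transport service still expects to load the registered assembly.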


The researchers gathered evidence suggesting that LightNeuron likely belongs to the Turla espionage group, also known as Snake. This group and its activities have been researched extensively by ESET’s investigation team. “We believe I.T. security experts should be made aware of this threat,” said Faou.


To make the Command and Control (C&C) e-mails appear legitimate, LightNeuron uses steganography to hide its commands inside otherwise benign .PDF files or .JPG images.


LightNeuron’s ability to control e-mail communication makes it a perfect tool for covert document exfiltration and for taking control of other local machines, through a C&C mechanism that is extremely hard to detect and block.


“Due to the security improvements in operating systems, attackers need to concentrate on creating tools that can live in the systems they aim for, search for valuable documents they can reroute, and do so without raising suspicion. LightNeuron is Turla’s answer to that need,” said Faou.


ESET researchers warned that removing LightNeuron from a network is no easy task: simply deleting the malicious files will not do the job, since that would break the e-mail server. On this point, Faou advises: “We encourage admins to read the entire research document before trying to remove it.”