Researchers discover highly stealthy Microsoft Exchange backdoor

An extremely stealthy Microsoft Exchange backdoor can read, modify or block emails going through the compromised mail server and even compose and send new emails.

Microsoft Exchange backdoor

LightNeuron – as the backdoor has been dubbed by ESET researchers – is remotely controlled via emails using steganographic PDF and JPG attachments and is believed to have been used by the Turla cyber espionage group.

About LightNeuron

The LightNeuron backdoor is the first known instance of a backdoor employing a malicious Microsoft Exchange Transport Agent as a persistence mechanism.

“Microsoft Exchange allows extending its functionalities using Transport Agents that can process and modify all email messages going through the mail server. Transport Agents can be created by Microsoft, third-party vendors, or directly within an organization,” the researchers explained.

“The typical events handled by a Transport Agent occur when the mail server sends or receives an email. Before the event is actually executed, the Transport Agents are called and have the possibility to modify or block the email.”

Transport Agents are normally used for legitimate purposes, but this case shows that the same hook into mail flow can be turned to malicious ends.

Aside from the Transport Agent, which is dropped in the Exchange folder located in the Program Files folder and registered in the mail server’s configuration, the backdoor also uses a DLL file containing most of the malicious functions needed by the Transport Agent.

As mentioned before, the backdoor can block emails, modify their body, recipient and subject, create a new email, replace attachments, and re-create and re-send the email from the Exchange server to bypass the spam filter.

It can create email and attachment logs, encrypt emails and store them, and parse JPG/PDF attachments and decrypt and execute the commands found in them.

LightNeuron can also be instructed to write and execute files, delete and exfiltrate them, execute processes, disable itself, perform extensive logging (backdoor actions, debug, error, etc.) and perform automatic file exfiltration at a particular time of the day and night.


During their investigation, the researchers also noticed, alongside LightNeuron, tools such as remote administration software, RPC-based malware and .NET web shells targeting Outlook Web Access. By leveraging them, the attackers are able to control other machines on the local network using emails sent to the Exchange server.

Finally, judging by some strings decrypted from the malware samples, they believe it is likely that a Linux variant of the malware exists and is in use.

“That would not be surprising, given that many organizations have Linux mail servers,” they noted.

About Turla

Turla (aka Snake, aka Uroburos) is believed to be a Russian-speaking group of attackers that is likely state-sponsored. They’ve been active for more than a decade.

Their usual targets are government entities, diplomatic entities, military organizations and defense contractors, regional political organizations and research and education organizations around the world.

Even though LightNeuron dates back to at least 2014, it was discovered and analyzed by security researchers only now because of the previously unseen persistence mechanism, because it is hard to detect at the network level (no standard HTTP(S) communications), and because Turla deploys it only against its most important targets.

“This malware is not highly prevalent in the wild so it was able to stay under the radar for a long period of time,” ESET malware researcher Matthieu Faou told Help Net Security.

“We found LightNeuron while investigating machines already infected with known Turla malware. That’s how we were able to make the link between LightNeuron and Turla.”

The researchers pinpointed two targets hit with the backdoor: a Ministry of Foreign Affairs in an Eastern European country and a regional diplomatic organization in the Middle East.

Removing the malware

ESET researchers have released IoCs so organizations can check whether they have been compromised by the malware, but warned against removing the two malicious files as the first order of business: doing so breaks Microsoft Exchange and prevents everybody in the organization from sending and receiving emails.

Administrators must first disable the malicious Transport Agents and then move to remove the two malicious files.

“If you do not plan to re-install the mail server, an important last step is to modify the passwords of all accounts that have administrative rights on the compromised server. Otherwise, attackers could access the server again to compromise it again,” they advised.
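The triage and removal order described above (enumerate the registered Transport Agents, disable the malicious one, and only then touch its files) can be scripted from the Exchange Management Shell. The script below is an added example written for this page; it is not ESET's or Microsoft's code. It assumes the Exchange Management Shell cmdlets Get-TransportAgent, Disable-TransportAgent and Remove-TransportAgent, the Exchange 2013+ transport roles Hub and FrontEnd, and the MSExchangeTransport service name; the agent name to disable is a placeholder, since the article does not give the agent's identity.

```powershell
# Added example (not from the article or ESET): audit Exchange Transport Agents,
# then disable a flagged agent BEFORE its DLL is deleted. Deleting the assembly of
# an agent that is still registered breaks mail flow, as the article warns.

function Get-TransportAgentAudit {
    # One row per registered agent and transport role: assembly location, SHA-256,
    # Authenticode state and whether Microsoft signed it. Assumes Exchange 2013+
    # (agents can be registered in the Hub and the FrontEnd transport services).
    foreach ($role in 'Hub', 'FrontEnd') {
        foreach ($agent in Get-TransportAgent -TransportService $role) {
            $path   = $agent.AssemblyPath
            $exists = $path -and (Test-Path -LiteralPath $path)
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            $hash   = if ($exists) { (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash } else { $null }

            # A valid signature from a Microsoft certificate is the expected case for
            # built-in agents; anything else is merely "review this", not "malicious".
            $microsoftSigned = $sig -and
                               $sig.Status -eq 'Valid' -and
                               $sig.SignerCertificate.Subject -like '*Microsoft*'

            [pscustomobject]@{
                TransportService = $role
                Identity         = $agent.Identity
                Enabled          = $agent.Enabled
                Priority         = $agent.Priority
                Factory          = $agent.TransportAgentFactory
                AssemblyPath     = $path
                Sha256           = $hash
                SignatureState   = if ($sig) { $sig.Status } else { 'NoFile' }
                ReviewNeeded     = -not $microsoftSigned
            }
        }
    }
}

# Review everything. Legitimate third-party agents also show ReviewNeeded = True,
# so compare Sha256 and AssemblyPath with the published IoCs and your change records
# before deciding that an agent is the backdoor.
Get-TransportAgentAudit | Format-Table -AutoSize

# Removal step 1: disable and unregister the agent so Exchange stops loading its
# assembly. The identity below is a placeholder, not a real LightNeuron name.
$badAgent = 'PLACEHOLDER-AGENT-IDENTITY'
Disable-TransportAgent -Identity $badAgent -Confirm:$false
Remove-TransportAgent  -Identity $badAgent -Confirm:$false

# The transport service must be restarted for the unregistration to take effect.
Restart-Service -Name MSExchangeTransport

# Removal step 2 (manual): only now delete the agent DLL and its companion DLL, then
# rotate the passwords of every account with administrative rights on the server,
# as the researchers advise.
```

Run the audit on every Exchange server, not just the one where the compromise was first noticed, and keep the audit output: the file hashes are what you will compare against the ESET IoCs and against a known-good server of the same Exchange build.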



Cisco Email Security Appliance File Type Filtering Vulnerability

A vulnerability in the email message filtering feature of Cisco AsyncOS for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause an ESA to fail to detect and act upon a specific type of file that is attached to an email message.

The vulnerability is due to improper application of message filtering rules to email attachments that contain a specific type of file and are submitted to an affected appliance. An attacker could exploit this vulnerability by sending an email message with a crafted attachment to an affected appliance. A successful exploit could allow the attacker to cause the ESA to fail to detect and act upon possible malware in the email attachment.

Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160727-esa

Security Impact Rating: Medium

CVE: CVE-2016-1461


Micro Focus Retain 4.8 is now released!

qmangus

We’re pleased to announce that Retain 4.8 is now available! Our latest release features these enhancements:

  • Additional Android file types can now be viewed
  • If a sender/recipient is not recognized as an internal user for both PIN & SMS messages, a mock email address is used when forwarding (e.g. Phone_numberRetain@test.com)
  • MySQL 8.0 is now supported
  • …

The post Micro Focus Retain 4.8 is now released! appeared first on Cool Solutions.


GroupWise Resource Archive – March 2019

Advansys

The March 2019 release of the free GroupWise Resource Archive, which provides easy research of the NGW Digest email discussions between GroupWise administrators, partners, and consultants, is now available. Use the high speed text search capabilities to discover invaluable guidance within topics ranging from GroupWise technical issues to Micro Focus/Novell business discussions. The GroupWise Resource Archive can be …

The post GroupWise Resource Archive – March 2019 appeared first on Cool Solutions.


GroupWise Resource Archive – February 2019

Advansys

The February 2019 release of the free GroupWise Resource Archive, which provides easy research of the NGW Digest email discussions between GroupWise administrators, partners, and consultants, is now available. Use the high speed text search capabilities to discover invaluable guidance within topics ranging from GroupWise technical issues to Micro Focus/Novell business discussions. The GroupWise Resource Archive can be …

The post GroupWise Resource Archive – February 2019 appeared first on Cool Solutions.
