Researchers have uncovered what they say is the very first malware to achieve persistence in Microsoft Exchange email servers, which allows attackers to secretly execute commands via malicious emails featuring attachments with hidden code.
Dubbed LightNeuron, the furtive backdoor has been targeting Exchange servers since at least 2014, according to a blog post from ESET, whose researchers have provisionally linked the threat to the Russian cyber espionage group Turla. ESET discovered the backdoor on three victims: an unidentified Brazilian organization, a Ministry of Foreign Affairs in Eastern Europe and a regional diplomatic organization in the Middle East.
In addition to the confirmed Windows-based version, ESET believes there may be a Linux variant in use as well, based on artifacts turned up during its investigation.
The key to LightNeuron’s persistence technique is its ability to leverage “transport agents,” which according to Microsoft are tools that let users install custom software on Exchange servers and then process email messages that pass through the transport pipeline. These Transport Agents are granted the same level of trust as spam filters and other security products, ESET explains, which makes a successful infection all the more dangerous and hard to detect.
Using XML-based rules, a LightNeuron Transport Agent can interfere with a victim’s emails in a variety of ways — blocking them; composing and sending new ones; modifying their content, subjects and recipients; replacing attachments and more.
But the attackers’ can do much more than alter emails. They can also send commands via the compromised Exchange program, enabling them to write executables, launch executables and processes, delete or exfiltrate sensitive files and essentially control local machines via its command-and-control infrastructure.
To achieve this, the attackers simply send an email with a specially crafted PDF document or JPG image to any email address belonging to the infected organization. The commands inside these attached documents are hidden using steganography techniques.
“Once an email is recognized as a command email, the command is executed and the email is blocked directly on the Exchange server. Thus, it is very stealthy and the original recipient will not be able to view it,” states the blog post, authored by ESET researcher Matthieu Faou. Faou also penned an accompanying white paper that further details the threat.