Turla threat actor group hijacks Microsoft Exchange mail server using sophisticated LightNeuron backdoor

• The malware is capable of modifying any email passing through the compromised mail server.
• It can be remotely controlled via steganographic PDF and JPG email attachments.

Russia-linked Turla threat group has been using an advanced backdoor to hijack Microsoft Exchange mail servers. The malware is dubbed as ‘LightNeuron’ and is capable of modifying any email passing through the compromised mail server.

What does the finding say?

In a report, ESET researchers have highlighted that LightNeuron can be remotely controlled via steganographic PDF and JPG email attachments. The Turla, also known as Snake, has been using the malware to target Microsoft Exchange mail servers since at least 2014.

Who are the victims?

During its investigation, the researchers identified three different victim organizations. One attack was carried out against an unknown organization in Brazil. On the other hand, the other two victims are a ministry of foreign affairs in Eastern Europe and a Regional Diplomatic organization in the Middle East.

What are the capabilities of LightNeuron?

Researchers claim that LightNeuron is the first malware to target Microsoft Exchange email servers. It uses a technique called ‘Transport Agent’ to gain persistence on an infected machine. By leveraging this technique, the malware is able to:

• Read and modify any email going through the mail server;
• Compose and send new emails;
• Block any email.

What workarounds are available?

Removing LightNeuron from the infected machine is not an easy task. Users infected with the malware are required to disable the malicious Transport Agent before actually removing the files.