ESET has announced the discovery of a new specimen of malware targetted specifically at Microsoft Exchange Servers, and which has been used for 5 years to offer hostile governments and other Advanced Persistent Threats full control over the email of companies targeted.

Lightneuron is one of the most complex backdoors ever spotted on an e-mail server; and Russian cyber criminals are using it as an MTA for Microsoft Exchange e-mail servers.

The hackers can have full control over everything that passes through an infected e-mail server, meaning they can intercept and edit the content of incoming or outgoing e-mails.

“To our knowledge, this is the first malware specifically targeting Microsoft Exchange,” ESET Malware Researcher Matthieu Faou reported.

“Turla targeted email servers in the past using a malware called Neuron (a.k.a DarkNeuron) but it was not specifically designed to interact with Microsoft Exchange.

“Some other APTs use traditional backdoors to monitor mail servers’ activity. However, LightNeuron is the first one to be directly integrated into the working flow of Microsoft Exchange,” said Faou.

What makes LightNeuron unique is its command-and-control mechanism and use of steganography.  Turla hackers hide commands inside PDF and JPG images sent by e-mail, which the backdoor reads and perform.  This makes it considerably more difficult for victim organisations to detect.

ESET released a white paper today with detailed removal instructions, but with LightNeuron working at the deepest levels of a Microsoft Exchange server, this will prove to be very difficult.

Source: zdnet

Comments