ESET Whitepaper - Turla LightNeuron

One email away from remote code execution

ESET research has uncovered LightNeuron, a Microsoft Exchange backdoor that can read, modify or block any email going through the mail server, and even compose new emails and send them under the identity of any legitimate user of the attackers’ choice. The malware is remotely controlled via emails using steganographic PDF and JPG attachments.

LightNeuron has been targeting Microsoft Exchange mail servers since at least 2014. ESET researchers have identified three different victim organizations, among them a ministry of foreign affairs in an Eastern European country and a regional diplomatic organization in the Middle East.

ESET researchers have collected evidence suggesting, with a high level of confidence, that LightNeuron belongs to the arsenal of the infamous espionage group Turla, also known as Snake. This group and its activities are extensively covered by ESET research.

To make incoming command and control (C&C) emails look innocent, LightNeuron uses steganography to hide its commands inside valid PDF documents or JPG images.

The ability to control the email communication makes LightNeuron a perfect tool for stealthy exfiltration of documents, and also for controlling other local machines via a C&C mechanism that is very hard to detect and block.

ESET researchers warn that cleaning LightNeuron from a network is no easy task: simply removing the malicious files does not work, as it would break the email server.

The detailed analysis, including the full list of Indicators of Compromise and samples, can be found in this research paper.

To read it, please enter your details in the form.

Request Your Whitepaper