Monday, May 19, 2025

Turla APT Hackers Attack Microsoft Exchange Server using Powerful Malware to Spying on Emails


The Turla cyberespionage group has developed an advanced piece of malware named LightNeuron that specifically targets Microsoft Exchange servers and spies on sensitive emails.

Turla, also known as Snake, is one of the most potent APT groups, and it is well known for using sophisticated customized tools to attack high-profile targets.

Turla is also responsible for several high-profile breaches, including the United States Central Command in 2008, the Swiss military company RUAG in 2014 and the French Armed Forces in 2018, and the group has been active for more than a decade.


The LightNeuron malware was developed with advanced features serving two essential purposes: spying on emails and acting as a full-featured backdoor on the Microsoft Exchange server.

Turla maintains an extensive arsenal of hacking tools that cover all the major platforms, including Windows, macOS, and Linux.

Attack on Microsoft Exchange Servers

The initial stage of a LightNeuron infection on a Microsoft Exchange server starts by leveraging a Microsoft Exchange Transport Agent.

Microsoft Exchange allows its functionality to be extended using Transport Agents, which can process and modify all email messages going through the mail server. Transport Agents can be created by Microsoft, by third-party vendors, or directly within an organization.

LightNeuron uses two main components: a Transport Agent registered in the Microsoft Exchange configuration, and a companion 64-bit Dynamic Link Library (DLL) containing most of the malicious code.

Researchers believe this is the first time hackers have abused a Transport Agent for malicious purposes. In this case, the malicious Transport Agent is responsible for establishing communication between Microsoft Exchange and the main malicious DLL.
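Because LightNeuron hides as a registered Transport Agent backed by a DLL, the natural place for a defender to look is the list of agents the server has loaded. The script below is an added example, not code from the article or from ESET, that runs in the Exchange Management Shell and flags agents whose identity is not in a baseline, whose assembly lives outside the Exchange install directory, or whose DLL is unsigned or not signed by Microsoft. The baseline list, the Microsoft-subject check and the fallback install path are assumptions; the cmdlets used (Get-TransportAgent, Get-AuthenticodeSignature, Get-FileHash) are standard.

```powershell
# Added example (not from the article or ESET): audit registered Transport Agents.
# Run in the Exchange Management Shell on a Mailbox/Edge server.
# ExchangeInstallPath is set by Exchange setup; the fallback is a typical default.
$exchangeRoot = $env:ExchangeInstallPath
if (-not $exchangeRoot) { $exchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15\' }

# Hypothetical baseline: build this from a known-good server of the same build,
# including any third-party agents your organization deliberately installed.
$knownAgents = @(
    'Transport Rule Agent',
    'Malware Agent',
    'Text Messaging Routing Agent',
    'Text Messaging Delivery Agent'
)

$findings = foreach ($agent in Get-TransportAgent) {
    $reasons = @()
    $hash    = $null
    $path    = $agent.AssemblyPath

    if ($knownAgents -notcontains $agent.Identity) { $reasons += 'identity not in baseline' }

    if (-not $path) {
        $reasons += 'no assembly path recorded'
    } elseif (-not (Test-Path -LiteralPath $path)) {
        $reasons += 'assembly path does not exist on disk'
    } else {
        if ($path -notlike "$exchangeRoot*") { $reasons += 'assembly outside Exchange install directory' }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $reasons += "Authenticode status $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            # Assumption: only Microsoft-signed agents are expected on this server.
            $reasons += "signed by $($sig.SignerCertificate.Subject)"
        }
        # SHA-256 lets you compare the DLL against the IoC list ESET published.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        Identity   = $agent.Identity
        Enabled    = $agent.Enabled
        Priority   = $agent.Priority
        Assembly   = $path
        Sha256     = $hash
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Suspicious entries first; review every flagged agent rather than only the unknown ones,
# since a malicious agent may reuse a legitimate-looking name.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A flagged agent is a lead, not a verdict: legitimate anti-spam or DLP products also register third-party agents, which is why the baseline should come from a server you trust rather than from a vendor list. The Sha256 column is there so the DLLs can be matched against the indicators ESET published on GitHub.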

Once a Microsoft Exchange server has been successfully compromised, it receives emails containing commands for the backdoor.

The hackers issue commands to the backdoor via emails and use steganography to store the data in PDF and JPG attachments so that the commands stay hidden.

LightNeuron can also be instructed to write and execute files, delete and exfiltrate files, execute processes, disable itself, and perform extensive logging (backdoor actions, debug, error, etc.).

According to the ESET report: "During the course of our investigation, we noticed alongside LightNeuron the presence of several tools used to control other machines on the local network. These tools include Remote Administration Software, RPC-based malware or .NET web shells targeting Outlook Web Access. By leveraging them, attackers are able to control other machines on the local network using emails sent to the Exchange server."

Once LightNeuron has taken complete control of the Exchange server, it can spy on all emails going through the compromised mail server, and it can modify or block any of them.

The backdoor can also block emails; modify their body, recipients, and subject; create new emails; replace attachments; and re-create and re-send an email from the Exchange server to bypass the spam filter.

The complete list of Indicators of Compromise (IoCs) and malware samples is provided by ESET on its GitHub page.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
