Wednesday, October 16, 2024
HomeMalwareTurla APT Hackers Attack Microsoft Exchange Server using Powerful Malware to Spying...

Turla APT Hackers Attack Microsoft Exchange Server using Powerful Malware to Spying on Emails

Published on

Malware protection

Turla cyberespionage groups developed an advanced piece of Malware named as LightNeuron that specifically target the Microsoft exchange server and spying on sensitive emails.

Turla, also known as Snake is one of the most potent APT hacker’s group and the This APT group well-known for using sophisticated customized tools to attack high profile targets.

Tular is also responsible for some of the high-profile breaches including United States Central Command in 2008, Swiss military company RUAG in 2014, French Armed Forces in 2018 and the APT has actively attacked more than a decade.

- Advertisement - SIEM as a Service

They LightNeuron malware developed with advanced futures with two essential facts that are spying on emails and acting as a full-feature backdoor in Microsoft exchange server.

Turla APT was carrying an extensive arsenal of various hacking tools that can bypass all the major platform including Windows, macOS, and Linux.

Attack on Microsoft Exchange Servers

The initial stage of LighNeuron malware infection on Microsoft Exchange servers starts by leveraging a Microsoft Exchange Transport Agent.

Microsoft Exchange allows extending its functionalities using Transport Agents that can process and modify all email messages going through the mail server. Transport Agents can have been created by Microsoft, third-party vendors, or directly within an organization.

LighNeuron using two main components, a Transport Agent that registered in the Microsoft Exchange configuration, and a companion 64-bit Dynamic Link Library (DLL) containing most of the malicious code.

Researchers believe that this is the first time hackers abusing the Transport agent for malicious purpose. In this case, Macious Transport agent is responsible for establishing the communication between Microsoft Exchange with the main malicious DLL.

Once the Microsoft Exchange server successfully compromised, then it received emails containing commands for the backdoor.

Hackers issue commands to the backdoor via emails and uses steganography to store data in PDF and JPG attachments to ensure that the command is hidden.

LightNeuron malware can also be instructed to write and execute files, delete and exfiltrate them, execute processes, disable itself, perform extensive logging (backdoor actions, debug, error, etc.)

According to the ESET report, During the course of our investigation, we noticed alongside LightNeuron the presence of several tools used to control other machines on the local network. These tools include Remote Administration Software, RPCbased malware or .NET web shells targeting Outlook Web Access. By leveraging them, attackers are able to control other machines on the local network using emails sent to the Exchange server.

Once LightNeuron Malware takes the complete control of the exchange server, it can able spy on all emails going through the compromised mail server, and it can modify or block any email going through the compromised mail server.

Also, the backdoor can block emails, modify their body, recipient, and subject, created a new email, replace attachments, and re-create and re-send the email from the Exchange server to bypass the spam filter.

The Complete list of Indicators of Compromise (IoCs) and malware samples are provided by ESET on GitHub page.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Microsoft Exchange Server Zero-day Flaw Exploit Provide Highest Admin Privilege to Hackers

Microsoft Releases Security Advisory for Privilege Escalation Vulnerability With Exchange Server

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...