Thursday, March 28, 2024

Turla APT Hackers Attack Microsoft Exchange Server using Powerful Malware to Spying on Emails

Turla cyberespionage groups developed an advanced piece of Malware named as LightNeuron that specifically target the Microsoft exchange server and spying on sensitive emails.

Turla, also known as Snake is one of the most potent APT hacker’s group and the This APT group well-known for using sophisticated customized tools to attack high profile targets.

Tular is also responsible for some of the high-profile breaches including United States Central Command in 2008, Swiss military company RUAG in 2014, French Armed Forces in 2018 and the APT has actively attacked more than a decade.

They LightNeuron malware developed with advanced futures with two essential facts that are spying on emails and acting as a full-feature backdoor in Microsoft exchange server.

Turla APT was carrying an extensive arsenal of various hacking tools that can bypass all the major platform including Windows, macOS, and Linux.

Attack on Microsoft Exchange Servers

The initial stage of LighNeuron malware infection on Microsoft Exchange servers starts by leveraging a Microsoft Exchange Transport Agent.

Microsoft Exchange allows extending its functionalities using Transport Agents that can process and modify all email messages going through the mail server. Transport Agents can have been created by Microsoft, third-party vendors, or directly within an organization.

LighNeuron using two main components, a Transport Agent that registered in the Microsoft Exchange configuration, and a companion 64-bit Dynamic Link Library (DLL) containing most of the malicious code.

Researchers believe that this is the first time hackers abusing the Transport agent for malicious purpose. In this case, Macious Transport agent is responsible for establishing the communication between Microsoft Exchange with the main malicious DLL.

Once the Microsoft Exchange server successfully compromised, then it received emails containing commands for the backdoor.

Hackers issue commands to the backdoor via emails and uses steganography to store data in PDF and JPG attachments to ensure that the command is hidden.

LightNeuron malware can also be instructed to write and execute files, delete and exfiltrate them, execute processes, disable itself, perform extensive logging (backdoor actions, debug, error, etc.)

According to the ESET report, During the course of our investigation, we noticed alongside LightNeuron the presence of several tools used to control other machines on the local network. These tools include Remote Administration Software, RPCbased malware or .NET web shells targeting Outlook Web Access. By leveraging them, attackers are able to control other machines on the local network using emails sent to the Exchange server.

Once LightNeuron Malware takes the complete control of the exchange server, it can able spy on all emails going through the compromised mail server, and it can modify or block any email going through the compromised mail server.

Also, the backdoor can block emails, modify their body, recipient, and subject, created a new email, replace attachments, and re-create and re-send the email from the Exchange server to bypass the spam filter.

The Complete list of Indicators of Compromise (IoCs) and malware samples are provided by ESET on GitHub page.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Microsoft Exchange Server Zero-day Flaw Exploit Provide Highest Admin Privilege to Hackers

Microsoft Releases Security Advisory for Privilege Escalation Vulnerability With Exchange Server

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles