Turla APT Hackers Attack Microsoft Exchange Server using Powerful Malware to Spying on Emails

Turla cyberespionage groups developed an advanced piece of Malware named as LightNeuron that specifically target the Microsoft exchange server and spying on sensitive emails.

Turla, also known as Snake is one of the most potent APT hacker’s group and the This APT group well-known for using sophisticated customized tools to attack high profile targets.

Tular is also responsible for some of the high-profile breaches including United States Central Command in 2008, Swiss military company RUAG in 2014, French Armed Forces in 2018 and the APT has actively attacked more than a decade.

They LightNeuron malware developed with advanced futures with two essential facts that are spying on emails and acting as a full-feature backdoor in Microsoft exchange server.

Turla APT was carrying an extensive arsenal of various hacking tools that can bypass all the major platform including Windows, macOS, and Linux.

Attack on Microsoft Exchange Servers

The initial stage of LighNeuron malware infection on Microsoft Exchange servers starts by leveraging a Microsoft Exchange Transport Agent.

Microsoft Exchange allows extending its functionalities using Transport Agents that can process and modify all email messages going through the mail server. Transport Agents can have been created by Microsoft, third-party vendors, or directly within an organization.

LighNeuron using two main components, a Transport Agent that registered in the Microsoft Exchange configuration, and a companion 64-bit Dynamic Link Library (DLL) containing most of the malicious code.

Researchers believe that this is the first time hackers abusing the Transport agent for malicious purpose. In this case, Macious Transport agent is responsible for establishing the communication between Microsoft Exchange with the main malicious DLL.

Once the Microsoft Exchange server successfully compromised, then it received emails containing commands for the backdoor.

Hackers issue commands to the backdoor via emails and uses steganography to store data in PDF and JPG attachments to ensure that the command is hidden.

LightNeuron malware can also be instructed to write and execute files, delete and exfiltrate them, execute processes, disable itself, perform extensive logging (backdoor actions, debug, error, etc.)

According to the ESET report, During the course of our investigation, we noticed alongside LightNeuron the presence of several tools used to control other machines on the local network. These tools include Remote Administration Software, RPCbased malware or .NET web shells targeting Outlook Web Access. By leveraging them, attackers are able to control other machines on the local network using emails sent to the Exchange server.

Once LightNeuron Malware takes the complete control of the exchange server, it can able spy on all emails going through the compromised mail server, and it can modify or block any email going through the compromised mail server.

Also, the backdoor can block emails, modify their body, recipient, and subject, created a new email, replace attachments, and re-create and re-send the email from the Exchange server to bypass the spam filter.

The Complete list of Indicators of Compromise (IoCs) and malware samples are provided by ESET on GitHub page.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Microsoft Exchange Server Zero-day Flaw Exploit Provide Highest Admin Privilege to Hackers

Microsoft Releases Security Advisory for Privilege Escalation Vulnerability With Exchange Server

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

12 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

12 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

15 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

18 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

19 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

19 hours ago