A long-running cyberespionage group has reportedly developed a sophisticated Microsoft Exchange server backdoor that can intercept, redirect, and modify emails as well as send messages on behalf of the compromised victims. Cybersecurity firm ESET released a detailed analysis on the backdoor, which has been dubbed LightNeuron (Trend Micro detects it as TROJAN.MSIL.TURLA.A).
This is the first ever reported malicious use of a mail Transport Agent, software for legitimate purposes that can be created by Microsoft or third-parties. Many of them are for security and used to filter spam, malicious attachments and more. Because of their intended use, these Transport Agents have access and a certain level of control over the emails handled by the server.
According to the ESET report, LightNeuron has two main components: a Transport Agent, registered in the Microsoft Exchange configuration, and a DLL with most of the malicious code. Administrative privileges are required to drop the required files onto the Microsoft Exchange server before execution. Once successfully executed, the hackers that installed the backdoor can issue orders using JPG or PDF attachments with commands embedded via steganography (a known trick). This is a particularly sophisticated way of issuing commands stealthily because they are hidden in attachments that can be easily disguised as normal or even spam mail. If the backdoor works, a victim will be unaware that it's receiving commands from disguised mail, and possibly executing malicious actions like blocking emails.
Alongside LightNeuron, the security researchers also noticed tools like remote administration software and malware used to target Outlook Web Access. The tools could be used to control other machines on the local network through emails sent to the compromised server.
There is no silver bullet for a sophisticated threat like LightNeuron, and defending against this backdoor requires effective and layered security. To prevent compromise and strengthen the security of email servers, IT admins should use strong and unique passwords for administrative Exchange server accounts and check that all Transport Agents come from trusted parties.
Enterprises will also benefit from multilayered security solutions that protect against the risks brought about by this malware.
Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions can protect users and businesses from threats by detecting malicious files and messages as well as blocking all related malicious URLs. Trend Micro™ Deep Security™ stops malware from reaching enterprise servers — whether physical, virtual, or in the cloud.
Trend Micro™ XGen™ security provides high-fidelity machine learning that can secure the gateway and endpoint, and protect physical, virtual, and cloud workloads. With technologies that employ web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities. XGen security also powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.