Credits: The Register
A recently uncovered malware infection uses the basic functions of Microsoft’s Exchange Server to remotely monitor and control computer systems.
Researchers at ESET said this week the software nasty, known as LightNeuron, is particularly difficult for admins to detect as it takes advantage of legitimate components within Exchange.
Specifically, ESET says, LightNeuron runs a combination of a poisoned DLL and a specially-crafted Transport Agent. Designed for things like spam filtering and screening attachments, Transport Agents analyze all messages going in and out of a server.
Understandably, getting a malicious Transport Agent on a server (such as via a PowerShell command) would be particularly useful for someone wanting to spy on a company, and a bad thing for admins.
“To our knowledge, leveraging a Microsoft Exchange Transport Agent for persistence is something unique and never before seen,” ESET said.
“Moreover, in the few cases we studied, LightNeuron was running with SYSTEM privileges. It is typically hard to gain this level of privilege on a Microsoft Exchange server, as it is one of the most critical assets in an organization. Thus, once compromised, it is likely that it will stay undetected for months or years.”
The second half of the infection is a malicious DLL that processes and executes additional commands. The library is able to carry out orders to do things like send mail, log and transmit activity and modify messages that travel over the server.
Sending those commands requires embedding them into file attachments. In the case ESET observed, this was done by steganography: hiding the commands inside the raw bytes of a PDF or JPG file.
The attacker would put the command into the file and send it as an attachment in a message to the infected server. The message would be spotted by LightNeuron’s transport agent, which would then pass it along to the DLL, where the image information would be accessed and any commands within it executed.
Thus, the bad guys (in this case Turla, a long-running espionage group targeting diplomatic bodies in Europe and the Middle East) are able to keep remote access to and control of Exchange Servers without ever catching the eye of malware or spam filters on the infected machine.
Even if it is caught, wiping out the infection with anything short of a complete rebuild of the server is a tedious process.
“The cleaning of LightNeuron is not an easy task,” ESET explained.
“Simply removing the two malicious files will break Microsoft Exchange, preventing everybody in the organization from sending and receiving emails.”
Rather, the security bod recommends that admins instead lock down the openings used to get LightNeuron on a server in the first place: admin accounts should be well secured with 2FA, PowerShell command access should be strictly limited, and Transport Agent installations should be closely monitored.
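The closing advice is to watch Transport Agent installations, so here is what that looks like in practice. The script below is an added example written for this page, not code from ESET, The Register or Microsoft. Run in the Exchange Management Shell, it snapshots every registered Transport Agent together with the SHA-256 of the assembly it loads, reports agents that appear, change or vanish relative to a saved baseline, and lists recent Install-/Enable-/Set-TransportAgent entries from the Exchange admin audit log. The baseline file location, the 30-day audit window and the set of audited cmdlets are assumptions; the script also assumes admin audit logging is enabled and that Get-FileHash is available (PowerShell 4 or later).

```powershell
# Added example (not part of the original article): baseline and audit the
# Transport Agents registered on an Exchange server. Run in the Exchange
# Management Shell. Assumed: Get-TransportAgent, Get-FileHash and
# Search-AdminAuditLog are available and admin audit logging is on.
param(
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Compare',
    # Assumed location for the known-good baseline; pick any protected path.
    [string]$BaselinePath = 'C:\ExchangeAudit\transport-agents-baseline.json',
    # Assumed look-back window for the admin audit log search.
    [int]$AuditDays = 30
)

# Snapshot every registered agent plus the hash of the DLL it loads.
function Get-TransportAgentSnapshot {
    Get-TransportAgent | ForEach-Object {
        $hash = $null
        if ($_.AssemblyPath -and (Test-Path -LiteralPath $_.AssemblyPath)) {
            $hash = (Get-FileHash -LiteralPath $_.AssemblyPath -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            Identity              = [string]$_.Identity
            Enabled               = [bool]$_.Enabled
            Priority              = [int]$_.Priority
            TransportAgentFactory = [string]$_.TransportAgentFactory
            AssemblyPath          = [string]$_.AssemblyPath
            Sha256                = $hash
        }
    }
}

# Record the current state as the baseline to compare against later.
function Save-TransportAgentBaseline {
    param([string]$Path)
    $dir = Split-Path -Parent $Path
    if ($dir -and -not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Get-TransportAgentSnapshot | ConvertTo-Json | Set-Content -LiteralPath $Path -Encoding UTF8
    Write-Host "Baseline written to $Path"
}

# Report any agent that is new, removed, or whose assembly/path has changed.
function Compare-TransportAgentBaseline {
    param([string]$Path)
    $known = @{}
    foreach ($b in (Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json)) { $known[$b.Identity] = $b }
    $seen = @{}
    $findings = @()
    foreach ($agent in Get-TransportAgentSnapshot) {
        $seen[$agent.Identity] = $true
        $ref = $known[$agent.Identity]
        if (-not $ref) {
            $findings += "NEW agent '$($agent.Identity)' loads $($agent.AssemblyPath) via $($agent.TransportAgentFactory)"
        } elseif ($ref.AssemblyPath -ne $agent.AssemblyPath) {
            $findings += "PATH changed for '$($agent.Identity)': $($ref.AssemblyPath) -> $($agent.AssemblyPath)"
        } elseif ($ref.Sha256 -ne $agent.Sha256) {
            $findings += "ASSEMBLY changed for '$($agent.Identity)': $($agent.AssemblyPath)"
        } elseif ($ref.Enabled -ne $agent.Enabled) {
            $findings += "ENABLED state changed for '$($agent.Identity)': now $($agent.Enabled)"
        }
    }
    foreach ($name in $known.Keys) {
        if (-not $seen[$name]) { $findings += "REMOVED agent '$name'" }
    }
    $findings
}

# Who registered, enabled or reconfigured agents recently, per the admin audit log.
function Get-RecentTransportAgentChanges {
    param([int]$Days)
    Search-AdminAuditLog -Cmdlets Install-TransportAgent, Enable-TransportAgent, Set-TransportAgent `
        -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) |
        Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded
}

if ($Mode -eq 'Baseline') {
    Save-TransportAgentBaseline -Path $BaselinePath
} else {
    $findings = Compare-TransportAgentBaseline -Path $BaselinePath
    if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
    else { Write-Host "Transport agents match baseline $BaselinePath" }
    Get-RecentTransportAgentChanges -Days $AuditDays | Format-Table -AutoSize
}
```

Take the baseline once on a server you trust (`-Mode Baseline`), store the JSON somewhere the Exchange service account cannot modify, and schedule the compare run; an agent whose assembly lives outside the Exchange installation directory, or an audit-log entry for Install-TransportAgent from an account that does not normally administer transport, is exactly the kind of installation the article says should be watched.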