Want rootkit-level access without the hassle? Enter, LightNeuron for Exchange Server

Microsoft software-targeting malware gets commands from code hidden in attachments

By Shaun Nichols in San Francisco


A recently uncovered malware infection uses the basic functions of Microsoft's Exchange Server to remotely monitor and control computer systems.

Researchers at ESET said this week the software nasty, known as LightNeuron, is particularly difficult for admins to detect as it takes advantage of legitimate components within Exchange.

Specifically, ESET says, LightNeuron runs a combination of a poisoned DLL and a specially-crafted Transport Agent. Designed for things like spam filtering and screening attachments, Transport Agents analyze all messages going in and out of a server.

Understandably, getting a malicious Transport Agent on a server (such as via a PowerShell command) would be particularly useful for someone wanting to spy on a company, and a bad thing for admins.

"To our knowledge, leveraging a Microsoft Exchange Transport Agent for persistence is something unique and never before seen," ESET said.

"Moreover, in the few cases we studied, LightNeuron was running with SYSTEM privileges. It is typically hard to gain this level of privilege on a Microsoft Exchange server, as it is one of the most critical assets in an organization. Thus, once compromised, it is likely that it will stay undetected for months or years."

The second half of the infection is a malicious DLL that processes and executes additional commands. The library is able to carry out orders to do things like send mail, log and transmit activity and modify messages that travel over the server.

Sending those commands requires embedding them into file attachments. In the case ESET observed, this was done by steganography- entering the commands into the hex code of a PDF or JPG file.

Extortionist hacks IT provider used by the stars of tech leaks customer info after ransom goes unpaid


The attacker would put the command into the file and send it as an attachment in a message to the infected server. The message would be spotted by LightNeuron's transport agent, which would then pass it along to the DLL, where the image information would be accessed and any commands within it executed.

Thus, the bad guys (in this case Turla, a long-running operation targeting diplomatic operations in Europe and the Middle East) are able to keep remote access and control of Exchange Servers without ever catching the eye of malware or spam filters on the infected machine.

Even if it is caught, wiping out the infection with anything short of a complete re-write of the server is a tedious process.

"The cleaning of LightNeuron is not an easy task," ESET explained.

"Simply removing the two malicious files will break Microsoft Exchange, preventing everybody in the organization from sending and receiving emails."

Rather, the security bod recommends that admins instead lock down the openings used to get LightNeuron on a server in the first place. Admin accounts should be well-secured with 2FA and PowerShell command access should be strictly limited and Transport Agent installations closely monitored. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Git365. Git for Teams. Quatermass and the Git Pit. GitHub simply won't do now Microsoft has it

Poll Tell us, what should the source shack be called post-Redmondisation?

There's a Snowflake in Washington: Microsoft lets data warehouser in on Azure Government

What did you think we meant?

Hitting Microsoft's metal: SUSE flings Enterprise Linux at SAP HANA on Azure

SUSECON '19 Fancy a slice of SLES for SAP?

Rubber glove time! Microsoft flings open gates to its very own Azure FHIR health data fest

SQL support and Release 4 arrives in cloudy open source service

Azure support arrives in Spinnaker, Azure DevOps rocks up in the UK

This is local storage for local people

Microsoft goes to great lengths to polish Azure Active Directory's password policies

Get it? Lengths. Users now have 240 extra characters to play with

Gitpod git-bolts git-IDE onto GitHub for in-browser code git-editing

Devs can deal with pull requests from Chrome

GitLab's move off Azure to Google cloud totally unrelated to Microsoft's GitHub acquisition. Yep

Source shack says it's chasing reliability and Kubernetes tech

Microsoft's Azure Portal: A boat load of updates, but is it too ambitious?

The spiritual successor to the Windows GUI

What a pain in the Azzz-ure: Microsoft Azure, SharePoint, etc knocked offline by DNS blunder

Technical term for today's three-hour outage is TITSUP: Total Inability To Support Users' Packets