Want rootkit-level access without the hassle? Enter, LightNeuron for Exchange Server

Microsoft software-targeting malware gets commands from code hidden in attachments

By Shaun Nichols in San Francisco


A recently uncovered malware infection uses the basic functions of Microsoft's Exchange Server to remotely monitor and control computer systems.

Researchers at ESET said this week the software nasty, known as LightNeuron, is particularly difficult for admins to detect as it takes advantage of legitimate components within Exchange.

Specifically, ESET says, LightNeuron runs a combination of a poisoned DLL and a specially-crafted Transport Agent. Designed for things like spam filtering and screening attachments, Transport Agents analyze all messages going in and out of a server.

Unsurprisingly, getting a malicious Transport Agent onto a server (registering it via a PowerShell cmdlet is one route) would be particularly useful for someone wanting to spy on a company, and a bad thing for admins: every message that passes through the server passes through the agent.

"To our knowledge, leveraging a Microsoft Exchange Transport Agent for persistence is something unique and never before seen," ESET said.

"Moreover, in the few cases we studied, LightNeuron was running with SYSTEM privileges. It is typically hard to gain this level of privilege on a Microsoft Exchange server, as it is one of the most critical assets in an organization. Thus, once compromised, it is likely that it will stay undetected for months or years."

The second half of the infection is a malicious DLL that processes and executes additional commands. The library is able to carry out orders to do things like send mail, log and transmit activity and modify messages that travel over the server.

Sending those commands requires embedding them in file attachments. In the cases ESET observed, this was done by steganography: hiding the commands within the bytes of an otherwise ordinary-looking PDF or JPG file.



The attacker would put the command into the file and send it as an attachment in a message to the infected server. The message would be spotted by LightNeuron's transport agent, which would then pass it along to the DLL, where the image information would be accessed and any commands within it executed.

Thus, the bad guys (in this case Turla, a long-running operation targeting diplomatic operations in Europe and the Middle East) are able to keep remote access and control of Exchange Servers without ever catching the eye of malware or spam filters on the infected machine.

Even if it is caught, wiping out the infection with anything short of a complete rebuild of the server is a tedious process.

"The cleaning of LightNeuron is not an easy task," ESET explained.

"Simply removing the two malicious files will break Microsoft Exchange, preventing everybody in the organization from sending and receiving emails."

Rather, the security bods recommend that admins lock down the openings used to get LightNeuron onto a server in the first place. Admin accounts should be well-secured with 2FA, PowerShell command access should be strictly limited, and Transport Agent installations closely monitored. ®
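As an added illustration of that last piece of advice (this is not ESET's or The Register's code, and it is not tied to any LightNeuron indicator), the following Exchange Management Shell snippet audits the Transport Agents registered on a server, the persistence mechanism described above. It flags any agent whose assembly lives outside the Exchange install directory or lacks a valid Microsoft Authenticode signature, hashes agents.config for baselining, and pulls the admin audit log entries for the installation cmdlets. It assumes the ExchangeInstallPath environment variable set by Exchange setup and the standard cmdlets Get-TransportAgent, Get-AuthenticodeSignature and Search-AdminAuditLog; the "Microsoft-signed" test is an assumption about your environment, not a rule.

```powershell
# Added example (not from the original article): audit Exchange Transport Agents
# for a foothold of the kind described above. Run in the Exchange Management Shell
# on each server with a transport role.

# Agents Exchange ships itself live under the install directory (assumption: that
# is where $env:ExchangeInstallPath points; setup sets it). Anything loaded from
# elsewhere deserves a second look.
$exchangeRoot = $env:ExchangeInstallPath
if (-not $exchangeRoot) { throw "ExchangeInstallPath is not set; run this on an Exchange server." }

$findings = foreach ($agent in Get-TransportAgent) {
    $path = $agent.AssemblyPath
    $outsideInstall = -not ($path -like "$exchangeRoot*")

    # A missing file, a broken signature or a non-Microsoft signer all count as
    # suspicious here. Third-party agents (antispam, archiving) will trip this too,
    # so keep an allow-list of the ones you installed on purpose.
    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    $signedByMicrosoft = $sig -and ($sig.Status -eq 'Valid') -and
                         ($sig.SignerCertificate.Subject -match 'Microsoft')

    [pscustomobject]@{
        Identity        = $agent.Identity
        Enabled         = $agent.Enabled
        Priority        = $agent.Priority
        Factory         = $agent.TransportAgentFactory
        AssemblyPath    = $path
        OutsideInstall  = $outsideInstall
        SignatureStatus = if ($sig) { $sig.Status } else { 'NoFile' }
        Suspicious      = $outsideInstall -or (-not $signedByMicrosoft)
    }
}

# Lowest priority number runs first; a rogue agent that wants to see every message
# before the legitimate filters do will sit near the top of this list.
$findings | Sort-Object Priority | Format-Table -AutoSize

# Exchange records registered agents in agents.config. Hash it and compare against a
# known-good baseline you keep elsewhere (assumption: you maintain that baseline).
$agentsConfig = Join-Path $exchangeRoot 'TransportRoles\Shared\agents.config'
Get-FileHash -Algorithm SHA256 -Path $agentsConfig

# Admin audit logging records who ran the installation cmdlets and when. Any entry
# you cannot tie to a change ticket is worth investigating.
Search-AdminAuditLog -Cmdlets Install-TransportAgent, Enable-TransportAgent `
                     -StartDate (Get-Date).AddDays(-30)
```

Run it on a schedule and diff the output between runs: a new agent, a changed assembly path, or a changed agents.config hash is the signal, and the audit log tells you which account did it, which ties back to the advice about securing admin accounts and limiting PowerShell access.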
