LightNeuron, malware for Microsoft Exchange that can read, modify and block emails

Discovered by ESET researchers, the malware affects Microsoft Exchange mail servers and has been active since at least 2014. Three victims have been identified with certainty, but there could probably be many more.

ESET security researchers have discovered the LightNeuron backdoor, which affects Microsoft Exchange mail servers and can read, modify, and block any e-mail message passing through the server. As if that were not enough, LightNeuron can also send e-mails in the guise of a legitimate user chosen by those who control the backdoor.

The malware hides inside PDF and JPG documents and uses steganography techniques to make emails appear harmless. According to the investigations and analyses conducted by ESET researchers, the LightNeuron backdoor is part of the arsenal of the espionage group known as Turla or Snake.

LightNeuron

According to the researchers, LightNeuron is the first identified malware able to modify the transport mechanism of the Microsoft Exchange server. It can operate with the same level of reliability as security products such as spam filters, and it gives the attacker total control over the mail server and, consequently, over all email communications that pass through it. It is a tool that can be used for espionage and for stealing information and documents in a totally stealthy way.

LightNeuron has hit Microsoft Exchange mail servers since at least 2014, and ESET researchers have identified with certainty three organizations that have fallen victim to the malware, including a Ministry of Foreign Affairs of an Eastern European country and a diplomatic organization in the Middle East. However, considering the duration of the campaign, it is logical to assume that many other organizations have been affected by the malware.

Removing LightNeuron appears rather complicated, because simply deleting the malicious files would cause the e-mail server to malfunction. Key information and technical details on LightNeuron can be found in the research paper issued by ESET, available here.
