
Microsoft Exchange Servers Victim to One of the Most Sophisticated Backdoors to Date

Russia-linked hackers are thought to have been targeting Microsoft Exchange servers since 2014, including political attacks in the Middle East, Brazil, and Eastern Europe.


ESET researchers have uncovered one of the most complex backdoors to date, and it targets Microsoft Exchange servers. Known as LightNeuron, it has been targeting users since at least 2014 and is highly stealthy.

The investigation points a strong finger at Turla, a Russian hacking group suspected of having links to its government. Infected networks contained Turla malware on the same network, featured similar filenames, and reused PowerShell scripts and email addresses.

Three victims were discovered, including a ministry of foreign affairs and a regional diplomatic organization. The organizations were located in Brazil, Eastern Europe, and the Middle East.

The First of Its Kind

ESET believes this is the first malware that targets Exchange specifically and the only one to use a mail transfer agent. It integrates with the Exchange workflow, acting as a transport agent to retain persistence while having the ability to block, modify, and send emails, and to execute commands.
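Because the persistence point described above is a registered transport agent, defenders can inventory the agents on each Exchange server and check who signed each assembly. The following is an added example, not code from ESET or the article; the function name `Get-TransportAgentAudit` and the "signed by Microsoft" review heuristic are assumptions made for illustration.

```powershell
# Added example: audit registered Exchange transport agents.
# Run in the Exchange Management Shell on a server with the transport role.
# Assumption (heuristic, not from the article): an agent whose assembly is
# missing, unsigned, or not validly signed by Microsoft is flagged for review.
# Legitimate third-party agents will be flagged too and should be matched
# against change records.

function Get-TransportAgentAudit {
    [CmdletBinding()]
    param()

    foreach ($agent in Get-TransportAgent) {
        $path = $agent.AssemblyPath
        $sig  = $null
        $hash = $null

        # The assembly may have been removed or the path may be stale.
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }

        $signer = if ($sig -and $sig.SignerCertificate) {
            $sig.SignerCertificate.Subject
        } else { $null }

        $trusted = ($sig -and $sig.Status -eq 'Valid' -and
                    $signer -match 'O=Microsoft Corporation')

        [pscustomobject]@{
            Identity        = $agent.Identity
            Enabled         = $agent.Enabled
            Priority        = $agent.Priority
            Factory         = $agent.TransportAgentFactory
            AssemblyPath    = $path
            SignatureStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer          = $signer
            SHA256          = $hash
            NeedsReview     = -not $trusted
        }
    }
}

# Flagged agents first; full paths and hashes are kept for follow-up.
Get-TransportAgentAudit |
    Sort-Object NeedsReview -Descending |
    Format-List Identity, Enabled, Priority, Factory, AssemblyPath,
                SignatureStatus, Signer, SHA256, NeedsReview
```

Comparing the output across servers and over time makes a newly registered or re-prioritised agent stand out.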

The command handler is different from the others that perform modifications on the emails. It is actually a backdoor controlled by emails. The commands are hidden in PDF or JPG attachments using steganography.

“The attackers just have to send an email containing a specially crafted PDF document or JPG image to any email address of the compromised organization,” explained ESET. “It allows full control over the Exchange server by using the commands shown in Table 2.”

From there, hackers can write an executable, delete or exfiltrate files, execute processes and command lines, or disable the backdoor for a set amount of time. It's also difficult to remove without breaking .

“Over the past years, we have published numerous blogposts and white papers detailing the activities of the Turla group, including man-in-the-middle attacks against adobe.com or sophisticated userland malware,” said ESET. “However, for now it seems that LightNeuron has taken up the mantle of the most advanced known malware in Turla's arsenal.”

Ryan Maskell