The Russia-linked threat group known as Turla has been using a sophisticated backdoor to hijack Microsoft Exchange mail servers, ESET reported on Tuesday.
The malware, dubbed LightNeuron, allows the attackers to read and modify any email passing through the compromised mail server, create and send new emails, and block emails to prevent the intended recipients from receiving them.
According to ESET, LightNeuron has been used by Turla — the group is also known as Waterbug, KRYPTON and Venomous Bear — since at least 2014 to target Microsoft Exchange servers. The cybersecurity firm has analyzed a Windows version of the malware, but evidence suggests a Linux version exists as well.
ESET has identified three organizations targeted with LightNeuron, including a Ministry of Foreign Affairs in an Eastern European country, a regional diplomatic organization in the Middle East, and an entity in Brazil. ESET became aware of the Brazilian victim based on a sample uploaded to VirusTotal, but it has not been able to determine what type of organization has been targeted.
The company’s researchers have determined that LightNeuron leverages a persistence technique not used by any other piece of malware, a transport agent. Transport agents are designed to allow users to install custom software on Exchange servers.
The malware runs with the same level of trust as spam filters and other security products, ESET said.
As for command and control (C&C), the malware is controlled by attackers using emails containing specially crafted PDF documents or JPG images. The malware can recognize these emails and extract the commands from the PDF or JPG files.
The commands supported by LightNeuron allow attackers to take complete control of a server, including writing and executing files, deleting files, exfiltrating files, executing processes and commands, and disabling the backdoor for a specified number of minutes.
Last year, ESET detailed a backdoor used by Turla to target Microsoft Outlook. That piece of malware had also used PDF files attached to emails for command and control purposes.
ESET has linked LightNeuron to Turla based on several pieces of evidence, including the presence of known Turla malware on compromised Exchange servers, the use of file names similar to ones known to be used by the group, and the use of a packer exclusively utilized by the threat actor.
In an APT trends report published last year by Kaspersky Lab, the Russian cybersecurity firm also mentioned LightNeuron and attributed it with medium confidence to Turla. Kaspersky had spotted victims in the Middle East and Central Asia.
ESET also noticed that the compromised Exchange servers received commands mostly during work hours in UTC+3, the Moscow time zone. Furthermore, the attackers apparently took a break between December 28, 2018, and January 14, 2019, when many Russians take time off to celebrate the New Year and Christmas.
Related: Turla Cyberspies Use New Dropper in G20 Attacks
Related: Turla-Linked Group Targets Embassies, Ministries
Related: Turla Linked to One of the Earliest Cyberespionage Operations

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Omron Patches PLC, Engineering Software Flaws Discovered During ICS Malware Analysis
- Intel Launches New Attestation Service as Part of Trust Authority Portfolio
- Atos Unify Vulnerabilities Could Allow Hackers to Backdoor Systems
- SASE Firm Cato Networks Raises $238 Million at $3 Billion Valuation
- Clorox Blames Damaging Cyberattack for Product Shortage
- Trend Micro Patches Exploited Zero-Day Vulnerability in Endpoint Security Products
- CISA Says Owl Labs Vulnerabilities Requiring Close Physical Range Exploited in Attacks
- Cybersecurity M&A Roundup for First Half of September 2023
Latest News
- Omron Patches PLC, Engineering Software Flaws Discovered During ICS Malware Analysis
- MGM Resorts Computers Back Up After 10 Days as Analysts Eye Effects of Casino Cyberattacks
- Intel Launches New Attestation Service as Part of Trust Authority Portfolio
- Tor-Based Drug Marketplace Piilopuoti Shut Down by Law Enforcement
- Staying on Topic in an Off Topic World
- Discern Security Emerges From Stealth Mode With $3 Million in Funding
- DHS Publishes New Recommendations on Cyber Incident Reporting
- Atos Unify Vulnerabilities Could Allow Hackers to Backdoor Systems
