Connect with us

Hi, what are you looking for?



Turla Uses Sophisticated Backdoor to Hijack Exchange Mail Servers

The Russia-linked threat group known as Turla has been using a sophisticated backdoor to hijack Microsoft Exchange mail servers, ESET reported on Tuesday.

The Russia-linked threat group known as Turla has been using a sophisticated backdoor to hijack Microsoft Exchange mail servers, ESET reported on Tuesday.

The malware, dubbed LightNeuron, allows the attackers to read and modify any email passing through the compromised mail server, create and send new emails, and block emails to prevent the intended recipients from receiving them.

According to ESET, LightNeuron has been used by Turla — the group is also known as Waterbug, KRYPTON and Venomous Bear — since at least 2014 to target Microsoft Exchange servers. The cybersecurity firm has analyzed a Windows version of the malware, but evidence suggests a Linux version exists as well.

ESET has identified three organizations targeted with LightNeuron, including a Ministry of Foreign Affairs in an Eastern European country, a regional diplomatic organization in the Middle East, and an entity in Brazil. ESET became aware of the Brazilian victim based on a sample uploaded to VirusTotal, but it has not been able to determine what type of organization has been targeted.

The company’s researchers have determined that LightNeuron leverages a persistence technique not used by any other piece of malware, a transport agent. Transport agents are designed to allow users to install custom software on Exchange servers.

The malware runs with the same level of trust as spam filters and other security products, ESET said.


As for command and control (C&C), the malware is controlled by attackers using emails containing specially crafted PDF documents or JPG images. The malware can recognize these emails and extract the commands from the PDF or JPG files.

The commands supported by LightNeuron allow attackers to take complete control of a server, including writing and executing files, deleting files, exfiltrating files, executing processes and commands, and disabling the backdoor for a specified number of minutes.

Advertisement. Scroll to continue reading.

Last year, ESET detailed a backdoor used by Turla to target Microsoft Outlook. That piece of malware had also used PDF files attached to emails for command and control purposes.

ESET has linked LightNeuron to Turla based on several pieces of evidence, including the presence of known Turla malware on compromised Exchange servers, the use of file names similar to ones known to be used by the group, and the use of a packer exclusively utilized by the threat actor.

In an APT trends report published last year by Kaspersky Lab, the Russian cybersecurity firm also mentioned LightNeuron and attributed it with medium confidence to Turla. Kaspersky had spotted victims in the Middle East and Central Asia.

ESET also noticed that the compromised Exchange servers received commands mostly during work hours in UTC+3, the Moscow time zone. Furthermore, the attackers apparently took a break between December 28, 2018, and January 14, 2019, when many Russians take time off to celebrate the New Year and Christmas.

Related: Turla Cyberspies Use New Dropper in G20 Attacks

Related: Turla-Linked Group Targets Embassies, Ministries

Related: Turla Linked to One of the Earliest Cyberespionage Operations

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.