LightNeuron is a backdoor specifically designed to target Microsoft Exchange mail servers. It permits attackers to read and reroute all email passing through the server and execute commands on the server hidden in incoming email attachments.
A recent paper published by ESET describes how the malware functions and the risks it poses. The researcher says:
“LightNeuron is a piece of malware specifically designed to target Microsoft Exchange servers. It has two facets: spying on emails and acting as a full-feature backdoor. While rootkits and bootkits have an unmatched stealthiness in the malware domain, LightNeuron is uncommonly stealthy for “regular” malware. To our knowledge, leveraging a Microsoft Exchange Transport Agent for persistence is something unique and never before seen. The Command and Control protocol is fully based on emails and uses Steganography to store data in PDF and JPG attachments. Given that, in the Microsoft Exchange architecture, the malware is installed at the same level as anti-spam and other email security solutions, it allows the malware to bypass them easily. Using a nearly undetectable Command and Control channel allows the malware to stay under the radar for a long period.”
Steganography is the practice of concealing a file or message within another file such as an image, video or PDF document. Because the malware's command and control traffic travels inside ordinary email attachments rather than over HTTP, it is not picked up by the network Intrusion Detection Systems typically deployed on corporate networks, which look for suspicious web traffic.
LightNeuron functions by acting as a Transport Agent within the Exchange Server. Microsoft Exchange allows its functionality to be extended through Transport Agents supplied by Microsoft and third parties. Typically Transport Agents perform functions such as filtering spam, scanning for malware in attachments and adding disclaimers and signatures to outbound emails.
Malicious Transport Agents can be installed by the execution of PowerShell commands on the Exchange server.
Removing LightNeuron is not a simple task: deleting the malware executable on its own will render the Exchange Server inoperable, so the malicious Transport Agent must first be removed from the Exchange configuration. Instructions explaining how to remove the LightNeuron malware are provided in the paper from ESET.
The first step in a LightNeuron attack is for the attackers to obtain a foothold in the target network using more common malware tactics such as spear-phishing or malicious email attachments. If a foothold can be established anywhere in the network, this can then be leveraged to explore the network and to eventually gain administrative access to the Exchange server to install LightNeuron.
System Administrators can protect their networks from LightNeuron and similar malware with the following measures:
- Use dedicated accounts (and monitor their use) for the administration of Exchange servers, with strong, unique passwords and two-factor authentication.
- Restrict PowerShell execution.
- Regularly check that all the installed Transport Agents are signed by a trusted provider by reviewing the contents of <ExchangeInstallFolder>\TransportRoles\Agents\agents.config.
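The following script is an added example of the last check above; it is not code from the article or from the ESET paper. It runs in the Exchange Management Shell, enumerates the registered Transport Agents with Get-TransportAgent (which reads the same registration that agents.config holds), and verifies the Authenticode signature of each agent's assembly. It assumes that the objects returned by Get-TransportAgent expose an AssemblyPath property and that $TrustedSigners is maintained by you to include the certificate subjects of any third-party agents your organization has deliberately installed.

```powershell
# Added example: audit the Transport Agents registered on an Exchange server.
# Run from the Exchange Management Shell; Get-TransportAgent is an Exchange cmdlet.
# Assumption: your legitimately installed third-party agents are listed in
# $TrustedSigners; anything else that is unsigned or signed by another publisher
# is reported for investigation (do not simply delete the DLL; follow the
# removal steps in the ESET paper instead).

$TrustedSigners = @(
    'CN=Microsoft Corporation'   # built-in Exchange agents are Microsoft-signed
    # add the certificate subject of your anti-spam / DLP vendor here
)

$report = foreach ($agent in Get-TransportAgent) {
    $path   = $agent.AssemblyPath      # assumed property name
    $status = 'MissingFile'
    $signer = $null

    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    # Trusted only if the signature is valid AND the signer is on our list
    $trusted = [bool](($status -eq 'Valid') -and
                      ($TrustedSigners | Where-Object { $signer -like "*$_*" }))

    [pscustomobject]@{
        Identity        = $agent.Identity
        Enabled         = $agent.Enabled
        Priority        = $agent.Priority
        AssemblyPath    = $path
        SignatureStatus = $status
        Signer          = $signer
        Suspicious      = -not $trusted
    }
}

# Full inventory, in pipeline order, for the change record
$report | Sort-Object Priority | Format-Table -AutoSize

# Anything unsigned, invalidly signed, missing on disk, or signed by an
# unlisted publisher needs a closer look
$flagged = $report | Where-Object Suspicious
if ($flagged) {
    Write-Warning 'Transport agents not signed by a listed trusted publisher:'
    $flagged | Format-List Identity, Enabled, AssemblyPath, SignatureStatus, Signer
}
```

Running this on a schedule and diffing the inventory against a known-good baseline turns the manual review of agents.config into a repeatable check; a new agent appearing between runs, or an existing agent whose assembly path or signer changes, is the event worth alerting on.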