Attacks of the hacker group Turla unmasked

Eset researchers have discovered a new espionage program that can be traced back to the Turla cyber espionage group.


The current case involves a new backdoor called LightNeuron, which targets Microsoft Exchange Server and is attributed to Turla, an Advanced Persistent Threat (APT) group. It is the first known malicious program to abuse the Exchange transport agent mechanism. This allows Turla (also called Snake or Uroburos) to read, modify or block any email passing through the mail server, and even to send messages on behalf of legitimate users. So far, the backdoor is known to have been used against targets in Europe, the Middle East and Brazil.

"Kernel rootkits used to be a tried-and-true tool for successful APTs. But these have become less important as security architecture in operating systems has improved. Backdoors like LightNeuron could fill this gap and become the holy grail of cybercriminals," explained Thomas Uhlemann, Eset Security Specialist. "With the new malware, Turla fraudulently obtains extensive access rights on the Exchange Server and thus takes full control of the attacked organization's entire email communication."

Attacks on Exchange Server

According to the analyses, the backdoor has been active since 2014. What is new about this spyware is that it installs a malicious transport agent in Microsoft Exchange. Once installed, it processes all incoming and outgoing emails. Transport agents are normally used for legitimate purposes such as spam filtering. To send commands to the spyware, the criminals use specially crafted emails with PDF and JPG files attached; the commands are hidden inside these files using steganographic techniques.
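Because LightNeuron lives inside the transport pipeline rather than in a separate process, the defender's first check is an inventory of the transport agents registered on each Exchange server. The following PowerShell is an added example written for this page, not code from Eset or from the report: it assumes an Exchange Management Shell session where Get-TransportAgent is available, that the ExchangeInstallPath environment variable points at the Exchange installation directory, and that the KnownAgent allowlist is maintained by the operator (the two names in it are illustrative, not an authoritative list of defaults). It flags agents whose assembly sits outside the Exchange install tree, whose name is not on the reviewed allowlist, or whose DLL lacks a valid Authenticode signature.

```powershell
# Added example (not from the Eset report): inventory Exchange transport agents and
# surface the ones that do not look like they belong to Exchange itself.
# Assumptions: Exchange Management Shell (Get-TransportAgent), $env:ExchangeInstallPath
# set by Exchange setup, and an operator-maintained allowlist in -KnownAgent.
function Get-SuspiciousTransportAgent {
    [CmdletBinding()]
    param(
        # Agent objects to examine; by default whatever the server reports.
        [Parameter(ValueFromPipeline = $true)]
        [object[]] $Agent = (Get-TransportAgent),

        # Directory under which legitimate agent assemblies are expected to live.
        [string] $ExchangeRoot = $env:ExchangeInstallPath,

        # Agent names the organisation has reviewed and accepted (assumed example values;
        # build the real list from a known-good server of the same Exchange version).
        [string[]] $KnownAgent = @('Transport Rule Agent', 'Malware Agent')
    )
    process {
        foreach ($a in $Agent) {
            $reasons = @()
            $path = [string] $a.AssemblyPath

            # 1. Assembly loaded from somewhere other than the Exchange install tree.
            if ($path -and $ExchangeRoot -and
                -not $path.StartsWith($ExchangeRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "assembly outside Exchange install dir: $path"
            }

            # 2. Agent name nobody has reviewed.
            if ($KnownAgent -notcontains $a.Identity) {
                $reasons += 'agent name not on reviewed allowlist'
            }

            # 3. DLL present on disk but not carrying a valid Authenticode signature.
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') {
                    $reasons += "assembly signature status: $($sig.Status)"
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Identity = $a.Identity
                    Enabled  = $a.Enabled
                    Priority = $a.Priority
                    Assembly = $path
                    Factory  = $a.TransportAgentFactory
                    Reasons  = ($reasons -join '; ')
                }
            }
        }
    }
}

# Constructed sample input so the function can be exercised without an Exchange server.
# Paths and names below are made up for illustration.
$sample = @(
    [pscustomobject]@{
        Identity = 'Transport Rule Agent'; Enabled = $true; Priority = 1
        AssemblyPath = 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Rule\Microsoft.Exchange.MessagingPolicies.TransportRuleAgent.dll'
        TransportAgentFactory = 'Microsoft.Exchange.MessagingPolicies.TransportRuleAgent.TransportRuleAgentFactory'
    }
    [pscustomobject]@{
        Identity = 'Example Agent'; Enabled = $true; Priority = 7
        AssemblyPath = 'C:\Windows\Temp\example-agent.dll'   # placeholder path
        TransportAgentFactory = 'Example.AgentFactory'      # placeholder factory name
    }
)

# Only the second object is returned: it is outside the install tree and not on the allowlist.
$sample |
    Get-SuspiciousTransportAgent -ExchangeRoot 'C:\Program Files\Microsoft\Exchange Server\V15\' |
    Format-List
```

Run it on every Mailbox and Edge Transport server, not just one, and compare the output with a freshly installed server of the same Exchange version rather than trusting the illustrative allowlist; an agent that is registered on one server only, or whose assembly path or factory name differs between servers, deserves a closer look.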

Europe is also among the targets

Turla is one of the oldest cyber espionage groups, with more than a decade of activity. The group focuses mainly on high-profile targets such as governments, commercial enterprises and diplomatic institutions in Europe, Central Asia and the Middle East. Major organizations such as the German Foreign Office, the U.S. Department of Defense, the Swiss defense contractor Ruag and the French Army have already been successfully infiltrated by Turla. With LightNeuron, the cyber spies are currently targeting foreign ministries and diplomatic missions in Eastern Europe and the Middle East. Whether there are other targets is currently unclear. According to Eset's assessment, extending the campaign to Western Europe would pose no technical obstacle for the Turla espionage group.

The full findings are available on WeLiveSecurity.
