The malware, called LightNeuron, is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. It has been used by Turla to target diplomatic and foreign affairs-related organizations, and the presence of certain strings in the malware suggests a Linux variant of LightNeuron exists. LightNeuron affects the Windows and Linux operating systems, and can be configured to automatically collect files under a specified directory. It uses SMTP for C2, and collects Exchange emails matching rules specified in its configuration. LightNeuron encrypts its configuration files with AES-256, and can also store email data in files and directories specified in its configuration. LightNeuron is controlled via commands that are embedded into PDFs and JPGs using steganographic methods. It can be configured to automatically exfiltrate files under a specified directory.
LightNeuron Malware Capabilities:
LightNeuron may employ a number of techniques to collect internal data from a system or network, including using a command and scripting interpreter to search for and copy specific files, using cloud APIs or command line interfaces to automatically collect data, or using application layer protocols associated with email delivery to communicate with a remote system. LightNeuron may also attempt to evade detection by matching or approximating the name or location of legitimate files, encrypting or obfuscating data, or deleting files left behind by its intrusion activity. LightNeuron may use a variety of methods to exfiltrate data from a compromised system, including scheduling data exfiltration to blend in with normal activity, exfiltrating data over an existing command and control channel, or transferring tools or other files from an external system into the compromised environment. Additionally, LightNeuron may abuse the Windows command shell or Microsoft transport agents to establish persistent access to systems, and may stage collected data in a central location prior to exfiltration. Finally, LightNeuron may use obfuscation to hide its tracks from analysis.
- The LightNeuron malware uses application layer protocols to communicate with remote systems in order to avoid detection. It also uses methods to collect internal data, such as using a command and scripting interpreter, and may match or approximate the name or location of legitimate files or resources when naming or placing them.
- LightNeuron may collect sensitive information from systems it accesses, including IP and MAC addresses, by using administration utilities such as Arp and ipconfig/ifconfig. It may also target Exchange servers, Office 365, or Google Workspace to collect email data using credentials or access tokens. To evade defenses, LightNeuron may encrypt, encode, or obfuscate its files or network traffic.
- The LightNeuron malware uses compression and encryption to hide its collected data and avoid detection. It may also delete any files left behind after its intrusion activities in order to minimize its footprint.
- LightNeuron is malware that may search local system sources for data and schedule its exfiltration to blend traffic patterns with normal activity or availability.
- LightNeuron may transfer tools or other files from an external system into a compromised environment. This may be done through the command and control channel or through alternate protocols such as FTP. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment.
- LightNeuron may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.
- LightNeuron may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails. Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer-defined tasks.
- LightNeuron may collect data and stage it in a central location or directory on the local system. It may use native OS APIs to execute behaviors, and it may use obfuscated files or information to hide artifacts of an intrusion.
- LightNeuron is malware that may use steganographic techniques to hide command and control traffic and exfiltrate data. It may collect information about the operating system and hardware to shape follow-on behaviors.
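Because a transport agent is simply a registered .NET assembly that Exchange loads into its transport pipeline, a defender's first check is the inventory of registered agents and where each assembly is loaded from. The following Python script is an added example written for this page, not code from the original page or from any analysis of LightNeuron. It audits a CSV export of that inventory and flags any agent whose assembly lives outside the Exchange agents directory. The CSV column layout, the install root `C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents`, and every agent name and path in the sample are assumptions constructed for illustration.

```python
import csv
import io

# Assumed default location of Exchange's own transport agent assemblies
# (an assumption for this example; adjust to the installation being audited).
EXCHANGE_AGENT_ROOT = r"C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents"

# Constructed sample of what a CSV export of the transport agent list could
# look like. Every identity and path here is made up for illustration; the
# last entry is the kind of record a defender wants surfaced: a plausible
# name whose assembly sits in a temp directory instead of the Exchange tree.
SAMPLE_EXPORT = r'''"Identity","Enabled","Priority","AssemblyPath"
"Transport Rule Agent","True","1","C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Rule\RuleAgent.dll"
"Malware Agent","True","2","C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\MalwareAgent.dll"
"Journaling Agent","False","3","C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Journaling\JournalingAgent.dll"
"Security Agent","True","4","C:\Windows\Temp\exsecurity.dll"
'''


def _is_under(path: str, root: str) -> bool:
    """Case-insensitive check that a Windows path sits at or below root."""
    p = path.lower().rstrip("\\")
    r = root.lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")


def audit_transport_agents(export_text: str, trusted_roots=(EXCHANGE_AGENT_ROOT,)):
    """Return (identity, assembly_path, reason) for every agent whose assembly
    is not loaded from a trusted directory. Disabled agents are reported too,
    since a registered agent can be re-enabled at any time."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        path = row["AssemblyPath"]
        if not any(_is_under(path, root) for root in trusted_roots):
            findings.append((row["Identity"], path,
                             "assembly loaded from outside the trusted agent directories"))
    return findings


if __name__ == "__main__":
    for identity, path, reason in audit_transport_agents(SAMPLE_EXPORT):
        print(f"{identity}: {reason} ({path})")
```

On a live server the export would come from the Exchange Management Shell's `Get-TransportAgent` cmdlet; the point of the check is that an agent's display name proves nothing, so each flagged assembly path should be compared against change records and the file itself examined.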
Ways to Detect and Mitigate LightNeuron Malware Capabilities
- LightNeuron malware attacks can be mitigated by analyzing network data for uncommon data flows, collecting file hashes, and performing file monitoring.
- The LightNeuron malware attack can be mitigated by taking measures to detect unusual login activity and file obfuscation. These techniques can help to identify malicious activity and prevent it from occurring.
- The LightNeuron malware attack can be mitigated in several ways. One is to monitor for command-line deletion functions that correlate with binaries or other files that an adversary may drop and remove. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.
- The LightNeuron malware attack can be mitigated by monitoring process file access patterns and network behavior, and analyzing network data for uncommon data flows. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious, as may network connections to the same destination that occur at the same time of day for multiple days. Packet contents should be analyzed to detect communications that do not follow the expected protocol behavior for the port that is being used.
- The LightNeuron malware attack can be mitigated in several ways, including monitoring for file creation and files transferred into the network, and monitoring for unusual processes with external network connections creating files on-system. Additionally, use of utilities such as FTP where it does not normally occur may be suspicious. Scripts running out of cycle from patching or other administrator functions are also suspicious.
- The LightNeuron malware attack can be mitigated by monitoring API calls, detecting the action of deobfuscating or decoding files or information, and collecting scripts for analysis. Process and command-line monitoring can also be used to detect potentially malicious behavior related to scripts and system utilities.
- The LightNeuron malware attack can be mitigated by analyzing network data for unusual data flows, monitoring process file access patterns and network behavior, and by viewing data and events as part of a chain of behavior that could lead to other activities.
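Two of the detections above are concrete enough to show in code: catching deletion activity even though DEL is a cmd.exe built-in rather than a separate process, and spotting connections to the same destination at the same time of day across several days. The following Python is an added example written for this page, not code from the original page or from any LightNeuron analysis. Both the process-creation events and the connection log it runs over are constructed inline; the paths, command lines, timestamps and TEST-NET addresses are illustrative only, and sdelete is assumed to be the kind of secure-deletion tool the text refers to.

```python
import re
from collections import defaultdict
from datetime import datetime

# --- Constructed process-creation events (two fields of what an EDR or
# Sysmon record would carry). Paths and command lines are made up.
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c del /f /q C:\Windows\Temp\stage\*.zip"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c dir C:\Users"},
    {"image": r"C:\Tools\sdelete64.exe",
     "command_line": r"sdelete64.exe -p 3 C:\Windows\Temp\stage"},
    {"image": r"C:\Windows\System32\cipher.exe",
     "command_line": r"cipher.exe /w:C:\Windows\Temp"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe notes.txt"},
]

# DEL/ERASE/RD/RMDIR are built into cmd.exe: they never appear as a child
# process, only inside cmd.exe's own command line, so a detection keyed on
# process image names alone misses them.
CMD_DELETE_BUILTINS = re.compile(r"(?:^|[\s&|(])(?:del|erase|rd|rmdir)\b", re.IGNORECASE)

# Stand-alone secure-deletion tool names (assumed for this example); cipher.exe
# is built into Windows, but its /w switch wipes free space.
SECURE_DELETE_IMAGES = {"sdelete.exe", "sdelete64.exe"}


def flag_deletion_activity(events):
    """Return (label, command_line) for each event that deletes or wipes files."""
    hits = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmdline = ev["command_line"]
        if image == "cmd.exe" and CMD_DELETE_BUILTINS.search(cmdline):
            hits.append(("cmd_builtin_delete", cmdline))
        elif image in SECURE_DELETE_IMAGES:
            hits.append(("secure_delete_tool", cmdline))
        elif image == "cipher.exe" and re.search(r"(?:^|\s)/w(?::|\s|$)", cmdline, re.IGNORECASE):
            hits.append(("secure_delete_tool", cmdline))
    return hits


# --- Constructed outbound connection log: (ISO timestamp, destination).
# 203.0.113.7 is contacted within a few seconds of 02:15 on three different
# days; 198.51.100.20 is contacted on three days at unrelated times.
NETWORK_EVENTS = [
    ("2019-05-06T02:14:58", "203.0.113.7"),
    ("2019-05-06T11:03:21", "203.0.113.7"),
    ("2019-05-07T02:15:03", "203.0.113.7"),
    ("2019-05-08T02:15:10", "203.0.113.7"),
    ("2019-05-08T02:16:40", "203.0.113.7"),
    ("2019-05-06T09:02:00", "198.51.100.20"),
    ("2019-05-07T14:40:12", "198.51.100.20"),
    ("2019-05-08T21:11:45", "198.51.100.20"),
]


def find_same_time_beacons(events, min_days=3, window_seconds=300):
    """Destinations contacted inside one window_seconds-wide time-of-day window
    on at least min_days distinct days. Returns {destination: day_count}."""
    by_dest = defaultdict(list)
    for ts, dest in events:
        t = datetime.fromisoformat(ts)
        by_dest[dest].append((t.hour * 3600 + t.minute * 60 + t.second, t.date()))
    flagged = {}
    for dest, obs in by_dest.items():
        obs.sort()  # by seconds-of-day, so a window is a contiguous run
        for i, (start, _) in enumerate(obs):
            days = {day for sod, day in obs[i:] if sod - start <= window_seconds}
            if len(days) >= min_days:
                flagged[dest] = len(days)
                break
    return flagged


if __name__ == "__main__":
    for label, cmdline in flag_deletion_activity(PROCESS_EVENTS):
        print(f"[{label}] {cmdline}")
    for dest, days in find_same_time_beacons(NETWORK_EVENTS).items():
        print(f"[same_time_of_day] {dest} contacted in the same window on {days} days")
```

The sliding window is anchored on the earliest observation in each candidate run rather than on fixed clock buckets, so a 02:14:58 and a 02:15:03 connection land in the same window instead of being split across a bucket boundary; it does not wrap across midnight, which is a known gap to close before relying on it in production.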