LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists.[1]
| Domain | ID | Sub-technique | Name | Use |
|---|---|---|---|---|
| Enterprise | T1005 | | Data from Local System | LightNeuron can collect files from a local system.[1] |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location | LightNeuron has used filenames associated with Exchange and Outlook for binary and configuration files, such as |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography | LightNeuron uses AES to encrypt C2 traffic.[1] |
| Enterprise | T1140 | | Deobfuscate/Decode Files or Information | LightNeuron has used AES and XOR to decrypt configuration files and commands.[1] |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | LightNeuron is capable of executing commands via cmd.exe.[1] |
| Enterprise | T1071 | .003 | Application Layer Protocol: Mail Protocols | LightNeuron uses SMTP for C2.[1] |
| Enterprise | T1560 | | Archive Collected Data | LightNeuron contains a function to encrypt and store emails that it collects.[1] |
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging | LightNeuron can store email data in files and directories specified in its configuration, such as |
| Enterprise | T1565 | .002 | Data Manipulation: Transmitted Data Manipulation | LightNeuron is capable of modifying email content, headers, and attachments during transit.[1] |
| Enterprise | T1001 | .002 | Data Obfuscation: Steganography | LightNeuron is controlled via commands that are embedded into PDFs and JPGs using steganographic methods.[1] |
| Enterprise | T1505 | .002 | Server Software Component: Transport Agent | LightNeuron has used a malicious Microsoft Exchange transport agent for persistence.[1] |
| Enterprise | T1106 | | Native API | LightNeuron is capable of starting a process using CreateProcess.[1] |
| Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File | LightNeuron encrypts its configuration files with AES-256.[1] |
| Enterprise | T1114 | .002 | Email Collection: Remote Email Collection | LightNeuron collects Exchange emails matching rules specified in its configuration.[1] |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion | LightNeuron has a function to delete files.[1] |
| Enterprise | T1082 | | System Information Discovery | LightNeuron gathers the victim computer name using the Win32 API call |
| Enterprise | T1016 | | System Network Configuration Discovery | LightNeuron gathers information about network adapters using the Win32 API call |
| Enterprise | T1119 | | Automated Collection | LightNeuron can be configured to automatically collect files under a specified directory.[1] |
| Enterprise | T1020 | | Automated Exfiltration | LightNeuron can be configured to automatically exfiltrate files under a specified directory.[1] |
| Enterprise | T1105 | | Ingress Tool Transfer | LightNeuron has the ability to download and execute additional files.[1] |
| Enterprise | T1041 | | Exfiltration Over C2 Channel | LightNeuron exfiltrates data over its email C2 channel.[1] |
| Enterprise | T1029 | | Scheduled Transfer | LightNeuron can be configured to exfiltrate data during nighttime or working hours.[1] |
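A host-side check for the T1505.002 row above, added here as an example and not taken from the ATT&CK entry or the ESET report it cites: parse the file in which Exchange records installed transport agents and flag any agent whose assembly loads from outside the Exchange agents directory, whose factory class is outside the `Microsoft.Exchange.` namespace, or whose DLL hash is not on a known-good allowlist. Because the page notes that LightNeuron reuses Exchange-like filenames, the name and namespace checks are treated as weak signals and the path and hash checks carry the weight. Assumptions, all labelled in the code: the `agents.config` layout (an `<agentList>` of `<agent>` elements with `name`, `classFactory`, `assemblyPath` and `enabled` attributes, which to my recollection lives under `%ExchangeInstallPath%\TransportRoles\Shared\`), the default install path, and every agent name and path in the sample, which is constructed rather than taken from a real server.

```python
"""Flag transport agents in an Exchange agents.config that do not look built in.

Added detection example (not from the ATT&CK page or the ESET report).
ASSUMPTIONS: the XML layout below, the default install path, and the sample
entries are reconstructed/constructed and must be checked against a real host.
"""
import hashlib
import os
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Assumed default install root of Exchange 2013+ (verify on the target server).
EXCHANGE_INSTALL = r"C:\Program Files\Microsoft\Exchange Server\V15"

# On a real server, fill this from a known-clean build; empty here so the
# hash check only reports when a DLL actually exists on disk.
KNOWN_GOOD_SHA256 = set()

# Constructed sample: two entries shaped like built-in agents and one rogue
# entry that copies the Microsoft.Exchange naming but loads from C:\Windows\Temp.
SAMPLE_AGENTS_CONFIG = r"""<configuration>
  <mexRuntime>
    <agentList>
      <agent name="Transport Rule Agent"
             baseType="Microsoft.Exchange.Data.Transport.Routing.RoutingAgent"
             classFactory="Microsoft.Exchange.MessagingPolicies.TransportRuleAgent.TransportRuleAgentFactory"
             assemblyPath="C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Rule\Microsoft.Exchange.MessagingPolicies.TransportRuleAgent.dll"
             enabled="true" />
      <agent name="Malware Agent"
             baseType="Microsoft.Exchange.Data.Transport.Routing.RoutingAgent"
             classFactory="Microsoft.Exchange.Transport.Agent.Malware.MalwareAgentFactory"
             assemblyPath="C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Malware.dll"
             enabled="true" />
      <agent name="Exchange Transport Log Agent"
             baseType="Microsoft.Exchange.Data.Transport.Routing.RoutingAgent"
             classFactory="Microsoft.Exchange.Transport.Agent.Log.LogAgentFactory"
             assemblyPath="C:\Windows\Temp\Microsoft.Exchange.Transport.Agent.Log.dll"
             enabled="true" />
    </agentList>
  </mexRuntime>
</configuration>
"""


def sha256_of(path):
    """SHA-256 of a file on disk, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_under(path, parent):
    """True if the Windows path lies inside parent (case-insensitive)."""
    try:
        PureWindowsPath(path.lower()).relative_to(PureWindowsPath(parent.lower()))
        return True
    except ValueError:
        return False


def find_suspicious_agents(xml_text, install_path=EXCHANGE_INSTALL):
    """Return a list of findings, one per agent that fails any check."""
    agents_dir = str(PureWindowsPath(install_path, "TransportRoles", "agents"))
    findings = []
    for agent in ET.fromstring(xml_text).iter("agent"):
        assembly = agent.get("assemblyPath", "")
        factory = agent.get("classFactory", "")
        reasons = []
        # Strong signal: a legitimate agent assembly lives under the agents tree.
        if not is_under(assembly, agents_dir):
            reasons.append("assembly outside " + agents_dir)
        # Weak signal: names are trivially spoofed, so this is advisory only.
        if not factory.startswith("Microsoft.Exchange."):
            reasons.append("classFactory outside Microsoft.Exchange namespace")
        # Strong signal when the DLL is present: compare against the allowlist.
        if os.path.isfile(assembly):
            digest = sha256_of(assembly)
            if digest not in KNOWN_GOOD_SHA256:
                reasons.append("sha256 not in allowlist: " + digest)
        if reasons:
            findings.append({
                "name": agent.get("name", ""),
                "assemblyPath": assembly,
                "enabled": agent.get("enabled"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_agents(SAMPLE_AGENTS_CONFIG):
        print(finding["name"], finding["assemblyPath"], "; ".join(finding["reasons"]))
```

Run it against the real `agents.config` from each Exchange server (the sample embedded here is only for a dry run), and compare the output with `Get-TransportAgent` from the Exchange Management Shell, since an agent that shows up in one but not the other is itself worth a look. The hash step is what matters once an attacker has dropped the DLL inside the agents directory with a plausible name: in that case the path and namespace checks both pass, and only a populated allowlist from a known-clean build will catch it.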