
S0395 LightNeuron

LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists. [1]

ID: S0395
Associated Names:
Type: MALWARE
Version: 1.1
Created: 28 June 2019
Last Modified: 30 March 2020

Techniques Used

Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.003 | Mail Protocols | LightNeuron uses SMTP for C2. [1]
enterprise | T1560 | Archive Collected Data | LightNeuron contains a function to encrypt and store emails that it collects. [1]
enterprise | T1119 | Automated Collection | LightNeuron can be configured to automatically collect files under a specified directory. [1]
enterprise | T1020 | Automated Exfiltration | LightNeuron can be configured to automatically exfiltrate files under a specified directory. [1]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | LightNeuron is capable of executing commands via cmd.exe. [1]
enterprise | T1005 | Data from Local System | LightNeuron can collect files from a local system. [1]
enterprise | T1565 | Data Manipulation | -
enterprise | T1565.002 | Transmitted Data Manipulation | LightNeuron is capable of modifying email content, headers, and attachments during transit. [1]
enterprise | T1001 | Data Obfuscation | -
enterprise | T1001.002 | Steganography | LightNeuron is controlled via commands that are embedded into PDFs and JPGs using steganographic methods. [1]
enterprise | T1074 | Data Staged | -
enterprise | T1074.001 | Local Data Staging | LightNeuron can store email data in files and directories specified in its configuration, such as C:\Windows\ServiceProfiles\NetworkService\appdata\Local\Temp\. [1]
enterprise | T1140 | Deobfuscate/Decode Files or Information | LightNeuron has used AES and XOR to decrypt configuration files and commands. [1]
enterprise | T1114 | Email Collection | -
enterprise | T1114.002 | Remote Email Collection | LightNeuron collects Exchange emails matching rules specified in its configuration. [1]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.001 | Symmetric Cryptography | LightNeuron uses AES to encrypt C2 traffic. [1]
enterprise | T1041 | Exfiltration Over C2 Channel | LightNeuron exfiltrates data over its email C2 channel. [1]
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.004 | File Deletion | LightNeuron has a function to delete files. [1]
enterprise | T1105 | Ingress Tool Transfer | LightNeuron has the ability to download and execute additional files. [1]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Name or Location | LightNeuron has used filenames associated with Exchange and Outlook for binary and configuration files, such as winmail.dat. [1]
enterprise | T1106 | Native API | LightNeuron is capable of starting a process using CreateProcess. [1]
enterprise | T1027 | Obfuscated Files or Information | LightNeuron encrypts its configuration files with AES-256. [1]
enterprise | T1029 | Scheduled Transfer | LightNeuron can be configured to exfiltrate data during nighttime or working hours. [1]
enterprise | T1505 | Server Software Component | -
enterprise | T1505.002 | Transport Agent | LightNeuron has used a malicious Microsoft Exchange transport agent for persistence. [1]
enterprise | T1082 | System Information Discovery | LightNeuron gathers the victim computer name using the Win32 API call GetComputerName. [1]
enterprise | T1016 | System Network Configuration Discovery | LightNeuron gathers information about network adapters using the Win32 API call GetAdaptersInfo. [1]

Groups That Use This Software

ID | Name | References
G0010 | Turla | [1] [2]

References