Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

LightNeuron

LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists.(Citation: ESET LightNeuron May 2019)

ID: S0395

Type: MALWARE

Platforms: Windows

Version: 1.1

Created: 28 Jun 2019

Last Modified: 30 Mar 2020

Domain	ID		Name	Use
Techniques Used
Enterprise	T1071	.003	Application Layer Protocol: Mail Protocols	LightNeuron uses SMTP for C2.(Citation: ESET LightNeuron May 2019)
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	LightNeuron is capable of executing commands via cmd.exe.(Citation: ESET LightNeuron May 2019)
Enterprise	T1565	.002	Data Manipulation: Transmitted Data Manipulation	LightNeuron is capable of modifying email content, headers, and attachments during transit.(Citation: ESET LightNeuron May 2019)
Enterprise	T1001	.002	Data Obfuscation: Steganography	LightNeuron is controlled via commands that are embedded into PDFs and JPGs using steganographic methods.(Citation: ESET LightNeuron May 2019)
Enterprise	T1074	.001	Data Staged: Local Data Staging	LightNeuron can store email data in files and directories specified in its configuration, such as `C:\Windows\ServiceProfiles\NetworkService\appdata\Local\Temp\`.(Citation: ESET LightNeuron May 2019)
Enterprise	T1114	.002	Email Collection: Remote Email Collection	LightNeuron collects Exchange emails matching rules specified in its configuration.(Citation: ESET LightNeuron May 2019)
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	LightNeuron uses AES to encrypt C2 traffic.(Citation: ESET LightNeuron May 2019)
Enterprise	T1070	.004	Indicator Removal: File Deletion	LightNeuron has a function to delete files.(Citation: ESET LightNeuron May 2019)
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	LightNeuron has used filenames associated with Exchange and Outlook for binary and configuration files, such as `winmail.dat`.(Citation: ESET LightNeuron May 2019)
Enterprise	T1505	.002	Server Software Component: Transport Agent	LightNeuron has used a malicious Microsoft Exchange transport agent for persistence.(Citation: ESET LightNeuron May 2019)

ID	Name	References
Groups That Use This Software
G0010	Turla	(Citation: ESET LightNeuron May 2019) (Citation: Secureworks IRON HUNTER Profile)

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

LightNeuron

Techniques Used

Groups That Use This Software

References