LightNeuron

LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists.(Citation: ESET LightNeuron May 2019)
ID: S0395
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 28 Jun 2019
Last Modified: 30 Mar 2020

Techniques Used

Domain | ID | Name | Use

Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols

LightNeuron uses SMTP for C2.(Citation: ESET LightNeuron May 2019)

Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell

LightNeuron is capable of executing commands via cmd.exe.(Citation: ESET LightNeuron May 2019)

Enterprise | T1565.002 | Data Manipulation: Transmitted Data Manipulation

LightNeuron is capable of modifying email content, headers, and attachments during transit.(Citation: ESET LightNeuron May 2019)

Enterprise | T1001.002 | Data Obfuscation: Steganography

LightNeuron is controlled via commands that are embedded into PDFs and JPGs using steganographic methods.(Citation: ESET LightNeuron May 2019)

Enterprise | T1074.001 | Data Staged: Local Data Staging

LightNeuron can store email data in files and directories specified in its configuration, such as C:\Windows\ServiceProfiles\NetworkService\appdata\Local\Temp\.(Citation: ESET LightNeuron May 2019)

Enterprise | T1114.002 | Email Collection: Remote Email Collection

LightNeuron collects Exchange emails matching rules specified in its configuration.(Citation: ESET LightNeuron May 2019)

Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography

LightNeuron uses AES to encrypt C2 traffic.(Citation: ESET LightNeuron May 2019)

Enterprise | T1070.004 | Indicator Removal: File Deletion

LightNeuron has a function to delete files.(Citation: ESET LightNeuron May 2019)

Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location

LightNeuron has used filenames associated with Exchange and Outlook for binary and configuration files, such as winmail.dat.(Citation: ESET LightNeuron May 2019)

Enterprise | T1505.002 | Server Software Component: Transport Agent

LightNeuron has used a malicious Microsoft Exchange transport agent for persistence.(Citation: ESET LightNeuron May 2019)

Groups That Use This Software

ID | Name | References

G0010 | Turla | (Citation: ESET LightNeuron May 2019) (Citation: Secureworks IRON HUNTER Profile)
