

LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists.[1]

ID: S0395
Platforms: Windows, Linux
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1119 | Automated Collection | LightNeuron can be configured to automatically collect files under a specified directory. [1] |
| Enterprise | T1020 | Automated Exfiltration | LightNeuron can be configured to automatically exfiltrate files under a specified directory. [1] |
| Enterprise | T1059 | Command-Line Interface | LightNeuron is capable of executing commands via cmd.exe. [1] |
| Enterprise | T1022 | Data Encrypted | LightNeuron contains a function to encrypt and store emails that it collects. [1] |
| Enterprise | T1005 | Data from Local System | LightNeuron can collect files from a local system. [1] |
| Enterprise | T1001 | Data Obfuscation | LightNeuron is controlled via commands that are embedded into PDFs and JPGs using steganographic methods. [1] |
| Enterprise | T1074 | Data Staged | LightNeuron can store email data in files and directories specified in its configuration, such as C:\Windows\ServiceProfiles\NetworkService\appdata\Local\Temp\. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | LightNeuron has used AES and XOR to decrypt configuration files and commands. [1] |
| Enterprise | T1114 | Email Collection | LightNeuron collects emails matching rules specified in its configuration. [1] |
| Enterprise | T1106 | Execution through API | LightNeuron is capable of starting a process using CreateProcess. [1] |
| Enterprise | T1041 | Exfiltration Over Command and Control Channel | LightNeuron exfiltrates data over its email C2 channel. [1] |
| Enterprise | T1107 | File Deletion | LightNeuron has a function to delete files. [1] |
| Enterprise | T1036 | Masquerading | LightNeuron has used filenames associated with Exchange and Outlook for binary and configuration files, such as winmail.dat. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | LightNeuron encrypts its configuration files with AES-256. [1] |
| Enterprise | T1105 | Remote File Copy | LightNeuron has the ability to download and execute additional files. [1] |
| Enterprise | T1029 | Scheduled Transfer | LightNeuron can be configured to exfiltrate data during nighttime or working hours. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | LightNeuron uses SMTP for C2. [1] |
| Enterprise | T1032 | Standard Cryptographic Protocol | LightNeuron uses AES to encrypt C2 traffic. [1] |
| Enterprise | T1082 | System Information Discovery | LightNeuron gathers the victim computer name using the Win32 API call GetComputerName. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | LightNeuron gathers information about network adapters using the Win32 API call GetAdaptersInfo. [1] |
| Enterprise | T1493 | Transmitted Data Manipulation | LightNeuron is capable of modifying email content, headers, and attachments during transit. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0010 | Turla | [1] |