The sub-techniques beta is now live! Read the release blog post for more info.


LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists.[1]

ID: S0395
Platforms: Windows, Linux
Version: 1.0
Created: 28 June 2019
Last Modified: 16 July 2019

Techniques Used

Domain ID Name Use
Enterprise T1119 Automated Collection

LightNeuron can be configured to automatically collect files under a specified directory.[1]

Enterprise T1020 Automated Exfiltration

LightNeuron can be configured to automatically exfiltrate files under a specified directory.[1]

Enterprise T1059 Command-Line Interface

LightNeuron is capable of executing commands via cmd.exe.[1]

Enterprise T1022 Data Encrypted

LightNeuron contains a function to encrypt and store emails that it collects.[1]

Enterprise T1005 Data from Local System

LightNeuron can collect files from a local system.[1]

Enterprise T1001 Data Obfuscation

LightNeuron is controlled via commands that are embedded into PDFs and JPGs using steganographic methods.[1]

Enterprise T1074 Data Staged

LightNeuron can store email data in files and directories specified in its configuration, such as C:\Windows\ServiceProfiles\NetworkService\appdata\Local\Temp\.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

LightNeuron has used AES and XOR to decrypt configuration files and commands.[1]

Enterprise T1114 Email Collection

LightNeuron collects emails matching rules specified in its configuration.[1]

Enterprise T1106 Execution through API

LightNeuron is capable of starting a process using CreateProcess.[1]

Enterprise T1041 Exfiltration Over Command and Control Channel

LightNeuron exfiltrates data over its email C2 channel.[1]

Enterprise T1107 File Deletion

LightNeuron has a function to delete files.[1]

Enterprise T1036 Masquerading

LightNeuron has used filenames associated with Exchange and Outlook for binary and configuration files, such as winmail.dat.[1]

Enterprise T1027 Obfuscated Files or Information

LightNeuron encrypts its configuration files with AES-256.[1]

Enterprise T1105 Remote File Copy

LightNeuron has the ability to download and execute additional files.[1]

Enterprise T1029 Scheduled Transfer

LightNeuron can be configured to exfiltrate data during nighttime or working hours.[1]

Enterprise T1505 Server Software Component

LightNeuron uses a malicious Microsoft Exchange transport agent for persistence.[1]

Enterprise T1071 Standard Application Layer Protocol

LightNeuron uses SMTP for C2.[1]

Enterprise T1032 Standard Cryptographic Protocol

LightNeuron uses AES to encrypt C2 traffic.[1]

Enterprise T1082 System Information Discovery

LightNeuron gathers the victim computer name using the Win32 API call GetComputerName.[1]

Enterprise T1016 System Network Configuration Discovery

LightNeuron gathers information about network adapters using the Win32 API call GetAdaptersInfo.[1]

Enterprise T1493 Transmitted Data Manipulation

LightNeuron is capable of modifying email content, headers, and attachments during transit.[1]

Groups That Use This Software

ID Name References
G0010 Turla [1]