The worm Uroburos returns. (Through the backdoor.)
ESET published details on LightNeuron, a sophisticated backdoor developed by the Russian cyber espionage group Turla (WeLiveSecurity). The malware is installed as a transport agent in victims' Microsoft Exchange servers. ESET says this is a novel persistence technique which allows the malware to operate "at the same level of trust as security products such as spam filters." As a result, LightNeuron can read, modify, or block any inbound or outbound email before it reaches its recipient. It can also create and send new emails from the server.
The attackers could control the Exchange server by sending commands steganographically hidden inside PDF and JPG email attachments. When an email containing one such file is sent to a compromised organization, LightNeuron will check for a signature. If it doesn't find a match, the email is sent on to its destination. If the signature is met, the malware will decode and execute the attackers' command in the attachment. The email is then blocked before leaving the server, so no one at the organization actually receives the message.
Kaspersky Lab briefly mentioned LightNeuron in July of last year, and attributed it to Turla with medium confidence (ZDNet). ESET says the two known victims of LightNeuron were a foreign ministry in Eastern Europe and a regional diplomatic organization in the Middle East. An unknown organization in Brazil also fell victim to the malware, as indicated by a sample uploaded to VirusTotal from that country (Dark Reading).
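Because LightNeuron persists as an Exchange transport agent, the defender's first check is simply to enumerate the agents registered on each server and review any that were not installed by Exchange itself or a known vendor. The script below is an added example written for this summary; it is not code from ESET's report and not a Microsoft recommendation. It assumes it is run in the Exchange Management Shell (so `Get-TransportAgent` is available), that the `ExchangeInstallPath` environment variable is set as it is on Exchange servers, and that the heuristics (assembly outside the Exchange directory, missing or non-Microsoft Authenticode signature) are suitable triage rules for your environment.

```powershell
# Added defender-side check (not from the original report): list Exchange
# transport agents and flag any whose assembly is not on disk, lives outside
# the Exchange install directory, or is not validly signed by Microsoft.
# Assumptions: run from the Exchange Management Shell; $env:ExchangeInstallPath
# is set; the triage rules below are this example's own choice.

$exchangeRoot = $env:ExchangeInstallPath
if (-not $exchangeRoot) {
    throw "ExchangeInstallPath not set; run this in the Exchange Management Shell"
}

$findings = foreach ($agent in Get-TransportAgent) {
    # The per-identity call exposes AssemblyPath and TransportAgentFactory
    $detail  = Get-TransportAgent -Identity $agent.Identity
    $path    = $detail.AssemblyPath
    $reasons = @()

    if (-not $path -or -not (Test-Path -Path $path)) {
        $reasons += "assembly path missing or not on disk"
    }
    else {
        if ($path -notlike "$exchangeRoot*") {
            $reasons += "assembly outside Exchange install directory"
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $reasons += "Authenticode status: $($sig.Status)"
        }
        elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $reasons += "signed by non-Microsoft publisher: $($sig.SignerCertificate.Subject)"
        }
    }

    [pscustomobject]@{
        Identity   = $agent.Identity
        Enabled    = $agent.Enabled
        Priority   = $agent.Priority
        Factory    = $detail.TransportAgentFactory
        Assembly   = $path
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Full inventory for the baseline, plus a CSV of only the entries worth a look
$findings | Sort-Object Priority | Format-Table -AutoSize
$findings | Where-Object Suspicious |
    Export-Csv -Path .\transport-agent-review.csv -NoTypeInformation
```

Legitimate third-party agents (anti-spam and anti-malware products register exactly this way, which is the point ESET makes about the level of trust involved) will also appear in the review list, so the output is a triage queue to compare against a recorded baseline, not a verdict. Any agent whose assembly you cannot tie to an approved product deserves the same scrutiny as an unknown service binary.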
The Middle Kingdom's contractor strikes back.
A report by Symantec revealed Monday that the Chinese cyber espionage group Buckeye, also known as APT3 or Gothic Panda, was using tools and exploits from the Equation Group (generally thought to be an NSA operation) in 2016, at least a year before the Shadow Brokers leaks in 2017. Symantec researchers believe the most likely explanation is that Buckeye reverse engineered the tools after observing an Equation Group operation.
Specifically, what Buckeye got was the DoublePulsar backdoor and the Bemstour installation tool. It did not use them against US targets, either because Buckeye assumed the Americans would be wise to their own exploits or because Buckeye wished to avoid tipping its hand to Fort Meade. Instead, the threat actor targeted scientific research and educational institutions in Belgium, Luxembourg, Vietnam, the Philippines and Hong Kong. In at least one case government networks were also attacked.
Buckeye is generally held to be a contractor in Guangzhou working for China’s Ministry of State Security. The company is the Guangzhou Bo Yu Information Technology Company, also known as Boyusec. Three Boyusec employees were indicted by the US in November 2017 on charges of "computer hacking, theft of trade secrets, conspiracy and identity theft directed at U.S. and foreign employees and computers of three corporate victims in the financial, engineering and technology industries between 2011 and May 2017." Boyusec went quiet after the Justice Department went noisy, and there has been speculation that the company had shut down. But as Symantec pointed out, if Boyusec is out of the business, then who's using the tools? Either Boyusec is back, or it never went away, or it shared its tools with someone else. As a Symantec researcher put it, "People come and go. The tools live on."