Hello, welcome to the Thursday, May 9th, 2019 edition of the San Center Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm quoting from San Diego, California.

In case you're ever running out of interesting Malware to analyze, Pratt has a new game for you email roulette that he's playing using virus totals threat

intelligence service. With the service, he went through recent submissions and found an

interesting email in Korean debt that then included ransomware. Brad also shows how to actually get the email message that belongs to the particular attachment

that was flagged by these antivirus engines.

The malware itself turned out to be yet another version of Gant Crab,

which is sort of one of the big ransomer families going around today.

And ESET security came across an interesting, stealthy backdoor in Microsoft Exchange servers

that they're calling Light Neuron. Now the trick here is that this software installs itself

as a mail transport agent, so it really is a module in that way in Microsoft Exchange running

as a system. Once installed as a mail transport agent, this particular module has access to all emails.

It's also able to send emails via the Exchange Server, and this is also then used as a command and control channel.

In order to send a command to Light Neurone, the attacker has to send, for example, a PDF or a JPEC that

will include instructions for LightNoron that it will then execute. So for a Mail Server, this

is way more stealthy than anything else like HTTP requests or DNS and the like, because, well, you would expect

a mail server to receive and send email.

And the emails themselves, of course, look just like any other email, just that they have

this JPEC or PDF attachment, which again isn't in itself all that suspicious.

And to further evade detection, the light neuron is also quite selective in what emails

it will actually crap and forward. Apparently, this particular malware has been going

around for about four years now

...