Turla's Light Neuron malware, which targets Microsoft Exchange servers, has made a few appearances in the past few days (August 2019). Below are our YARA rules for Turla's Light Neuron; feel free to modify them, and of course, happy hunting!
// Turla LightNeuron YARA rules (MalCrawler). Two components are covered:
//   - turla_LightNeuron_dll:         native DLL, matched on code bytes and a service-profile path
//   - turla_LightNeuron_transporter: .NET Exchange transport-agent loader, matched on type names
// Whitespace in hex patterns is ignored by YARA, so the byte groupings below
// are cosmetic; every pattern is byte-for-byte the original.

rule turla_LightNeuron_dll
{
    meta:
        author  = "MalCrawler"
        twitter = "@malcrawler"
        date    = "08/19/2019"
        Malware = "LightNeuron"
        Group   = "Turla"
        // Sample hashes as published by the author (32 hex digits, MD5 length)
        hash1   = "031782fccc281aca377cef1d6d6ffc6b"
        hash2   = "5924eac8af1f3e3f1f825998bc59c062"
        hash3   = "9456197d0f8b6cabfea5f02ffb0176dd"

    strings:
        // DOS/PE magic; the condition anchors it at file offset 0
        $mzhdr = "MZ"

        // x86-64 code bytes, decoded as:
        //   cmp [rsp+0x74],ebx ; jne +0x48 ; cmp [rsp+0x70],ebx ; jne +0x42 ; cmp [rdi+0x58],ebx
        // (author's ASCII rendering: 9\$tuH9\$puB9_X)
        $str1 = { 39 5C 24 74 75 48 39 5C 24 70 75 42 39 5F 58 }

        // x86-64 function prologue, decoded as:
        //   mov [rsp+0x18],rbp ; push rsi ; push rdi ; push r12 ; push r14 ; push r15 ; 48 (REX.W prefix of next insn)
        // (author's ASCII rendering: VWATAVAWH)
        $str2 = { 48 89 6C 24 18 56 57 41 54 41 56 41 57 48 }

        // Same bytes as the original hex pattern {633A5C77 ... 61}, written as
        // a plain ASCII text string (backslashes escaped). Path under the
        // NetworkService profile, where the Exchange transport service runs.
        $str3 = "c:\\windows\\serviceprofiles\\networkservice\\appdata"

    condition:
        // PE file containing all three artefacts; $str* does not glob $mzhdr.
        ($mzhdr at 0) and all of ($str*)
}

rule turla_LightNeuron_transporter
{
    meta:
        author  = "MalCrawler"
        twitter = "@malcrawler"
        date    = "08/25/2019"
        Malware = "LightNeuron"
        Group   = "Turla"
        // Sample hashes as published by the author (32 hex digits, MD5 length)
        hash1   = "55319464e46e2c31d22b39b46d5477fb"
        hash2   = "2b14f9f3c758a2cf842a61aca6a3455d"
        hash3   = "52beacccecd9342421aa682ad538e677"

    strings:
        // DOS/PE magic; anchored at offset 0 in the first branch of the condition
        $mzhdr = "MZ"

        // NUL-separated type/member names, in this exact order (looks like the
        // .NET #Strings heap of the transport-agent assembly):
        //   <Module>, Microsoft.Exchange.MessagingPolicies.Search.exe, Program,
        //   Microsoft.Exchange.MessagingPolicies.Search, common_utl, CallBack,
        //   LibCaller, JournalReportAgentFactory, JournalReportAgent,
        //   MessagingRoutingAgentFactory, MessagingRoutingAgent, Settings,
        //   Microsoft.Exchange.MessagingPolicies.Search.Properties, mscorlib,
        //   System, Object, MulticastDelegate, Microsoft.Exchange.Data.Transport,
        //   Microsoft.Exchange.Data.Transport.Routing, RoutingAgentFactory,
        //   RoutingAgent, Microsoft.Exchange.Data.Transport.Smtp,
        //   SmtpReceiveAgentFactory, SmtpReceiveAgent, System.Configuration,
        //   ApplicationSettingsBase, Main
        $loader = {
            3C4D6F64 756C653E 004D6963 726F736F 66742E45 78636861 6E67652E 4D657373
            6167696E 67506F6C 69636965 732E5365 61726368 2E657865 0050726F 6772616D
            004D6963 726F736F 66742E45 78636861 6E67652E 4D657373 6167696E 67506F6C
            69636965 732E5365 61726368 00636F6D 6D6F6E5F 75746C00 43616C6C 4261636B
            004C6962 43616C6C 6572004A 6F75726E 616C5265 706F7274 4167656E 74466163
            746F7279 004A6F75 726E616C 5265706F 72744167 656E7400 4D657373 6167696E
            67526F75 74696E67 4167656E 74466163 746F7279 004D6573 73616769 6E67526F
            7574696E 67416765 6E740053 65747469 6E677300 4D696372 6F736F66 742E4578
            6368616E 67652E4D 65737361 67696E67 506F6C69 63696573 2E536561 7263682E
            50726F70 65727469 6573006D 73636F72 6C696200 53797374 656D004F 626A6563
            74004D75 6C746963 61737444 656C6567 61746500 4D696372 6F736F66 742E4578
            6368616E 67652E44 6174612E 5472616E 73706F72 74004D69 63726F73 6F66742E
            45786368 616E6765 2E446174 612E5472 616E7370 6F72742E 526F7574 696E6700
            526F7574 696E6741 67656E74 46616374 6F727900 526F7574 696E6741 67656E74
            004D6963 726F736F 66742E45 78636861 6E67652E 44617461 2E547261 6E73706F
            72742E53 6D747000 536D7470 52656365 69766541 67656E74 46616374 6F727900
            536D7470 52656365 69766541 67656E74 00537973 74656D2E 436F6E66 69677572
            6174696F 6E004170 706C6963 6174696F 6E536574 74696E67 73426173 65004D61
            696E
        }

        // Assembly / namespace names the agent presents itself under (ASCII)
        $str1 = "Microsoft.Exchange.MessagingPolicies.Search.exe"
        $str2 = "Microsoft.Exchange.MessagingPolicies.Search"
        $str3 = "Microsoft.Exchange.MessagingPolicies.Search.Properties"
        $str4 = "Microsoft.Exchange.Data.Transport"
        $str5 = "Microsoft.Exchange.Data.Transport.Routing"
        // UTF-16 strings. NOTE(review): $str6 pins one specific temp file name
        // (tmp8621.tmp); because the first branch requires all of $str*, a
        // variant using a different temp name falls through to $loader only.
        $str6 = "c:\\windows\\serviceprofiles\\networkservice\\appdata\\local\\temp\\tmp8621.tmp" wide
        $str7 = "BPA.Transport.dll" wide

    condition:
        // Grouping made explicit: YARA's 'and' binds tighter than 'or', so the
        // original unparenthesised condition evaluates exactly as written here.
        // The $loader branch alone is sufficient and does NOT require the MZ
        // header -- confirm that is intended. $loader is the only $loader* string,
        // so "$loader" equals the original "1 of ($loader*)".
        (($mzhdr at 0) and all of ($str*)) or $loader
}