A Turla backdoor targeting Microsoft Exchange mail servers, and controllable remotely through email attachments that carry commands hidden with steganography, was discovered in use against multiple targets around the world.
The specific targeting of Microsoft Exchange servers by malware is in itself unique, but even more interesting is the use of Transport Agents as a persistence mechanism. Transport Agents are components of the Microsoft Exchange mail flow that allow custom software to participate in the processing of email messages. By registering a custom Transport Agent, the Turla threat group was able to apply its own rule set to every email passing through a compromised Exchange server, allowing it to read, modify, compose, send, or delete messages.

Using the rule file for the Transport Agent, the attackers implemented handlers that include the ability to execute commands. When an attacker sends an email to the victim organization with a PDF or JPG attachment, a rule is applied that decodes the commands hidden in the attachment via steganography. Because the agent sits in the server's own mail pipeline, the malicious email can be processed and dropped before it ever reaches a mailbox. The commands give full control over the Exchange server through functions such as executing processes, exfiltrating files, and writing executables to disk.
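Because the persistence described above is a registered Transport Agent, the first check a responder wants is an inventory of every agent the server knows about, with the Authenticode status of each agent's DLL. The script below is an added example written for this page; it is not the threat group's code and not part of the original advisory. It uses the real Exchange Management Shell cmdlet Get-TransportAgent and the built-in Get-AuthenticodeSignature; the trusted-signer pattern and the output CSV path are assumptions, and the script assumes it runs in the Exchange Management Shell on the server itself so the assembly paths resolve locally.

```powershell
# Added example (not from the original advisory or the Turla tooling):
# enumerate every Transport Agent registered on this Exchange server and
# flag the enabled ones whose assembly is missing, unsigned, invalidly
# signed, or signed by someone outside the assumed allow-list.
# Assumes: Exchange Management Shell, run on the Exchange server itself.

$TrustedSignerPattern = 'CN=Microsoft Corporation'   # assumption: allow-list of publishers

$findings = foreach ($agent in Get-TransportAgent) {
    $path   = $agent.AssemblyPath
    $status = 'MissingFile'
    $signer = $null

    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    # An enabled agent is suspicious unless its DLL exists, carries a valid
    # signature, and that signature matches the allow-list.
    $suspicious = $agent.Enabled -and (
        $status -ne 'Valid' -or
        -not $signer -or
        $signer -notmatch [regex]::Escape($TrustedSignerPattern)
    )

    [pscustomobject]@{
        Identity     = $agent.Identity
        Enabled      = $agent.Enabled
        Priority     = $agent.Priority
        Factory      = $agent.TransportAgentFactory
        AssemblyPath = $path
        Signature    = $status
        Signer       = $signer
        Suspicious   = $suspicious
    }
}

# Print the inventory with suspicious entries first, and keep a copy so it
# can be diffed against a known-good server later.
$findings | Sort-Object Suspicious -Descending |
    Format-Table Identity, Enabled, Priority, Signature, Signer, AssemblyPath -AutoSize

$csv = Join-Path $env:TEMP "transport-agents-$env:COMPUTERNAME.csv"   # assumed output location
$findings | Export-Csv -NoTypeInformation -Path $csv

if ($findings | Where-Object Suspicious) {
    Write-Warning "One or more enabled Transport Agents are not signed by a trusted publisher; review them (inventory saved to $csv)."
}
```

A valid Microsoft signature is a reasonable exclusion, not proof of innocence, so the exported inventory should still be compared against a baseline taken from a server you trust: an extra agent, an unfamiliar factory class, or a DLL living outside the Exchange installation directory is what to look for. Run the same check on every Exchange server in the organization, since each server keeps its own agent registration.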
Indicators of Compromise
Malware Hash (MD5/SHA1/SHA256)
Block all threat indicators at your respective controls.