win.lightneuron

LightNeuron

aka: NETTRANS, XTRANS

Actor(s): Turla Group


There is no description at this point.

References
2020-03-12 | ESET Research | Matthieu Faou
@online{faou:20200312:tracking:913d16e, author = {Matthieu Faou}, title = {{Tracking Turla: New backdoor delivered via Armenian watering holes}}, date = {2020-03-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/}, language = {English}, urldate = {2020-03-13} } Tracking Turla: New backdoor delivered via Armenian watering holes
LightNeuron Mosquito NetFlash Skipper
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 | Secureworks | SecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla Group
2019-06-20 | Symantec | Symantec DeepSight Adversary Intelligence Team, Symantec Network Protection Security Labs
@online{team:20190620:waterbug:9c50dd1, author = {Symantec DeepSight Adversary Intelligence Team and Symantec Network Protection Security Labs}, title = {{Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments}}, date = {2019-06-20}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments}, language = {English}, urldate = {2020-01-13} } Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments
LightNeuron
2019-05-07 | ESET Research | Matthieu Faou
@online{faou:20190507:turla:0300283, author = {Matthieu Faou}, title = {{Turla LightNeuron: An email too far}}, date = {2019-05-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/}, language = {English}, urldate = {2019-11-14} } Turla LightNeuron: An email too far
LightNeuron
2019-05 | ESET Research | Matthieu Faou
@techreport{faou:201905:turla:5a8a05f, author = {Matthieu Faou}, title = {{TURLA LIGHTNEURON: One email away from remote code execution}}, date = {2019-05}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf}, language = {English}, urldate = {2020-01-08} } TURLA LIGHTNEURON: One email away from remote code execution
LightNeuron
2018-07-10 | Kaspersky Labs | GReAT
@online{great:20180710:trends:4651c7b, author = {GReAT}, title = {{APT Trends Report Q2 2018}}, date = {2018-07-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2018/86487/}, language = {English}, urldate = {2019-12-20} } APT Trends Report Q2 2018
LightNeuron PoorWeb
Yara Rules
[TLP:WHITE] win_lightneuron_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_lightneuron_auto {

    // Autogenerated (yara-signator) code-pattern signature for the Malpedia
    // family win.lightneuron (LightNeuron, aka NETTRANS / XTRANS, attributed
    // to Turla). It matches on short byte sequences lifted from the
    // disassembly of a single documented sample, so it is a detection aid for
    // unpacked files / memory dumps rather than a general-purpose family rule;
    // see the DISCLAIMER below before assigning it a confidence level.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightneuron"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a hex pattern of N consecutive instructions.
        // `??` is a one-byte wildcard; it masks the 4-byte operand of the
        // `e8` (call) opcodes so the pattern survives relocation / different
        // call targets. The "n = ..., score = ..." lines are tool-emitted
        // metadata (instruction count, selection score), not matching logic.
        //
        // NOTE(review): the per-byte disassembly annotations do not appear to
        // line up with the listed bytes (e.g. `498bc7` carries a REX prefix,
        // i.e. 64-bit code, while the annotation reads `cmp eax, edx`).
        // Treat the annotations as informational only; only the hex bytes
        // are matched.
        $sequence_0 = { 498bc7 0f1f4000 8b7808 488b10 498bcc 443bf7 7d27 }
            // n = 7, score = 100
            //   498bc7               | cmp                 eax, edx
            //   0f1f4000             | jl                  0x4bb
            //   8b7808               | inc                 esp
            //   488b10               | mov                 dword ptr [ebp], ebx
            //   498bcc               | mov                 eax, ebx
            //   443bf7               | jmp                 0x4d5
            //   7d27                 | dec                 eax

        $sequence_1 = { eb4b 488bcb e8???????? 83f801 753e 8b834c3f0000 4d8bc4 }
            // n = 7, score = 100
            //   eb4b                 | movzx               eax, al
            //   488bcb               | inc                 edx
            //   e8????????           |                     
            //   83f801               | movzx               eax, byte ptr [eax + 0x3a540]
            //   753e                 | shl                 ebx, 8
            //   8b834c3f0000         | movzx               ecx, al
            //   4d8bc4               | inc                 edx

        $sequence_2 = { 7509 4983e804 482bca 75f1 488d442460 833800 750a }
            // n = 7, score = 100
            //   7509                 | test                eax, eax
            //   4983e804             | jne                 0x1f0e
            //   482bca               | dec                 ebp
            //   75f1                 | mov                 edi, ecx
            //   488d442460           | or                  ebx, eax
            //   833800               | inc                 ecx
            //   750a                 | movzx               eax, byte ptr [eax]

        $sequence_3 = { 0f1f00 41833c9c00 7506 4883eb01 75f3 8b442460 488d5301 }
            // n = 7, score = 100
            //   0f1f00               | mov                 ebx, dword ptr [esi + edx*4 + 0x3f5c0]
            //   41833c9c00           | shr                 eax, 0x10
            //   7506                 | movzx               ecx, al
            //   4883eb01             | mov                 eax, edi
            //   75f3                 | inc                 ebp
            //   8b442460             | xor                 ebx, dword ptr [esi + ecx*4 + 0x3f9c0]
            //   488d5301             | inc                 ecx

        $sequence_4 = { 41884101 75d5 33c0 488b5c2430 488b6c2438 488b742440 488b7c2448 }
            // n = 7, score = 100
            //   41884101             | dec                 eax
            //   75d5                 | mov                 dword ptr [esp + 0x28], ebx
            //   33c0                 | mov                 dword ptr [esp + 0x20], eax
            //   488b5c2430           | inc                 ebp
            //   488b6c2438           | xor                 eax, eax
            //   488b742440           | mov                 edx, 0xba
            //   488b7c2448           | mov                 ecx, 0x100000

        $sequence_5 = { 4433a48580d90300 410fb6c3 4433a48580d50300 4533650c 83ff0c 0f8e06020000 }
            // n = 6, score = 100
            //   4433a48580d90300     | dec                 eax
            //   410fb6c3             | lea                 eax, [edx + ecx]
            //   4433a48580d50300     | dec                 ecx
            //   4533650c             | arpl                bp, cx
            //   83ff0c               | dec                 esp
            //   0f8e06020000         | add                 ebx, eax

        $sequence_6 = { c6402163 c6402273 c6402373 c6402474 c6402572 c6402600 c640d873 }
            // n = 7, score = 100
            //   c6402163             | mov                 eax, dword ptr [esp + 0x30]
            //   c6402273             | cmp                 dword ptr [esp], eax
            //   c6402373             | jae                 0x1223
            //   c6402474             | mov                 eax, dword ptr [esp]
            //   c6402572             | add                 eax, 1
            //   c6402600             | mov                 dword ptr [esp], eax
            //   c640d873             | mov                 eax, dword ptr [esp + 0x30]

        $sequence_7 = { 7416 488d0c2f e8???????? 4883c704 448bd8 4c895e10 }
            // n = 6, score = 100
            //   7416                 | dec                 eax
            //   488d0c2f             | mov                 ecx, esi
            //   e8????????           |                     
            //   4883c704             | mov                 byte ptr [esp + 0x198], 0
            //   448bd8               | dec                 eax
            //   4c895e10             | lea                 edx, [0x1c931]

        $sequence_8 = { 89442434 8b4218 89442438 488b4220 4889442440 e8???????? 4c8d442420 }
            // n = 7, score = 100
            //   89442434             | dec                 eax
            //   8b4218               | mov                 eax, dword ptr [ebx]
            //   89442438             | jne                 0x1446
            //   488b4220             | inc                 ebp
            //   4889442440           | xor                 ecx, ecx
            //   e8????????           |                     
            //   4c8d442420           | inc                 ecx

        $sequence_9 = { 4883c304 8be8 85c0 75c5 448b742428 85ff 440f44742420 }
            // n = 7, score = 100
            //   4883c304             | lea                 edx, [edi + ebp]
            //   8be8                 | dec                 eax
            //   85c0                 | mov                 ecx, eax
            //   75c5                 | dec                 eax
            //   448b742428           | mov                 dword ptr [ebx + 8], eax
            //   85ff                 | dec                 ecx
            //   440f44742420         | mov                 ecx, esp

    condition:
        // Fires when at least 7 of the 10 sequences are present AND the
        // scanned object is smaller than 573440 bytes (560 KiB). The size
        // bound limits false positives on large binaries; note that YARA's
        // `filesize` is only meaningful when scanning files, so when scanning
        // process memory or memory dumps the bound may not constrain the
        // match as intended and should be re-evaluated.
        7 of them and filesize < 573440
}