SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lightneuron (Back to overview)

LightNeuron

aka: NETTRANS, XTRANS

Actor(s): Turla Group


There is no description at this point.

References
2020-03-12ESET ResearchMatthieu Faou
@online{faou:20200312:tracking:913d16e, author = {Matthieu Faou}, title = {{Tracking Turla: New backdoor delivered via Armenian watering holes}}, date = {2020-03-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/}, language = {English}, urldate = {2020-03-13} } Tracking Turla: New backdoor delivered via Armenian watering holes
LightNeuron Mosquito NetFlash Skipper
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla
2019-06-20SymantecSymantec DeepSight Adversary Intelligence Team, Symantec Network Protection Security Labs
@online{team:20190620:waterbug:9c50dd1, author = {Symantec DeepSight Adversary Intelligence Team and Symantec Network Protection Security Labs}, title = {{Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments}}, date = {2019-06-20}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments}, language = {English}, urldate = {2020-01-13} } Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments
LightNeuron
2019-05-07ESET ResearchMatthieu Faou
@online{faou:20190507:turla:0300283, author = {Matthieu Faou}, title = {{Turla LightNeuron: An email too far}}, date = {2019-05-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/}, language = {English}, urldate = {2019-11-14} } Turla LightNeuron: An email too far
LightNeuron
2019-05ESET ResearchMatthieu Faou
@techreport{faou:201905:turla:5a8a05f, author = {Matthieu Faou}, title = {{TURLA LIGHTNEURON: One email away from remote code execution}}, date = {2019-05}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf}, language = {English}, urldate = {2020-01-08} } TURLA LIGHTNEURON: One email away from remote code execution
LightNeuron
2018-07-10Kaspersky LabsGReAT
@online{great:20180710:trends:4651c7b, author = {GReAT}, title = {{APT Trends Report Q2 2018}}, date = {2018-07-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2018/86487/}, language = {English}, urldate = {2019-12-20} } APT Trends Report Q2 2018
LightNeuron PoorWeb
Yara Rules
[TLP:WHITE] win_lightneuron_auto (20230125 | Detects win.lightneuron.)
rule win_lightneuron_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.lightneuron."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightneuron"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8bd8 85c0 757b 4c8d87b8000000 488d542430 488d4c2448 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bd8                 | dec                 eax
            //   85c0                 | mov                 dword ptr [esp + 0x158], eax
            //   757b                 | mov                 dword ptr [esp + 0x140], ebx
            //   4c8d87b8000000       | test                eax, eax
            //   488d542430           | mov                 dword ptr [esp + 0x148], 1
            //   488d4c2448           | dec                 eax

        $sequence_1 = { f3c3 4885c9 0f84d2000000 48895c2408 57 4883ec20 0fb6fa }
            // n = 7, score = 100
            //   f3c3                 | mov                 esp, dword ptr [esp + 0x58]
            //   4885c9               | dec                 eax
            //   0f84d2000000         | mov                 edi, dword ptr [esp + 0x60]
            //   48895c2408           | dec                 eax
            //   57                   | mov                 ecx, edi
            //   4883ec20             | mov                 esi, eax
            //   0fb6fa               | lea                 ecx, [eax + 1]

        $sequence_2 = { 7815 488d8c24c8000000 4c8bc3 498bd5 e8???????? eb10 488d8c24c8000000 }
            // n = 7, score = 100
            //   7815                 | dec                 eax
            //   488d8c24c8000000     | sub                 ecx, 1
            //   4c8bc3               | jne                 0x1f6
            //   498bd5               | dec                 ecx
            //   e8????????           |                     
            //   eb10                 | mov                 eax, ebp
            //   488d8c24c8000000     | dec                 ebp

        $sequence_3 = { 4883c210 4881fa00040000 418b848ec0ed0300 42898432b0e50300 418b848ec0e90300 42898432b0e10300 418b848e80d90300 }
            // n = 7, score = 100
            //   4883c210             | dec                 ebp
            //   4881fa00040000       | mov                 esp, eax
            //   418b848ec0ed0300     | dec                 eax
            //   42898432b0e50300     | mov                 dword ptr [esp + 0x20], edi
            //   418b848ec0e90300     | inc                 ecx
            //   42898432b0e10300     | push                esp
            //   418b848e80d90300     | dec                 eax

        $sequence_4 = { 448b4b28 4183d200 450fb7c1 41c1e910 418bd1 418bc8 440fafce }
            // n = 7, score = 100
            //   448b4b28             | jge                 0x15b5
            //   4183d200             | dec                 eax
            //   450fb7c1             | mov                 ecx, dword ptr [esp + 0x58]
            //   41c1e910             | dec                 eax
            //   418bd1               | test                ecx, ecx
            //   418bc8               | je                  0x1584
            //   440fafce             | dec                 eax

        $sequence_5 = { 85c0 790a 488bcd e8???????? eb49 448b442460 488bd5 }
            // n = 7, score = 100
            //   85c0                 | sub                 ebx, 4
            //   790a                 | shl                 edx, 8
            //   488bcd               | or                  edx, eax
            //   e8????????           |                     
            //   eb49                 | movsx               eax, byte ptr [edi + 4]
            //   448b442460           | shl                 eax, 0x18
            //   488bd5               | shl                 edx, 8

        $sequence_6 = { 895c2420 ba94000000 448bc0 4533c9 b900001000 e8???????? b801000000 }
            // n = 7, score = 100
            //   895c2420             | inc                 esp
            //   ba94000000           | mov                 eax, dword ptr [edi + 0x8c]
            //   448bc0               | inc                 ebp
            //   4533c9               | xor                 ecx, ecx
            //   b900001000           | test                eax, eax
            //   e8????????           |                     
            //   b801000000           | jle                 0x159b

        $sequence_7 = { 89742420 e8???????? 4533c9 4533c0 8bd3 b991010000 4889742420 }
            // n = 7, score = 100
            //   89742420             | inc                 ecx
            //   e8????????           |                     
            //   4533c9               | cmove               eax, esp
            //   4533c0               | mov                 dword ptr [esp + 0x58], eax
            //   8bd3                 | mov                 dword ptr [esp + 0x68], eax
            //   b991010000           | test                ebx, ebx
            //   4889742420           | jne                 0x1d90

        $sequence_8 = { e9???????? 498bce ff15???????? 4533c9 4533c0 baaa000000 b900001000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   498bce               | mov                 dword ptr [esp + 0x28], esi
            //   ff15????????         |                     
            //   4533c9               | inc                 esp
            //   4533c0               | mov                 eax, dword ptr [edi + 0x8e8]
            //   baaa000000           | inc                 ebp
            //   b900001000           | xor                 ecx, ecx

        $sequence_9 = { 488b5c2468 4883c430 415d 415c 5e c3 803930 }
            // n = 7, score = 100
            //   488b5c2468           | mov                 eax, 0x10
            //   4883c430             | dec                 eax
            //   415d                 | lea                 edx, [0x1c9f7]
            //   415c                 | dec                 eax
            //   5e                   | mov                 ecx, esi
            //   c3                   | dec                 eax
            //   803930               | mov                 ecx, esi

    condition:
        7 of them and filesize < 573440
}
Download all Yara Rules