win.lightneuron

LightNeuron

aka: NETTRANS, XTRANS

Actor(s): Turla


There is no description at this point.

References
2020-03-12 — ESET Research — Matthieu Faou
Tracking Turla: New backdoor delivered via Armenian watering holes
LightNeuron Mosquito NetFlash Skipper
2020-03-04 — CrowdStrike — CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-13 — Qianxin — Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-01 — Secureworks — SecureWorks
IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla
2019-06-20 — Symantec — Symantec DeepSight Adversary Intelligence Team, Symantec Network Protection Security Labs
Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments
LightNeuron
2019-05-07 — ESET Research — Matthieu Faou
Turla LightNeuron: An email too far
LightNeuron
2019-05-01 — ESET Research — Matthieu Faou
TURLA LIGHTNEURON: One email away from remote code execution
LightNeuron
2018-07-10 — Kaspersky Labs — GReAT
APT Trends Report Q2 2018
LightNeuron PoorWeb
Yara Rules
[TLP:WHITE] win_lightneuron_auto (20230808 | Detects win.lightneuron.)
rule win_lightneuron_auto {

    // Autogenerated code-sequence signature for win.lightneuron (see DISCLAIMER below).
    // The signature is the hex byte sequences in the strings section; the mnemonic
    // column next to each byte group is informational only and is not evaluated by YARA.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): `date` (rule generation) differs from `malpedia_rule_date` and
        // `malpedia_version` (dataset snapshot identifiers) — these describe different
        // things and are not expected to agree; confirm against the Malpedia page if in doubt.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.lightneuron."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightneuron"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of consecutive instruction encodings. `??` is a YARA
    // hex wildcard (any nibble), used here to mask the 4-byte operand of `e8` (x86
    // call rel32) and of rip-relative `488b05`/`448b05` loads, whose displacements
    // differ between samples and builds.
    // NOTE(review): the mnemonic column does not line up with the hex bytes — many
    // groups start with a REX prefix (0x41/0x44/0x45/0x48/0x49/0x4c, i.e. 64-bit
    // code) yet are annotated with 32-bit readings such as `dec eax`/`inc ebx`, and
    // the annotations appear shifted relative to the bytes. Treat the hex as
    // authoritative and the comments as a generator artifact.
    strings:
        $sequence_0 = { e8???????? 488d8c2434010000 33d2 41b800010000 89b42430010000 e8???????? 488bcf }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d8c2434010000     | inc                 ebx
            //   33d2                 | movzx               eax, byte ptr [edx + 0x3a540]
            //   41b800010000         | shl                 eax, 8
            //   89b42430010000       | shl                 esi, 8
            //   e8????????           |                     
            //   488bcf               | xor                 esi, eax

        $sequence_1 = { 0f4ed9 3bc5 770b 3beb 7707 b801000000 eb02 }
            // n = 7, score = 100
            //   0f4ed9               | cmp                 ebx, dword ptr [ebx]
            //   3bc5                 | jl                  0x18cd
            //   770b                 | xor                 ecx, ecx
            //   3beb                 | cmp                 dword ptr [ebx], ecx
            //   7707                 | jle                 0x1920
            //   b801000000           | dec                 eax
            //   eb02                 | lea                 edx, [ebx + 4]

        $sequence_2 = { 85d2 7e24 488b8f80000000 e8???????? 488b8f80000000 4885c9 740c }
            // n = 7, score = 100
            //   85d2                 | add                 eax, 0x20
            //   7e24                 | jle                 0xb8f
            //   488b8f80000000       | inc                 ebp
            //   e8????????           |                     
            //   488b8f80000000       | xor                 ecx, ecx
            //   4885c9               | inc                 ebp
            //   740c                 | xor                 eax, eax

        $sequence_3 = { e8???????? 8bf0 85c0 7502 893b 85f6 754c }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bf0                 | mov                 ecx, ebx
            //   85c0                 | dec                 eax
            //   7502                 | mov                 ebx, dword ptr [esp + 0x30]
            //   893b                 | dec                 eax
            //   85f6                 | mov                 esi, dword ptr [esp + 0x38]
            //   754c                 | dec                 eax

        $sequence_4 = { 4503c1 453bc1 4183d200 4403c0 443bc0 45894304 }
            // n = 6, score = 100
            //   4503c1               | xor                 al, byte ptr [esp + edx + 0x37]
            //   453bc1               | dec                 eax
            //   4183d200             | inc                 edx
            //   4403c0               | inc                 ecx
            //   443bc0               | cmp                 eax, 2
            //   45894304             | jl                  0x1b23

        $sequence_5 = { 448bc3 e8???????? 448bc3 33d2 498bcd e8???????? 498bcd }
            // n = 7, score = 100
            //   448bc3               | cmp                 dword ptr [eax], 0
            //   e8????????           |                     
            //   448bc3               | dec                 eax
            //   33d2                 | test                eax, eax
            //   498bcd               | je                  0x3b8
            //   e8????????           |                     
            //   498bcd               | mov                 eax, dword ptr [ebx + 0x10]

        $sequence_6 = { 4c0f45c0 488b05???????? 4885c0 480f45d0 488d442448 4889442430 4c896c2428 }
            // n = 7, score = 100
            //   4c0f45c0             | test                eax, eax
            //   488b05????????       |                     
            //   4885c0               | dec                 esp
            //   480f45d0             | sub                 ebx, dword ptr [esp + 0x28]
            //   488d442448           | dec                 esp
            //   4889442430           | add                 ebx, dword ptr [esp + 0x20]
            //   4c896c2428           | jne                 0x9b0

        $sequence_7 = { 488bd0 498bcc e8???????? 4d8b0c24 458b44240c 33d2 }
            // n = 6, score = 100
            //   488bd0               | mov                 eax, edx
            //   498bcc               | shr                 edx, 0x18
            //   e8????????           |                     
            //   4d8b0c24             | mov                 byte ptr [esp + 0x5f], dl
            //   458b44240c           | shr                 eax, 0x10
            //   33d2                 | mov                 byte ptr [esp + 0x5e], al

        $sequence_8 = { 48895c2428 89442420 e8???????? 448b05???????? 4533c9 ba9d010000 b900001000 }
            // n = 7, score = 100
            //   48895c2428           | dec                 eax
            //   89442420             | mov                 edx, dword ptr [esi + 0x50]
            //   e8????????           |                     
            //   448b05????????       |                     
            //   4533c9               | dec                 eax
            //   ba9d010000           | test                edx, edx
            //   b900001000           | je                  0xe76

        $sequence_9 = { 4533c9 4533c0 babf000000 b900001000 48895c2428 89442420 e8???????? }
            // n = 7, score = 100
            //   4533c9               | dec                 eax
            //   4533c0               | test                eax, eax
            //   babf000000           | jne                 0x1a15
            //   b900001000           | dec                 eax
            //   48895c2428           | mov                 ecx, edi
            //   89442420             | dec                 eax
            //   e8????????           |                     

    // Match requires at least 7 of the 10 $sequence_* strings AND a scanned object
    // smaller than 573440 bytes. Because the sequences were extracted from unpacked
    // files and memory dumps (see DISCLAIMER), packed on-disk samples or larger
    // carrier files can fall outside both criteria; scan unpacked payloads or process
    // memory for best coverage, and weight hits accordingly.
    condition:
        7 of them and filesize < 573440
}