
Neuron

Posted: October 22, 2019

Neuron is a backdoor Trojan used by the APT34 and Turla threat actors. It provides general, long-term persistence and control capabilities that let the attacker spy on the target and launch attacks against other entities. Appropriate server and network security standards will mitigate infection attempts, and in most circumstances only a Windows anti-malware product should be used to uninstall Neuron.

Neurons Lighting Up in Unexpected Places

Neuron, a Trojan initially found in the hands of the Iranian APT34 threat actor, is getting new administrators: the Russian Turla group. Although Turla is best known for its campaigns against the United Kingdom, it also targets other hacking organizations, such as APT34, from which it misappropriated both Neuron and Nautilus. The intrusion coincides with Turla's gaining access to APT34's C&C infrastructure, providing it with global reach and the associated intelligence.

Neuron is a .NET Framework Trojan for Windows machines that malware experts observe on targets such as Web and e-mail servers. It can modify the system via commands from its administrator, retrieve files, and perform proxy operations. In Turla's case, it assists the threat actor's takeover of server resources, both for intelligence-gathering and for using the compromised servers as staging grounds for other attacks.

However, these hackers are doing more than deploying a misappropriated tool. Neuron also is receiving updates from Turla, with some patches arriving as soon as five days after the AV industry publishes countermeasures. Malware experts speculate that this could lead to significant forks between different builds of Neuron, since APT34 also retains possession of it. The changes focus on altering the infection's symptoms and its internal encryption to keep Neuron from being detected.

Scattering Neurons before They Coordinate Thoughts

The distribution model for Turla and Neuron is relatively consistent. Neuron is never the first-stage payload; most incidents involve its deployment by another threat, such as the Snake rootkit. Rootkits are exceptionally invasive in their persistence mechanisms, although many threat actors are abandoning them in favor of less-detectable alternatives. The Snake rootkit also provides similar functionality for compromising and exploiting networks, including information collection.

Whether Neuron is a 'backup' for the Snake rootkit or something else entirely, and whether its administrator is an Iranian or a Russian actor, it constitutes a high-level threat to your server's security. Admins should be well-versed in password and credential management, audit exposure points such as firewall rulesets and open ports, and turn off RDP whenever possible. Abiding by the 'principle of least privilege' for user accounts can also reduce the attack surface.

Because of Turla's ongoing development work, indicators of compromise for Neuron infections tend to rotate between attacks. Users can protect Windows systems with appropriate, up-to-date anti-malware programs that remove Neuron on sight.

Arriving with the help of a snakebite, and after being misappropriated from elsewhere, Neuron has a storied history for a backdoor Trojan. However, what it does isn't very different from SHUTTERSPEED or Ketrican, and it is just as threatening.
