Cybersecurity researchers at Kaspersky’s research unit SecureList have disclosed a sophisticated malware named GhostContainer, which is actively targeting Microsoft Exchange servers in high-value organizations across Asia. The newly discovered backdoor gives attackers extensive control over compromised systems, enabling a range of malicious activities that may include data exfiltration.
GhostContainer is a multi-functional backdoor that masquerades as a normal server component. It is delivered as a file named ‘App_Web_Container_1.dll’, 32.8 KB in size, and its core functionality can be extended with additional downloadable modules. Researchers believe the attackers gained initial access by exploiting a known but unpatched N-day vulnerability in Exchange servers.
A significant element of GhostContainer is its ‘Stub’ class, which acts as a command-and-control (C2) parser capable of executing shellcode, downloading files and running commands, while also attempting to bypass antimalware protections. Data exchanged between the attackers and the compromised servers is encrypted with AES, with the encryption keys derived from the ASP.NET validation key.
The malware has also been identified as part of an Advanced Persistent Threat (APT) campaign, with key targets including a government agency and a technology firm in Asia. Instead of relying on traditional C2 infrastructure, the attackers control the compromised servers by embedding commands within ordinary Exchange web requests, which complicates detection and analysis.
In light of these findings, organizations are urged to promptly apply all available security updates and patches for Exchange servers to protect themselves against such vulnerabilities.