Kaspersky’s Global Research and Analysis Team (GReAT) has recently identified a new form of backdoor malware known as GhostContainer, which is constructed using open-source tools. This sophisticated malware is unprecedented and was uncovered during an incident response involving government systems utilizing Microsoft Exchange.
GhostContainer is believed to be associated with an advanced persistent threat (APT) campaign targeting key organizations across the Asia region, including significant technology firms. The malicious file identified by Kaspersky, named App_Web_Container_1.dll, functions as a multi-functional backdoor that can be extended by remotely downloading additional modules. Its design draws on numerous open-source projects, meticulously customized to evade detection.
Once GhostContainer is executed on a system, it allows hackers to gain complete control over the Exchange server. From this access, they can conduct various dangerous actions without the user’s awareness. Notably, the malware masquerades as a legitimate server component and employs advanced techniques to evade antivirus detection and bypass security monitoring.
Additionally, GhostContainer has the capability to function as a proxy server or create an encrypted tunnel, enabling hackers to infiltrate internal systems or extract sensitive information. Given these operational methods, experts suggest that the primary intent behind this campaign might be cyber espionage.
Sergey Lozhkin, Head of the Global Research and Analysis Team for Asia Pacific, the Middle East, and Africa at Kaspersky, emphasized the attackers’ expertise in breaching Microsoft Exchange server systems. They employ a range of open source tools to infiltrate IIS and Exchange environments, and they develop sophisticated spying tools based on publicly available open source code. Kaspersky continues to monitor the group’s activities to better assess the overall threat landscape.
To mitigate the risk of falling prey to targeted attacks from both known and emerging cybercriminals, Kaspersky experts recommend the following strategies for businesses:
- Equip security operations center (SOC) teams with the latest threat intelligence. The Kaspersky Threat Intelligence platform aggregates two decades’ worth of cyberattack data and insights.
- Enhance the skills of cybersecurity personnel through Kaspersky’s online training programs, developed by GReAT experts, to prepare them for new threats.
- Implement enterprise-grade security solutions such as the Kaspersky Anti Targeted Attack Platform, designed to detect complex attacks that may already be under way within the system undetected.