Kaspersky’s Global Research and Analysis Team (GReAT) has uncovered a new backdoor based on open-source tools, dubbed GhostContainer. The previously unknown highly customized malware was discovered during an incident response (IR) case, targeting Exchange infrastructure within government environments. The malware may be part of an advanced persistent threat (APT) campaign targeting high-value entities in Asia, including high-tech companies.
The file detected by Kaspersky as App_Web_Container_1.dll turned out to be a sophisticated, multi-functional backdoor that leverages several open-source projects and can be dynamically extended with arbitrary functionality through additional module downloads.
Once loaded, it provides attackers with full control over the Exchange server, enabling a wide range of malicious activities. To avoid detection by security solutions, it uses several evasion techniques and presents itself as a legitimate server component to blend in with normal operations. In addition, it can act as a proxy or tunnel, potentially exposing the internal network to external threats or facilitating the exfiltration of sensitive data from internal systems. Therefore, сyber espionage is suspected to be the aim of the campaign.
“Our in-depth analysis revealed that the attackers are highly skilled at exploiting Exchange systems and leveraging various open-source projects related to infiltrating IIS and Exchange environments, as well as creating and enhancing sophisticated espionage tools based on publicly available code. We will continue monitoring their activity, along with the scope and scale of these attacks, to gain a better understanding of the threat landscape,” comments Sergey Lozhkin, Head of GReAT, APAC & META.
At this time, it is not possible to attribute GhostContainer to any known threat actor group, as the attackers have not exposed any infrastructure. The malware incorporates code from several publicly accessible open-source projects, which could be leveraged by hackers or APT groups worldwide. Notably, by the end of 2024, a total of 14,000 malicious packages were identified in open-source projects — a 48% increase compared to the end of 2023 — highlighting the growing threat in this area.
