Experts from Kaspersky Lab have discovered a new backdoor, GhostContainer, which is built on open-source tools. Researchers believe that the emergence of this malware may be part of a sophisticated targeted campaign aimed at large organizations in Asia, including high-tech enterprises. The attackers are presumably focused on cyber espionage.
The malware was discovered during the response to an incident related to attacks on Exchange infrastructure in the public sector. Researchers took note of the file App_Web_Container_1.dll, which turned out to be a complex, multifunctional backdoor based on several open-source projects.
The malware is capable of dynamically expanding and acquiring new functionality by loading additional modules.
The installation of the backdoor gives attackers full control over the Exchange server, which opens up significant possibilities for further malicious activity. The malware employs various methods to evade detection and disguises itself as a server component to blend in with standard operations.
The backdoor is capable of functioning as a proxy server or tunnel, which, according to experts, exposes the entire internal network of a company to external threats and creates a risk of confidential data leakage.
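The article names one concrete artifact, the file App_Web_Container_1.dll, but no path or hash. A practical first step for a defender is to sweep the file systems of Exchange servers for that name and record the SHA-256 of every hit, so the result can be compared with published indicators rather than trusting the name alone (ASP.NET legitimately generates App_Web_*.dll files when it compiles pages, so a name match is a lead, not a verdict). The script below is an added example and not Kaspersky's code; the search roots, the allowlist and the sample files are constructed placeholders, and the only indicator taken from the article is the file name.

```python
"""Added example (not from Kaspersky's report): hunt a directory tree for the
file name the article reports, App_Web_Container_1.dll, and record each hit
with its SHA-256 for comparison with published indicators.

Assumptions: the search roots and the known-good hash allowlist are
placeholders supplied by the operator; the article gives only the file name.
"""
import hashlib
import os
import sys
from pathlib import Path

# File name taken from the article; matched case-insensitively because
# Windows file systems are case-insensitive.
INDICATOR_NAMES = {"app_web_container_1.dll"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large DLLs do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt(roots, names=INDICATOR_NAMES, known_good_hashes=frozenset()):
    """Walk each root and return one record per file whose name matches.

    A record carries the path, size and SHA-256 plus whether the hash is on the
    operator-supplied allowlist; an empty allowlist (the default) flags every
    hit for analyst review.
    """
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for filename in files:
                if filename.lower() not in names:
                    continue
                path = Path(dirpath) / filename
                try:
                    file_hash = sha256_of(path)
                    size = path.stat().st_size
                except OSError as exc:  # locked or unreadable file: still report it
                    hits.append({"path": str(path), "error": str(exc)})
                    continue
                hits.append({
                    "path": str(path),
                    "size": size,
                    "sha256": file_hash,
                    "allowlisted": file_hash in known_good_hashes,
                })
    return hits


def format_report(hits):
    """Render hits as one line each, marking unreviewed files for follow-up."""
    lines = []
    for hit in hits:
        if "error" in hit:
            lines.append(f"UNREADABLE {hit['path']}: {hit['error']}")
            continue
        status = "allowlisted" if hit["allowlisted"] else "REVIEW"
        lines.append(f"{status} {hit['path']} size={hit['size']} sha256={hit['sha256']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python hunt_ghostcontainer.py <root> [<root> ...]
    # The roots are placeholders; point them at the volumes of the Exchange server.
    search_roots = sys.argv[1:] or ["."]
    print(format_report(hunt(search_roots)) or "no matching files found")
```

Run it against the system and data volumes of each Exchange server and feed the resulting hashes into your threat-intelligence platform; a hit whose hash is not known good should be preserved (not deleted) for forensic analysis, since the article notes the backdoor loads additional modules that the DLL alone will not reveal.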
“Our research has shown that the attackers are technically well-versed: they understand the vulnerabilities of Exchange systems and are capable of creating and refining complex spying tools based on publicly available code. Although the first incidents were recorded in Asia, there is a possibility that the attackers could use the discovered malware in other regions. While there is not enough information to attribute GhostContainer to any known group at this time, we will continue to monitor the backdoor’s activity to better understand the cyber threat landscape,” comments Sergey Lozhkin, head of GReAT in the APAC and META regions.