New GhostContainer Malware Hits High-Value MS Exchange Servers in Asia
Kaspersky’s SecureList reveals GhostContainer, a new, highly customized backdoor targeting government and high-tech organizations in Asia via Exchange server vulnerabilities. Learn how this APT malware operates and how to stay protected.
Cybersecurity researchers at Kaspersky’s research unit SecureList have revealed a new and highly customized malware, dubbed GhostContainer. This sophisticated backdoor has been found actively targeting Microsoft Exchange servers in high-value organizations across Asia, granting attackers extensive control over compromised systems and enabling various malicious activities, including potential data exfiltration.
**Understanding GhostContainer**
GhostContainer is a multi-functional backdoor designed to evade detection by mimicking standard server components. It is delivered as a file named ‘App_Web_Container_1.dll’ with a file size of 32.8 KB. Its core functionality is extended through additional downloadable modules. The researchers indicate that the attackers likely gained initial access by exploiting a known Exchange vulnerability that had not yet been patched on the target (an N-day vulnerability).
Source: SecureList
A key component of GhostContainer is the ‘Stub’ class, which acts as a command and control (C2) parser. It can execute shellcode, download files, run commands, and load additional .NET bytecode. Notably, the Stub class attempts to bypass the Antimalware Scan Interface (AMSI) and Windows Event Log by overwriting specific addresses in memory, further aiding its stealth.
Researchers identified that data transferred between the attackers and the server is protected with AES encryption, using a key derived from the ASP.NET validation key. The malware’s capabilities include retrieving the system architecture, running shellcode, executing command lines, and managing files.
**Sophisticated Features and Open-Source Roots**
GhostContainer also includes a ‘virtual page injector’ class (App_Web_843e75cf5b63) that creates ghost pages to bypass file checks and load a .NET reflection loader. This loader then activates the web proxy class (App_Web_8c9b251fb5b3), a central element of the malware. This web proxy component possesses capabilities for web proxying, socket forwarding, and covert communication.
SecureList’s investigation also revealed that the attackers leveraged several open-source projects to build GhostContainer. For instance, the Stub class appears to be based on ExchangeCmdPy.py, an open-source tool for exploiting the Exchange vulnerability CVE-2020-0688.
Similarly, the virtual page injector reuses code from ‘PageLoad_ghostfile.aspx,’ and the web proxy component is a customized version of ‘Neo-reGeorg,’ another open-source project. This blend of public tooling with custom modifications showcases the attackers’ advanced skills.
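The file name, reported size and class names above are the only concrete artefacts the write-up gives, so a defender's first step is a sweep of the Exchange web directories for them. The following hunting script is an added example, not code from SecureList or the article; the size tolerance, the assumption that the compiled assemblies embed the class names as plain ASCII, and the 4 MB read limit are the author's own choices.

```python
import os
from typing import Optional

# Indicators as reported in the SecureList write-up summarised above.
LOADER_NAME = "app_web_container_1.dll"
LOADER_SIZE = 32_800          # reported as 32.8 KB
SIZE_TOLERANCE = 1_024        # assumption: allow ~1 KB of rounding slack
MODULE_CLASSES = (b"App_Web_843e75cf5b63", b"App_Web_8c9b251fb5b3")

def classify(name: str, size: int, data: bytes) -> Optional[str]:
    """Return a reason string if this file matches a reported indicator, else None."""
    low = name.lower()
    if low == LOADER_NAME:
        if abs(size - LOADER_SIZE) <= SIZE_TOLERANCE:
            return "filename and size match the reported GhostContainer loader"
        return "filename matches the reported GhostContainer loader (size differs)"
    # Assumption: .NET assemblies keep type names as plain ASCII in their
    # metadata, so the reported class names can be searched for in the bytes.
    # ASP.NET legitimately emits many App_Web_*.dll files, so only these
    # exact names are treated as suspicious.
    if low.endswith(".dll"):
        for cls in MODULE_CLASSES:
            if cls in data:
                return f"assembly contains reported class name {cls.decode()}"
    return None

def hunt(root: str, max_read: int = 4 * 1024 * 1024) -> list:
    """Walk a directory tree and return (path, size, reason) for each hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                size = os.path.getsize(path)
                data = b""
                if fname.lower().endswith(".dll"):
                    with open(path, "rb") as fh:
                        data = fh.read(max_read)
            except OSError:
                continue          # unreadable or vanished file; skip it
            reason = classify(fname, size, data)
            if reason:
                hits.append((path, size, reason))
    return hits

if __name__ == "__main__":
    import sys
    for path, size, reason in hunt(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}\t{size}\t{reason}")
```

Point it at the Exchange installation's web and ASP.NET temporary-files directories; a hit on the loader name or a class name is a lead for triage, not proof of compromise on its own.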
**Targeting High-Value Organizations**
Telemetry data gathered by the researchers suggests that GhostContainer is part of an Advanced Persistent Threat (APT) campaign. The identified victims so far include a key government agency and a high-tech company, both situated in Asia.
The attackers do not rely on traditional C2 infrastructure; instead, they control the compromised server by embedding commands within ordinary Exchange web requests. Because no dedicated attacker-owned endpoint is contacted, this approach makes it difficult to identify their IP addresses or domains.
The investigation into the full scope of these attack activities is ongoing. Meanwhile, organizations should act swiftly and immediately apply all available security updates and patches for Exchange servers and other software to close known vulnerabilities.