Hackers Utilize GhostContainer Malware to Infiltrate Exchange Servers through Exploited N-day Vulnerabilities in the Wild
### Unveiling GhostContainer: A Sophisticated Malware Targeting Microsoft Exchange Servers
In a recent discovery, cybersecurity firm Kaspersky uncovered a new and advanced malware named GhostContainer, which is specifically designed to infiltrate Microsoft Exchange servers. This malware is known for its ability to provide attackers with comprehensive control over the server, enabling a wide range of malicious activities such as cyber espionage.
### Advanced Backdoor Capabilities
Once loaded, GhostContainer offers attackers full control over the server, enabling them to carry out various malicious activities. The backdoor can also be dynamically extended with additional modules, allowing it to adapt and expand its capabilities. Moreover, it can function as a proxy or tunnel, potentially exposing internal networks to external threats or facilitating data exfiltration.
### Evasion Techniques
To avoid detection, GhostContainer disguises itself as a legitimate server component, specifically as the file `App_Web_Container_1.dll`. Additionally, control commands are hidden within normal Exchange web requests, making it difficult to identify the malicious activity.
### Links to Known Vulnerabilities
GhostContainer relies on known N-day vulnerabilities to establish persistent access. The available reports do not tie the intrusions to CVE-2020-0688 specifically; they state only that initial access is gained by exploiting already-known vulnerabilities, without naming that particular CVE.
### Targets and Attribution
The malware has been identified targeting a key government agency and a high-tech company in Asia. However, attribution to specific threat actors or groups is challenging due to the use of open-source code and the lack of structural similarities with known malware.
### Key Features and Components
GhostContainer consists of three classes: Stub, App_Web_843e75cf5b63, and App_Web_8c9b251fb5b3. The malware's web proxy component, App_Web_8c9b251fb5b3, is based on the Neo-reGeorg tunneling tool. The App_Web_843e75cf5b63 class in GhostContainer employs a sophisticated virtual page injection mechanism.
The malware supports fourteen distinct command operations and has a multi-functional backdoor architecture. Its design specifically targets Exchange infrastructure within government environments. Unlike traditional malware campaigns, GhostContainer operates without establishing direct connections to external C2 infrastructure.
Current telemetry indicates that GhostContainer has successfully compromised at least two high-value targets: a key government agency and a high-tech company, both located in Asia. Attackers connect to compromised servers from outside networks, concealing control commands within legitimate Exchange web requests.
In summary, GhostContainer represents a significant threat to high-value organizations due to its sophistication, adaptability, and ability to blend in with legitimate server operations. Its evasion techniques and advanced capabilities make it challenging to detect and mitigate, underscoring the need for robust cybersecurity measures and regular updates to protect against such espionage-focused malware campaigns.
- GhostContainer disguises itself as a legitimate server component (the file `App_Web_Container_1.dll`), potentially bypassing traditional security controls.
- GhostContainer can extend its backdoor with additional modules and function as a proxy or tunnel, posing a threat to internal networks and enabling data exfiltration.