GhostContainer: New vulnerability attacks Microsoft Exchange servers via backdoor malware

Kaspersky's Global Research and Analysis Team (GReAT) has discovered GhostContainer, a sophisticated, previously unknown backdoor built on open source tools.

Báo Sài Gòn Giải phóng, 25/07/2025

According to Kaspersky, it is not yet possible to assign responsibility to any hacker group because the attackers did not show any signs of penetrating any infrastructure.

The GReAT team discovered the malware during incident response on government systems that used Microsoft Exchange. GhostContainer is believed to be part of a sophisticated advanced persistent threat (APT) campaign targeting key organizations in the Asia region, including major technology companies.

The malicious file discovered by Kaspersky, App_Web_Container_1.dll, is a multi-functional backdoor that can be extended by downloading additional modules remotely. The malware draws on many open source projects and is customized in sophisticated ways to avoid detection.


Once GhostContainer is successfully installed on a system, hackers can easily gain complete control of the Exchange server, from which they can perform a series of dangerous actions without the user's knowledge. This malware is cleverly disguised as a valid server component and uses many surveillance evasion techniques to avoid detection by antivirus software and bypass security monitoring systems.

In addition, this malware can act as a proxy or an encrypted tunnel, opening a path for hackers to penetrate internal systems or steal sensitive information. Given this mode of operation, experts suspect that the main purpose of this campaign is most likely cyber espionage.

“Our in-depth analysis shows that the perpetrators are highly proficient in penetrating Microsoft Exchange servers. They leverage a variety of open source tools to penetrate IIS and Exchange environments, and have developed sophisticated spying tools based on available open source code. We will continue to monitor the group’s activities, as well as the scope and severity of their attacks, to better understand the overall threat landscape,” said Sergey Lozhkin, Head of the Global Research and Analysis Team (GReAT) for Asia Pacific and Middle East and Africa at Kaspersky.

GhostContainer uses code from multiple open source projects, making it highly vulnerable to cybercriminal groups or APT campaigns anywhere in the world. Notably, by the end of 2024, a total of 14,000 malware packages had been detected in open source projects, up 48% from the end of 2023. This figure shows that the level of risk in this area is increasing.

Source: https://www.sggp.org.vn/ghostcontainer-lo-hong-moi-tan-cong-may-chu-microsoft-exchange-thong-qua-ma-doc-backdoor-post805372.html

