Cybersecurity company Kaspersky has discovered a new backdoor malware called GhostContainer, which targets Microsoft Exchange servers. The malware was found during an incident response investigation involving a government system and may be part of a wider cyber espionage campaign in Asia.
Kaspersky researchers identified the file as App_Web_Container_1.dll, which turned out to be a complex backdoor built using multiple open-source tools. Once installed on a server, it gives attackers complete control, allowing them to perform various malicious actions.
The malware is designed to avoid detection by disguising itself as a legitimate server component. It can also function as a proxy or tunnel, creating a pathway for attackers to move data out of the system or let external threats into the internal network.
“Our in-depth analysis revealed that the attackers are highly skilled at exploiting Exchange systems and leveraging various open-source projects related to infiltrating IIS and Exchange environments, as well as creating and enhancing sophisticated espionage tools based on publicly available code,” said Sergey Lozhkin, head of GReAT, APAC and META.
GhostContainer has not yet been linked to any known hacking group. Its use of code from several open-source projects makes it harder to trace and more accessible to a wide range of attackers. According to Kaspersky, 14,000 malicious packages were detected in open-source projects by the end of 2024, a 48% rise from 2023, reflecting the growing use of open-source code for cyberattacks.
To help organizations protect themselves, Kaspersky recommends several steps. These include giving security teams access to updated threat intelligence, providing training on handling targeted attacks, and using advanced detection tools such as Kaspersky Endpoint Detection and Response and the Kaspersky Anti Targeted Attack Platform. The company also advises regular security awareness training to reduce risks from phishing and other social engineering methods.