Kaspersky specialists discovered the new malware while investigating an incident related to attacks on Exchange infrastructure in the public sector. They noticed the file App_Web_Container_1.dll. It turned out to be a complex, multifunctional backdoor based on several open-source projects. The malware is capable of dynamically expanding and gaining new functionality by loading additional modules.
Once installed, the backdoor gives attackers complete control over the Exchange server, which opens up wide scope for further malicious activity. At the same time, the malware uses various techniques to evade security products and disguises itself as a server component so that it blends in with normal server operations. The backdoor can also act as a proxy server or tunnel, which exposes the company's entire internal network to external threats and creates the risk of confidential data leakage.
Sergey Lozhkin, Head of Kaspersky GReAT in APAC and META, said:
Our research has shown that the attackers are technically savvy: they understand Exchange system vulnerabilities and know how to create and improve sophisticated tools for espionage based on publicly available code. Although the first incidents were recorded in Asia, it is likely that attackers may use the detected malware in other regions as well.