Kaspersky's Global Research and Analysis Team (GReAT) has discovered new software for covert remote control of an infected device. The GhostContainer backdoor is based on open-source tools. It is believed that the attackers' goal is cyber espionage.
Kaspersky specialists discovered the new malware during an investigation into an incident involving attacks on Exchange infrastructure in the public sector. Their attention was drawn to the file App_Web_Container_1.dll, which turned out to be a complex, multifunctional backdoor built on several open-source projects. The malware can dynamically extend itself and gain new functionality by loading additional modules.
Installing the backdoor gives the attackers complete control over the Exchange server, which opens the way to further malicious activity. At the same time, the malware uses various techniques to evade security tools and disguises itself as a server component in order to blend in with normal server operations. The backdoor can also act as a proxy server or tunnel, exposing the company's entire internal network to external threats and creating a risk of confidential data leakage.
Sergey Lozhkin, Head of Kaspersky GReAT in APAC and META regions, said:
Our research has shown that the attackers are technically savvy: they understand the vulnerabilities of Exchange systems and know how to create and improve complex tools for espionage based on publicly available code. Although the first incidents were recorded in Asia, there is a possibility that attackers may use the detected malware in other regions as well.