Redazione RHC : 3 August 2025 09:37
Kaspersky Lab specialists have discovered a new backdoor called GhostContainer, based on open-source tools. Researchers believe the appearance of this malware may be part of a sophisticated targeted campaign targeting large organizations in Asia, including high-tech companies. The attackers are presumably aiming for cyber espionage.
The malware was discovered in response to an incident involving attacks on Exchange infrastructure in the public sector. The researchers focused on the App_Web_Container_1.dll file, which turned out to be a complex, multifunctional backdoor based on several open-source projects. The malware can dynamically expand and acquire new functionality by loading additional modules.
Installing a backdoor gives attackers full control over the Exchange server, opening up numerous opportunities for further malicious activity. The malware uses various methods to evade detection and disguises itself as a server component to blend in with standard operations.
The backdoor can act as a proxy or tunnel server, which, according to experts, exposes the company’s entire internal network to external threats and also creates the risk of confidential data leakage.
“Our research has shown that attackers are highly technically skilled: they understand the vulnerabilities of Exchange systems and are capable of creating and improving complex espionage tools based on publicly available code.”
Kaspersky also added, “Although the first incidents were recorded in Asia, there is a possibility that attackers could use the malware discovered in other regions. While there is currently insufficient information to attribute GhostContainer to a known group, we will continue to monitor the backdoor’s activity to better understand the threat landscape,” comments Sergey Lozhkin, GReAT head for the APAC and META regions.
Redazione