Kaspersky identifies new backdoor targeting Microsoft Exchange servers

GhostContainer leverages open-source tools

Kaspersky researchers have uncovered a new backdoor built on open-source tools, dubbed GhostContainer. It leverages open-source projects to evade detection and exfiltrate data, making cyber espionage the likely motive.

During a real-world incident response, the Kaspersky Global Research and Analysis Team (GReAT) uncovered a file, App_Web_Container_1.dll, disguised as a legitimate server component. The cloaked file deployed advanced evasion tactics, mimicking normal server operations to infiltrate Exchange infrastructure.

Researchers found that GhostContainer could also transform into a covert proxy or tunneling tool, potentially exposing an organization’s internal network to anyone who was interested. This capability not only puts sensitive data at risk of exfiltration but also creates a hidden pathway for external threats to exploit internal resources.

While investigators have not definitively linked GhostContainer to any particular threat actor or group, Kaspersky researchers believe cyber-espionage to be the main motivator for those who created it.

Researchers noted that GhostContainer’s hallmarks—sophisticated Exchange manipulation and the adept use of open-source tools for infiltrating IIS and Exchange environments—point strongly to a focus on surveillance and information gathering.

“Our in-depth analysis revealed that the attackers are highly skilled at exploiting Exchange systems and leveraging various open-source projects related to infiltrating IIS and Exchange environments, as well as creating and enhancing sophisticated espionage tools based on publicly available code,” commented Sergey Lozhkin, Head of GReAT, APAC & META.

As yet, the attackers have not exposed any of their infrastructure. The malware’s reliance on open-source code underscores a wider trend: by the end of 2024, researchers had identified 14,000 malicious packages lurking in open-source projects, a 48% surge over the previous year, highlighting the expanding landscape of software supply chain threats.