GhostContainer backdoor targets Microsoft Exchange servers in stealth espionage campaign
A newly uncovered malware dubbed GhostContainer is targeting Microsoft Exchange servers at high-value organizations in Asia, enabling covert access and data exfiltration through known software vulnerabilities.
Discovered by Kaspersky’s Global Research and Analysis Team during a recent incident response, the campaign affected at least one major government agency and a leading technology firm. Investigators believe attackers exploited an existing deserialization flaw—likely CVE-2020-0688—to deploy a malicious DLL named App_Web_Container_1.dll, which masquerades as a legitimate Exchange component.
GhostContainer is a modular, multi-stage backdoor that grants operators full control over compromised servers. It integrates fragments of publicly available code, including Neo-reGeorg for tunnelling, ExchangeCmdPy.py for command execution, and machinekeyfinder-aspx for cryptographic key extraction. The malware supports in-memory shellcode execution, file manipulation, .NET bytecode loading and concurrent HTTP requests. It also functions as an internal proxy, bridging segmented environments with external command operations.
Commands are embedded within regular Exchange web traffic, allowing the malware to avoid direct outbound connections to command-and-control servers. This design enhances operational stealth and complicates detection.
To further evade scrutiny, GhostContainer bypasses Windows Event Logging and Microsoft’s Antimalware Scan Interface using memory overwrites. It dynamically loads modules mid-attack, allowing adversaries to adapt in real time.
Kaspersky analysts believe the campaign is cyberespionage-driven, noting the lack of ransomware or destructive elements. Attribution remains inconclusive due to reliance on open-source tools, though the attack’s precision suggests the work of an advanced persistent threat (APT) group.
One indicator of compromise (IOC) tied to this campaign is the SHA-256 hash of the malicious DLL:
87a3aefb5cdf714882eb02051916371fbf04af2eb7a5ddeae4b6b441b2168e36
Security experts recommend organizations take the following steps immediately:
- Patch known vulnerabilities in Microsoft Exchange.
- Validate the integrity of all Exchange server modules.
- Monitor internal web traffic for suspicious command patterns.
- Deploy endpoint detection tools capable of spotting living-off-the-land techniques.
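One way to carry out the integrity check above, as an added PowerShell example that is not from the article or from Kaspersky: it sweeps candidate Exchange directories for the published hash and file name and lists unsigned DLLs outside the compiled ASP.NET cache. The scan roots are assumptions to adjust per deployment; the hash and DLL name are the ones the article reports.

```powershell
# Added example, not the article's or Kaspersky's code. Sweeps Exchange-related
# directories for the GhostContainer indicators and for unsigned DLLs.
# Scan roots are assumptions; adjust to the local Exchange layout.
$ScanRoots = @(
    (Join-Path $env:SystemRoot 'Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files')
)
if ($env:ExchangeInstallPath) {
    $ScanRoots += Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'
    $ScanRoots += Join-Path $env:ExchangeInstallPath 'ClientAccess'
}

# Indicators reported in the article.
$KnownBadHash   = '87a3aefb5cdf714882eb02051916371fbf04af2eb7a5ddeae4b6b441b2168e36'
$SuspiciousName = 'App_Web_Container_1.dll'

$findings = foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $reasons = @()
            # A hash or name match is a direct hit; attackers can change both,
            # so treat a clean result as "no known sample found", not "clean".
            if ($hash -eq $KnownBadHash)      { $reasons += 'SHA-256 matches published IOC' }
            if ($_.Name -ieq $SuspiciousName) { $reasons += 'file name matches reported backdoor DLL' }
            # Compiled ASP.NET pages (App_Web_*) are normally unsigned, so only
            # report unsigned DLLs elsewhere; those need manual review.
            if ($sig.Status -ne 'Valid' -and $_.Name -notlike 'App_Web_*') {
                $reasons += "Authenticode status: $($sig.Status)"
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    SHA256    = $hash
                    LastWrite = $_.LastWriteTimeUtc
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No GhostContainer indicators or unsigned DLLs found in the scanned roots.' }
```

Run it elevated on the Exchange server; unsigned App_Web_*.dll files in the Temporary ASP.NET Files cache are expected, so compare their timestamps and contents against a known-good server rather than treating the absence of a signature as proof either way.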
