Kaspersky’s Global Research and Analysis Team (GReAT) has uncovered a new backdoor based on open-source tools, dubbed GhostContainer. The previously unknown highly customized malware was discovered during an incident response (IR) case, targeting Exchange infrastructure within government environments. The malware may be part of an advanced persistent threat (APT) campaign targeting high-value entities in Asia, including high-tech companies.
The file detected by Kaspersky as App_Web_Container_1.dll turned out to be a sophisticated, multi-functional backdoor that leverages several open-source projects and can be dynamically extended with arbitrary functionality through additional module downloads.
Once loaded, it provides attackers with full control over the Exchange server, enabling a wide range of malicious activities. To avoid detection by security solutions, it uses several evasion techniques and presents itself as a legitimate server component to blend in with normal operations. In addition, it can act as a proxy or tunnel, potentially exposing the internal network to external threats or facilitating the exfiltration of sensitive data from internal systems. Therefore, сyber espionage is suspected to be the aim of the campaign.
“Our in-depth analysis revealed that the attackers are highly skilled at exploiting Exchange systems and leveraging various open-source projects related to infiltrating IIS and Exchange environments, as well as creating and enhancing sophisticated espionage tools based on publicly available code. We will continue monitoring their activity, along with the scope and scale of these attacks, to gain a better understanding of the threat landscape.” comments Sergey Lozhkin, Head of GReAT, APAC & META.
At this time, it is not possible to attribute GhostContainer to any known threat actor group, as the attackers have not exposed any infrastructure. The malware incorporates code from several publicly accessible open-source projects, which could be leveraged by hackers or APT groups worldwide. Notably, by the end of 2024, a total of 14,000 malicious packages were identified in open-source projects — a 48% increase compared to the end of 2023 — highlighting the growing threat in this area.
Read the full report on Securelist.com
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
- Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence is a single point of access for the company’s TI, providing it with cyberattack data and insights gathered by Kaspersky spanning over 20 years.
- Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
- For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
-
As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform.
About Kaspersky
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure and governments around the globe. The company’s comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream formerly known as CIO News LinkedIn Account | The Mainstream formerly known as CIO News Facebook | The Mainstream formerly known as CIO News Youtube | The Mainstream formerly known as CIO News Twitter |The Mainstream formerly known as CIO News Whatsapp Channel | The Mainstream formerly known as CIO News Instagram
About us:
The Mainstream formerly known as CIO News is a premier platform dedicated to delivering latest news, updates, and insights from the tech industry. With its strong foundation of intellectual property and thought leadership, the platform is well-positioned to stay ahead of the curve and lead conversations about how technology shapes our world. From its early days as CIO News to its rebranding as The Mainstream on November 28, 2024, it has been expanding its global reach, targeting key markets in the Middle East & Africa, ASEAN, the USA, and the UK. The Mainstream is a vision to put technology at the center of every conversation, inspiring professionals and organizations to embrace the future of tech.
