Kaspersky Finds New Backdoor Targeting Microsoft Exchange Server

JAKARTA - The Kaspersky Global Research and Analysis Team (GREAT) has revealed a new backdoor built on open source software, dubbed GhostContainer.

The previously unknown and highly customized malware was found during an incident response (IR) case in which it targeted Exchange infrastructure within a government environment.

"Our in-depth analysis reveals that the attackers are very skilled at exploiting the Exchange system and utilizing various open source projects," said Sergey Lozhkin, Head of GREAT, APAC & META.

The malware is likely part of an advanced persistent threat (APT) campaign targeting high-value entities in Asia, including high-tech companies.

Once loaded, the backdoor gives the attacker full control over the Exchange server, enabling a wide range of malicious activities.

To avoid detection by security solutions, GhostContainer uses several evasion techniques and disguises itself as a legitimate server component so that it blends in with normal operations.

In addition, GhostContainer can act as a proxy or tunnel, potentially exposing the internal network to external threats or facilitating the exfiltration of sensitive data from internal systems. Cyber espionage is therefore suspected to be the goal of this campaign.

Unfortunately, at this time GhostContainer cannot be linked to any known threat actor group, as the attackers have not exposed any infrastructure.

"We will continue to monitor their activities, along with the coverage and scale of these attacks, to get a better understanding of the threat landscape," he added.