A sophisticated cyber espionage campaign has been identified, targeting Microsoft Exchange servers within government and high-tech organizations across Asia. The malware, known as GhostContainer, exploits known vulnerabilities to establish persistent backdoor access, posing significant threats to critical infrastructure.
Advanced Backdoor Capabilities and Evasion Techniques
GhostContainer demonstrates remarkable technical sophistication through its multi-functional backdoor architecture. The malware employs a three-class structure consisting of Stub, App_Web_843e75cf5b63, and App_Web_8c9b251fb5b3, each serving distinct operational purposes.
To evade detection, GhostContainer immediately attempts to bypass the Antimalware Scan Interface (AMSI) and Windows Event Log by overwriting specific addresses in amsi.dll and ntdll.dll. The backdoor utilizes the Exchange server’s ASP.NET validation key, retrieved from machine configuration and hashed using SHA-256 to create a 32-byte AES encryption key for secure command and control communications.
The malware supports fourteen distinct command operations, including shellcode execution, file manipulation, .NET bytecode loading, and HTTP POST requests to multiple URLs concurrently. Each command generates XML-formatted responses containing the hardcoded string /wEPDwUKLTcyODc4, which researchers have linked to the open-source ExchangeCmdPy.py exploitation tool.
Exploitation of Exchange Vulnerability (CVE-2020-0688)
Analysis reveals that GhostContainer borrows from multiple open-source projects and shows particular code similarity with ExchangeCmdPy.py, which suggests exploitation of CVE-2020-0688, a deserialization vulnerability in Exchange servers. The attack employs a sophisticated virtual page injection mechanism through the App_Web_843e75cf5b63 class, which creates ghost pages using VirtualProvider classes to bypass file system checks.
The malware’s web proxy component, App_Web_8c9b251fb5b3, is based on the Neo-reGeorg tunneling tool and processes requests through custom headers: Qprtfva for proxy forwarding and Dzvvlnwkccf for socket communication. This dual-functionality enables both web proxy operations and long-lived TCP tunnel establishment between internal networks and external command infrastructure.
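The two request headers above and the response marker from the command section are the concrete network indicators this report gives, so here is an added detection example (not code from the report or from the malware) that scans raw HTTP captures for them. The captures, header values and the `scan` helper are constructed for illustration; in practice the input would come from a reverse proxy or packet capture in front of the Exchange server, since IIS logs do not record custom request headers by default.

```python
from typing import Dict, List

# Indicators taken from the report: custom request headers used by the
# Neo-reGeorg-based proxy component and the marker string found in the
# backdoor's XML responses. Header names are compared case-insensitively.
PROXY_HEADERS = ("qprtfva", "dzvvlnwkccf")
RESPONSE_MARKER = "/wEPDwUKLTcyODc4"


def parse_http(raw: str) -> Dict[str, object]:
    """Split a raw HTTP message into start line, lowercase header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers, "body": body}


def ghostcontainer_findings(raw: str) -> List[str]:
    """Return one finding string per GhostContainer indicator seen in the message."""
    msg = parse_http(raw)
    findings = []
    for h in PROXY_HEADERS:
        if h in msg["headers"]:
            findings.append(f"proxy header {h} in: {msg['start']}")
    # Match the full marker: the short prefix /wEPDw also begins legitimate
    # ASP.NET __VIEWSTATE values, so a prefix-only match would be noisy.
    if RESPONSE_MARKER in msg["body"]:
        findings.append(f"response marker in body of: {msg['start']}")
    return findings


def scan(captures: List[str]) -> List[str]:
    return [f for c in captures for f in ghostcontainer_findings(c)]


# Constructed sample captures (not real traffic); header values are placeholders.
SAMPLES = [
    "GET /owa/auth/logon.aspx HTTP/1.1\r\nHost: mail.example.test\r\n\r\n",
    "POST /owa/auth/x.aspx HTTP/1.1\r\nHost: mail.example.test\r\nQprtfva: forward\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n<r>/wEPDwUKLTcyODc4...</r>",
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```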
Targeted Organizations and Operational Tactics
Current telemetry indicates that GhostContainer has successfully compromised at least two high-value targets: a key government agency and a high-tech company, both located in Asia. The malware’s design specifically targets Exchange infrastructure within government environments, suggesting a focused Advanced Persistent Threat (APT) campaign against critical national infrastructure.
Unlike traditional malware campaigns, GhostContainer operates without establishing direct connections to external command and control (C2) infrastructure. Instead, it utilizes the compromised Exchange servers to relay commands and exfiltrate data, blending malicious activities with legitimate server traffic to evade detection.
Command and Control Functionality
GhostContainer’s backdoor supports a range of commands, including:
– Retrieving system architecture type
– Executing shellcode
– Running command-line instructions
– Loading .NET bytecode
– Performing HTTP GET requests
– Downloading and saving files
– Saving raw data to files
– Deleting files
– Reading file contents
– Executing .NET assemblies
These capabilities enable the attackers to maintain control over the compromised servers, execute arbitrary code, and exfiltrate sensitive information.
Broader Context of Exchange Server Exploitation
The exploitation of Microsoft Exchange servers is not an isolated incident. In recent years, multiple threat actors have targeted Exchange vulnerabilities to deploy various forms of malware, including backdoors and ransomware.
For instance, in 2021, the Hafnium group exploited zero-day vulnerabilities in Exchange servers, leading to widespread data breaches. Similarly, the Turla hacking group targeted Exchange servers with the DeliveryCheck backdoor, turning them into command and control centers for further attacks.
These incidents underscore the critical need for organizations to promptly apply security patches and implement robust monitoring to detect and mitigate such sophisticated threats.
Recommendations for Mitigation
To defend against threats like GhostContainer, organizations should:
– Regularly update and patch Exchange servers to address known vulnerabilities.
– Implement network segmentation to limit the spread of malware.
– Monitor server logs for unusual activities indicative of compromise.
– Employ advanced threat detection solutions capable of identifying sophisticated malware.
– Conduct regular security audits and penetration testing to identify and remediate potential weaknesses.
By adopting these measures, organizations can enhance their resilience against advanced persistent threats targeting critical infrastructure.