In a recent incident response operation, Kaspersky Labs uncovered a highly sophisticated backdoor named GhostContainer, designed to infiltrate Microsoft Exchange infrastructure within government and high-tech environments in Asia. The malware exhibits advanced evasion, tunneling, and modularity capabilities, suggesting the work of a well-resourced APT group with deep knowledge of Exchange internals.
The intrusion likely began via exploitation of an N-day vulnerability, potentially CVE-2020-0688, which enables remote code execution on vulnerable Exchange servers. Once compromised, the attackers deployed a multi-functional backdoor cloaked under the name App_Web_Container_1.dll.
This 32.8 KB .NET assembly disguises itself as a legitimate Exchange component, embedding a full command-and-control (C2) framework into the web server workflow. Once loaded by the Exchange service, the malware’s Stub class initiates execution, parsing AES-encrypted commands sent via HTTP headers and executing shellcode, commands, or downloading additional payloads.
“Once loaded, the backdoor grants the attackers full control over the Exchange server… it can function as a proxy or tunnel, potentially exposing the internal network to external threats,” Kaspersky’s report reveals.
GhostContainer incorporates elements from multiple open-source tools:
- machinekeyfinder-aspx for encryption key generation.
- ExchangeCmdPy.py, which Kaspersky notes shares remarkable code similarity with the Stub class.
- PageLoad_ghostfile.aspx to create ghost pages in IIS, enabling stealthy payload execution.
- Neo-reGeorg, a well-known tunneling framework, repurposed as a covert web proxy and TCP tunnel.
The modular structure comprises four classes:
- Stub – Handles AMSI bypass, command parsing, and C2 logic.
- App_Web_843e75cf5b63 – A virtual page injector enabling payloads to be executed through fake ASPX pages.
- App_Web_8c9b251fb5b3 – A tunneling and proxy module, capable of forwarding HTTP requests or creating long-lived socket connections.
- StrUtils – A utility library for string manipulation and XML parsing.
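Since the backdoor lives on disk as a .NET assembly carrying the class names and header string listed above, a first hunting step is a content scan of the Exchange web directories. The script below is an added example written for this article, not Kaspersky's tooling or anything from the report; the indicator list is taken from the names the article gives (the file name, the two `App_Web_*` class names, the `x-owa-urlpostdata` header and the Neo-reGeorg tool name), and the sample DLLs it creates are constructed for the demonstration. The search directory and file extensions are assumptions to adapt to the host.

```python
"""Hunt for GhostContainer-style indicators in .NET assemblies on an Exchange host.

Added example, not Kaspersky's tooling. Indicators come from the article; the
demo files written by build_demo_tree() are constructed, not real samples.
"""
import os
import tempfile

# .NET stores type and member names as UTF-8 in the #Strings metadata heap and
# string literals as UTF-16LE in the #US heap, so every indicator is searched
# in both encodings. "Stub" is deliberately left out: the name is too generic.
FILE_NAME_IOCS = {"app_web_container_1.dll"}
STRING_IOCS = [
    "x-owa-urlpostdata",      # header carrying encrypted commands
    "App_Web_843e75cf5b63",   # virtual page injector class
    "App_Web_8c9b251fb5b3",   # tunnelling / proxy class
    "Neo-reGeorg",            # tunnelling framework repurposed by the backdoor
]
SCAN_EXTENSIONS = (".dll", ".aspx")  # assumption: compiled pages and assemblies


def scan_bytes(name, data):
    """Return the indicators found in one file (name match is case-insensitive)."""
    hits = []
    if name.lower() in FILE_NAME_IOCS:
        hits.append("filename:" + name)
    for ioc in STRING_IOCS:
        if ioc.encode("utf-8") in data or ioc.encode("utf-16-le") in data:
            hits.append("string:" + ioc)
    return hits


def scan_directory(root):
    """Walk a directory tree and map each flagged path to its indicator hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                hits = scan_bytes(fn, fh.read())
            if hits:
                findings[path] = hits
    return findings


def build_demo_tree():
    """Constructed sample tree: one benign-looking DLL and one that embeds indicators."""
    root = tempfile.mkdtemp(prefix="ghostcontainer_demo_")
    with open(os.path.join(root, "Microsoft.Exchange.Sample.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 64 + b"Microsoft.Exchange.Diagnostics\0")
    with open(os.path.join(root, "App_Web_Container_1.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 64
                 + b"Stub\0App_Web_843e75cf5b63\0"          # UTF-8 type names
                 + "x-owa-urlpostdata".encode("utf-16-le"))  # UTF-16LE literal
    return root


if __name__ == "__main__":
    for path, hits in scan_directory(build_demo_tree()).items():
        print(path, "->", ", ".join(hits))
```

On a real server, point `scan_directory` at the Exchange installation and the ASP.NET temporary compilation directories rather than the demo tree; a filename hit alone is weak evidence, whereas a class-name or header-string hit inside an assembly that Exchange did not ship warrants pulling the file for analysis.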
“The primary behavior of the module is focused on parsing requests the attacker sends to the fake web page… depending on custom HTTP headers, the malware establishes either a web proxy or a tunnel,” the report explains.
To avoid detection, GhostContainer disables the Antimalware Scan Interface (AMSI) and bypasses Windows Event Logging by directly modifying system DLL memory. It retrieves the machine’s ASP.NET validation key to perform AES encryption, ensuring that command and control data is not visible in plain traffic.
The attacker sends commands in the x-owa-urlpostdata HTTP header; the backdoor decodes, decrypts, and then executes them. Supported actions include:
- Executing shellcode
- Running arbitrary commands
- Uploading or downloading files
- Running .NET bytecode
- Performing HTTP requests
- Proxying or tunneling internal traffic to external destinations
Remarkably, no external C2 infrastructure has been identified. GhostContainer functions passively, waiting for the attacker to send requests directly to the Exchange server. This drastically reduces its detectability and complicates attribution.
“The GhostContainer backdoor does not establish a connection to any C2 infrastructure… their control commands are hidden within normal Exchange web requests,” the report discloses.
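Because the backdoor never calls out, egress monitoring will not catch it; the only observable channel is the inbound request carrying the x-owa-urlpostdata header described above. The script below is an added example for this article, not code from the Kaspersky report: it parses raw HTTP requests, finds that header case-insensitively, and scores its value by length and Shannon entropy, on the reasoning that an encoded AES ciphertext blob looks nothing like the short, structured values ordinary headers carry. The length and entropy thresholds, the request paths, and the two sample requests are constructed assumptions; treat a hit as a hunting lead to baseline against your own OWA traffic rather than as proof of compromise.

```python
"""Score inbound Exchange HTTP requests for the GhostContainer command channel.

Added example, not from the Kaspersky report. Thresholds, paths and sample
requests are constructed for the demonstration.
"""
import base64
import hashlib
import math

HEADER = "x-owa-urlpostdata"
MIN_LEN = 64        # assumption: an encoded encrypted command is not tiny
MIN_ENTROPY = 4.5   # assumption, bits per character; base64 ciphertext sits near 5.5-6


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, {lowercase name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def shannon_entropy(s):
    """Empirical entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_request(raw):
    """Return a finding dict; 'suspicious' is set when the header holds a long, high-entropy value."""
    request_line, headers = parse_request(raw)
    value = headers.get(HEADER)
    if value is None:
        return {"request": request_line, "header_present": False, "suspicious": False}
    ent = shannon_entropy(value)
    return {
        "request": request_line,
        "header_present": True,
        "length": len(value),
        "entropy": round(ent, 2),
        "suspicious": len(value) >= MIN_LEN and ent >= MIN_ENTROPY,
    }


def fake_blob(nbytes):
    """Deterministic stand-in for ciphertext: chained SHA-256 digests, base64-encoded."""
    out, block = b"", b"constructed-seed"
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out += block
    return base64.b64encode(out[:nbytes]).decode()


# Constructed samples. The path of the attacker's fake page is not given in the
# article, so a placeholder path is used here.
BENIGN_REQUEST = (
    "GET /owa/auth/logon.aspx HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)
SUSPECT_REQUEST = (
    "POST /owa/auth/placeholder-ghost-page.aspx HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "X-OWA-UrlPostData: " + fake_blob(128) + "\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, SUSPECT_REQUEST):
        print(inspect_request(req))
```

Run it at whatever point you can see full request headers, such as a reverse proxy, a WAF, or a packet capture in front of the Exchange server; IIS logs in their default configuration do not record custom headers, which is part of why this channel is hard to spot after the fact.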
So far, Kaspersky has identified only two confirmed victims: a key government agency and a high-tech company, both in Asia.
While the malware borrows from open-source tools, its customization and integration into Exchange reflect a mature and highly professional team. At the same time, the absence of any exposed infrastructure has made attribution difficult.