GhostContainer Malware Hacking Exchange Servers in the Wild Using N-day Vulnerability
Kaspersky researchers have identified a highly sophisticated malware campaign targeting Microsoft Exchange servers in government and high-tech organizations across Asia.
The malware, dubbed GhostContainer, exploits known N-day vulnerabilities to establish persistent backdoor access to critical infrastructure.
Key Takeaways
1. GhostContainer uses CVE-2020-0688 vulnerability to create persistent backdoors.
2. Three-stage architecture enables web proxy, tunneling, and stealth operations within legitimate Exchange traffic.
3. APT campaign compromised government agencies and tech companies across Asia.
Advanced Backdoor Capabilities and Evasion Techniques
Kaspersky reports that the GhostContainer malware (App_Web_Container_1.dll, SHA256: 87a3aefb5cdf714882eb02051916371fbf04af2eb7a5ddeae4b6b441b2168e36) demonstrates remarkable technical sophistication through its multi-functional backdoor architecture.
The malware employs a three-class structure consisting of Stub, App_Web_843e75cf5b63, and App_Web_8c9b251fb5b3, each serving distinct operational purposes.
To evade detection, the malware immediately attempts to bypass AMSI (Antimalware Scan Interface) and Windows Event Log by overwriting specific addresses in amsi.dll and ntdll.dll.
The backdoor utilizes the Exchange server’s ASP.NET validation key, retrieved from machine configuration and hashed using SHA-256 to create a 32-byte AES encryption key for secure command and control communications.
The malware supports fourteen distinct command operations, including shellcode execution, file manipulation, .NET bytecode loading, and HTTP POST requests to multiple URLs concurrently.
Each command generates XML-formatted responses containing the hardcoded string /wEPDwUKLTcyODc4, which researchers have linked to the open-source ExchangeCmdPy.py exploitation tool.
GhostContainer Leverages Exchange Flaw (CVE-2020-0688)
Analysis reveals that GhostContainer leverages multiple open-source projects, particularly code similarities with ExchangeCmdPy.py, suggesting exploitation of CVE-2020-0688, a deserialization vulnerability in Exchange servers.
The attack employs a sophisticated virtual page injection mechanism through the App_Web_843e75cf5b63 class, which creates ghost pages using VirtualProvider classes to bypass file system checks.
The malware’s web proxy component, App_Web_8c9b251fb5b3, is based on the Neo-reGeorg tunneling tool and processes requests through custom headers: Qprtfva for proxy forwarding and Dzvvlnwkccf for socket communication.
This dual-functionality enables both web proxy operations and long-lived TCP tunnel establishment between internal networks and external command infrastructure.
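The article names two observable artifacts of this backdoor: the custom proxy headers Qprtfva and Dzvvlnwkccf in inbound requests, and the hardcoded /wEPDwUKLTcyODc4 string in every command response. The following detection snippet is an added example (not Kaspersky's code) that scans constructed sample HTTP requests for those headers, checks response bodies for the marker, and compares a file's hashes against the published IoC values; the sample traffic and header values are constructed, not captured data.

```python
import hashlib

# Header names the article attributes to the malware's web-proxy component.
SUSPICIOUS_HEADERS = {"qprtfva", "dzvvlnwkccf"}
# Marker string the article reports inside every XML command response.
RESPONSE_MARKER = "/wEPDwUKLTcyODc4"
# Published hashes of App_Web_Container_1.dll taken from the article's IoC list.
IOC_HASHES = {
    "md5": "01d98380dfb9211251c75c87ddb3c79c",
    "sha256": "87a3aefb5cdf714882eb02051916371fbf04af2eb7a5ddeae4b6b441b2168e36",
}


def flag_request(raw_request: str) -> list:
    """Return the suspicious header names present in one raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]          # drop the body, if any
    found = []
    for line in head.split("\r\n")[1:]:                 # skip the request line
        name, sep, _value = line.partition(":")
        if sep and name.strip().lower() in SUSPICIOUS_HEADERS:
            found.append(name.strip())
    return found


def flag_response(body: str) -> bool:
    """True if a response body carries the hardcoded marker string."""
    return RESPONSE_MARKER in body


def hash_matches_ioc(data: bytes) -> dict:
    """Compare a file's MD5 and SHA-256 against the published IoC hashes."""
    return {
        "md5": hashlib.md5(data).hexdigest() == IOC_HASHES["md5"],
        "sha256": hashlib.sha256(data).hexdigest() == IOC_HASHES["sha256"],
    }


# Constructed sample requests (hostnames and header values are placeholders).
SAMPLE_REQUESTS = [
    "GET /owa/auth/logon.aspx HTTP/1.1\r\nHost: mail.example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "POST /owa/auth/page.aspx HTTP/1.1\r\nHost: mail.example.test\r\nQprtfva: constructed-value\r\n\r\n",
    "POST /ecp/ HTTP/1.1\r\nHost: mail.example.test\r\nDzvvlnwkccf: constructed-value\r\n\r\n",
]


def scan_requests(requests: list) -> list:
    """Return (index, matched headers) for every request that trips a rule."""
    hits = [(i, flag_request(r)) for i, r in enumerate(requests)]
    return [(i, h) for i, h in hits if h]


if __name__ == "__main__":
    print(scan_requests(SAMPLE_REQUESTS))
```

Because these headers are not written to standard IIS logs, the request scan is meant for full-capture or reverse-proxy data; the hash check can be run directly over any App_Web_*.dll found under the Exchange temporary ASP.NET files directory.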
Current telemetry indicates that GhostContainer has successfully compromised at least two high-value targets: a key government agency and a high-tech company, both located in Asia.
The malware’s design specifically targets Exchange infrastructure within government environments, suggesting a focused APT campaign against critical national infrastructure.
Unlike traditional malware campaigns, GhostContainer operates without establishing direct connections to external C2 infrastructure. Instead, attackers connect to compromised servers from outside networks, concealing control commands within legitimate Exchange web requests.
GhostContainer C2 Commands and Functionality
| Command ID | Functionality |
|---|---|
| 0 | Get the system architecture type (e.g., x86 or x64). |
| 1 | Run received data as shellcode. |
| 2 | Execute a command line. |
| 3 | Load .NET byte code in a child thread. |
| 4 | Send a GET request. |
| 5 | Download and save a file. |
| 6 | Save provided raw data to a file. |
| 7 | Delete a file. |
| 8 | Read file contents. |
| 9 | Execute a .NET program with output. |
| 10 | Invoke the virtual page injector (App_Web_843e75cf5b63). |
| 11 | Delete files containing “App_Global” in their names. |
| 14 | Perform HTTP POST requests to multiple URLs concurrently. |
The sophisticated nature of the attack, combined with the malware’s ability to function as both a backdoor and network tunnel, indicates the involvement of a highly skilled and professional threat actor with a deep understanding of Exchange systems and web service operations.
GhostContainer Indicators of Compromise (IoC)
| Indicator Type | Value |
|---|---|
| Filename | App_Web_Container_1.dll |
| MD5 | 01d98380dfb9211251c75c87ddb3c79c |