Cyber Web Spider Blog – News
GhostContainer Malware Hacking Exchange Servers in the Wild Using N-day Vulnerability

Posted on July 17, 2025 by CWS

A highly sophisticated malware campaign is targeting Microsoft Exchange servers in government and high-tech organizations across Asia.

The malware, dubbed GhostContainer, exploits known N-day vulnerabilities to establish persistent backdoor access to critical infrastructure.

Key Takeaways
  1. GhostContainer uses the CVE-2020-0688 vulnerability to create persistent backdoors.
  2. A three-stage architecture enables web proxying, tunneling, and stealth operations inside legitimate Exchange traffic.
  3. The APT campaign compromised government agencies and tech companies across Asia.

Advanced Backdoor Capabilities and Evasion Techniques

Kaspersky reports that the GhostContainer malware (App_Web_Container_1.dll, SHA256: 87a3aefb5cdf714882eb02051916371fbf04af2eb7a5ddeae4b6b441b2168e36) demonstrates notable technical sophistication through its multi-functional backdoor architecture.

The malware uses a three-class structure consisting of Stub, App_Web_843e75cf5b63, and App_Web_8c9b251fb5b3, each serving a distinct operational purpose.

To evade detection, the malware immediately attempts to bypass AMSI (Antimalware Scan Interface) and Windows Event Log by overwriting specific addresses in amsi.dll and ntdll.dll.

The backdoor uses the Exchange server's ASP.NET validation key, retrieved from the machine configuration and hashed with SHA-256 to produce a 32-byte AES key, to encrypt its command-and-control communications.

The malware supports fourteen distinct command operations, including shellcode execution, file manipulation, .NET bytecode loading, and HTTP POST requests to multiple URLs simultaneously.

Each command generates an XML-formatted response containing the hardcoded string /wEPDwUKLTcyODc4, which researchers have linked to the open-source ExchangeCmdPy.py exploitation tool.

GhostContainer Leverages Exchange Flaw (CVE-2020-0688)

Analysis reveals that GhostContainer draws on several open-source projects, with notable code similarities to ExchangeCmdPy.py, suggesting exploitation of CVE-2020-0688, a deserialization vulnerability in Exchange servers.

The attack employs a sophisticated virtual page injection mechanism through the App_Web_843e75cf5b63 class, which creates ghost pages using VirtualProvider classes to bypass file system checks.

The malware's web proxy component, App_Web_8c9b251fb5b3, is based on the Neo-reGeorg tunneling tool and processes requests via custom headers: Qprtfva for proxy forwarding and Dzvvlnwkccf for socket communication.

This dual functionality enables both web proxy operations and the establishment of long-lived TCP tunnels between internal networks and external command infrastructure.

Current telemetry indicates that GhostContainer has compromised at least two high-value targets: a key government agency and a high-tech company, both located in Asia.

The malware's design specifically targets Exchange infrastructure within government environments, suggesting a focused APT campaign against critical national infrastructure.

Unlike traditional malware campaigns, GhostContainer operates without establishing direct connections to external C2 infrastructure.

Instead, attackers connect to compromised servers from external networks, concealing control commands inside legitimate Exchange web requests.

The sophisticated nature of the attack, combined with the malware's ability to function as both a backdoor and a network tunnel, indicates the involvement of a highly skilled and professional threat actor with a deep understanding of Exchange systems and web service operations.

GhostContainer C2 Commands and Functionality

Command ID   Functionality
0            Get the system architecture type (e.g., x86 or x64).
1            Run received data as shellcode.
2            Execute a command line.
3            Load .NET bytecode in a child thread.
4            Send a GET request.
5            Download and save a file.
6            Save provided raw data to a file.
7            Delete a file.
8            Read file contents.
9            Execute a .NET program with output.
10           Invoke the virtual page injector (App_Web_843e75cf5b63).
11           Delete files containing "App_Global" in their names.
14           Perform HTTP POST requests to multiple URLs simultaneously.

GhostContainer Indicators of Compromise (IoC)

Indicator Type   Value
Filename         App_Web_Container_1.dll
MD5              01d98380dfb9211251c75c87ddb3c79c
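The network indicators described above (the Qprtfva and Dzvvlnwkccf request headers and the /wEPDwUKLTcyODc4 response marker) and the file indicators in the table can be turned into a small triage script. The Python below is an added example written for this page; it is not Kaspersky's code and not anything from the GhostContainer sample. The HTTP messages and file bytes it checks are constructed, and feeding it raw HTTP/1.1 text is an assumption about how a responder would supply captured traffic. One caveat it encodes: /wEPDw is also the normal prefix of a base64-encoded ASP.NET __VIEWSTATE value, so that marker on its own is a weak signal and the script rates it below a header hit.

```python
"""Triage helper for the GhostContainer indicators quoted in the article.

Only the indicator values come from the article; all sample data is constructed.
"""
import hashlib
import os

# File indicators as quoted in the article.
IOC_FILENAME = "App_Web_Container_1.dll"
IOC_SHA256 = "87a3aefb5cdf714882eb02051916371fbf04af2eb7a5ddeae4b6b441b2168e36"
IOC_MD5 = "01d98380dfb9211251c75c87ddb3c79c"
# Custom headers read by the Neo-reGeorg-derived proxy component.
# HTTP header names are case-insensitive, so we compare in lowercase.
PROXY_HEADERS = ("qprtfva", "dzvvlnwkccf")
# Hardcoded string in command responses. "/wEPDw" is also the usual prefix
# of a base64 ASP.NET __VIEWSTATE blob, so on its own this is a weak signal.
RESPONSE_MARKER = "/wEPDwUKLTcyODc4"


def parse_http_message(raw: str):
    """Split a raw HTTP/1.1 message into (start line, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def triage_exchange(request_raw: str, response_raw: str) -> dict:
    """Score one request/response pair against the article's network indicators."""
    _, req_headers, _ = parse_http_message(request_raw)
    _, _, resp_body = parse_http_message(response_raw)
    proxy_hits = sorted(h for h in PROXY_HEADERS if h in req_headers)
    marker = RESPONSE_MARKER in resp_body
    if proxy_hits:
        verdict = "high"   # undocumented headers on an Exchange request: investigate
    elif marker:
        verdict = "low"    # may simply be ViewState; correlate with other signals
    else:
        verdict = "none"
    return {"proxy_headers": proxy_hits, "marker_in_response": marker, "verdict": verdict}


def classify_dll(path: str, data: bytes) -> str:
    """Compare a file against the article's file-based IoCs.

    Returns 'hash_match' when the MD5 or SHA-256 equals the published sample,
    'name_match' when only the filename matches (a different build, or an
    unrelated compiled ASP.NET assembly that deserves a closer look), else 'clean'.
    """
    sha256 = hashlib.sha256(data).hexdigest()
    md5 = hashlib.md5(data).hexdigest()
    if sha256 == IOC_SHA256 or md5 == IOC_MD5:
        return "hash_match"
    if os.path.basename(path).lower() == IOC_FILENAME.lower():
        return "name_match"
    return "clean"


# Constructed sample traffic (not real captures); header value is a placeholder.
SAMPLE_TUNNEL_REQUEST = (
    "POST /owa/auth/placeholder.aspx HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "Qprtfva: placeholder-value\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_NORMAL_REQUEST = "GET /owa/ HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"
SAMPLE_VIEWSTATE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<input type="hidden" name="__VIEWSTATE" value="/wEPDwUKLTcyODc4AAAA" />'
)
SAMPLE_PLAIN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    print(triage_exchange(SAMPLE_TUNNEL_REQUEST, SAMPLE_PLAIN_RESPONSE))
    print(triage_exchange(SAMPLE_NORMAL_REQUEST, SAMPLE_VIEWSTATE_RESPONSE))
    print(classify_dll("App_Web_Container_1.dll", b"constructed bytes, not the sample"))
```

Run against real data, `triage_exchange` would be fed each request/response pair from a proxy or packet capture in front of the Exchange server, and `classify_dll` would be run over the compiled assemblies under the ASP.NET temporary files directory; a `name_match` on a file whose hash differs from the published one is exactly the case worth pulling for analysis, since the article gives one hash for one build.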


Tags: Exchange, GhostContainer, Hacking, Malware, Nday, Servers, Vulnerability, Wild
