A sophisticated backdoor named GhostContainer was discovered targeting Exchange servers in government and high-tech organizations in Asia, likely exploiting the CVE-2020-0688 vulnerability. This malware leverages multiple open-source projects, evades detection, and allows attackers full control over compromised Exchange infrastructure. #GhostContainer #CVE2020-0688
Keypoints
- GhostContainer is a multi-functional backdoor targeting Exchange servers, delivered via a known N-day vulnerability, suspected to be CVE-2020-0688.
- The malware uses a container DLL file named App_Web_Container_1.dll, which contains several classes including a C2 parser, virtual page injector, and a web proxy.
- The Stub class serves as a command dispatcher, performing AMSI and event log bypass, decrypting incoming commands, and impersonating system accounts for command execution.
- Command functionality includes running shellcode, executing commands, downloading files, injecting .NET bytecode, and managing files on the system.
- The backdoor employs open-source code from projects such as machinekeyfinder-aspx, ExchangeCmdPy, PageLoad_ghostfile.aspx, and a customized version of Neo-reGeorg for proxy and tunneling capabilities.
- GhostContainer establishes no outbound connections but waits for attackers to send commands hidden in normal Exchange web requests, acting as a covert communication channel.
- Victims identified include a government agency and a high-tech company in Asia, and attribution is difficult due to the use of publicly available code and lack of identifiable infrastructure.
MITRE Techniques
- [T1110] Brute Force – The malware exploits a known N-day vulnerability (likely CVE-2020-0688) to gain initial access to Exchange servers. (‘Exchange server was likely compromised via a known N-day vulnerability’)
- [T1053] Scheduled Task/Job – The malware loads .NET bytecode and shellcode dynamically to extend its functionality (‘…loading additional .NET byte code…’)
- [T1027] Obfuscated Files or Information – Uses AES encryption and Base64 encoding to hide commands and data in requests (‘…decode it as Base64… Utilize the AES key… perform AES decryption…’)
- [T1204] User Execution – The malware impersonates system and user tokens to execute commands (‘Stub checks if the current user is a system account…attempts to impersonate a user by utilizing a token…’)
- [T1176] Browser Extensions – Uses virtual ASPX pages (ghost pages) as loaders to evade detection and execute malicious .NET reflection loaders (‘…create ghost pages using classes like VirtualProvider…used to locate web proxy class…’)
- [T1573] Encrypted Channel – Communication commands are hidden and encrypted within normal web requests to the Exchange server (‘…control commands are hidden within normal Exchange web requests…’)
- [T1098] Account Manipulation – The malware impersonates users by reusing stored tokens to escalate privileges and perform actions (‘…attempts to impersonate a user by utilizing a token stored in application domain’s data storage’)
Indicators of Compromise
- [File Hashes] GhostContainer sample – MD5: 01d98380dfb9211251c75c87ddb3c79c, SHA1: 2bb0a91c93034f671696da64a2cf6191a60a79c5, SHA256: 87a3aefb5cdf714882eb02051916371fbf04af2eb7a5ddeae4b6b441b2168e36
- [File Name] Malicious container DLL – App_Web_Container_1.dll used as loader and backdoor component
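As an added hunting example that is not part of the original write-up, the Python sweep below walks a directory and flags any file whose name or hash matches the indicators listed above. The directory to scan (an Exchange web root or the ASP.NET temporary files folder) and the `build_demo_tree` fixture are assumptions made for the example, not details from the page.

```python
import hashlib
import os
import tempfile

# IoCs from the Indicators of Compromise section: sample hashes and the container DLL name.
GHOSTCONTAINER_HASHES = {
    "md5": "01d98380dfb9211251c75c87ddb3c79c",
    "sha1": "2bb0a91c93034f671696da64a2cf6191a60a79c5",
    "sha256": "87a3aefb5cdf714882eb02051916371fbf04af2eb7a5ddeae4b6b441b2168e36",
}
SUSPECT_FILENAMES = {"app_web_container_1.dll"}  # compared case-insensitively


def hash_file(path, chunk_size=1 << 20):
    """Return md5/sha1/sha256 hex digests of one file, read in chunks."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_directory(root, hashes=GHOSTCONTAINER_HASHES, names=SUSPECT_FILENAMES):
    """Walk root; return [(path, reason)], reason being "filename", "hash" or "filename+hash"."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            reasons = ["filename"] if fn.lower() in names else []
            try:
                actual = hash_file(path)
            except OSError:  # locked or unreadable file: skip it, do not abort the sweep
                continue
            if any(actual.get(alg) == value for alg, value in hashes.items()):
                reasons.append("hash")
            if reasons:
                findings.append((path, "+".join(reasons)))
    return findings


def build_demo_tree():
    """Create a constructed directory (placeholder bytes, not the real sample) to exercise the scanner."""
    root = tempfile.mkdtemp(prefix="ghostcontainer_demo_")
    with open(os.path.join(root, "App_Web_Container_1.dll"), "wb") as f:
        f.write(b"constructed placeholder bytes, not the real sample")
    with open(os.path.join(root, "web.config"), "wb") as f:
        f.write(b"<configuration/>")
    return root
```

Run `scan_directory` against the real directory of interest; the demo tree only triggers the filename rule because its bytes are placeholders, so a hash hit there would never occur.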