According to experts from Kaspersky's Global Research and Analysis Team (GReAT), this malware is built on open source tools. It is a sophisticated, undetectable type of malware.
The GReAT team discovered it during an incident response engagement on government systems running Microsoft Exchange, the email service commonly used by businesses and educational institutions.
GhostContainer is said to be part of a sophisticated and prolonged advanced persistent threat (APT) campaign targeting key organizations in the Asia region, including major technology companies.
It is multi-functional malware whose capabilities can be extended by remotely downloading additional modules. It draws on many open source projects and has been heavily customized to avoid detection.
Once GhostContainer is installed on a system, attackers gain full control of the Exchange server and can carry out a range of dangerous actions without the users' knowledge.
The malware is disguised as a legitimate server component and uses multiple evasion techniques to avoid detection by antivirus products and to bypass security monitoring.
In addition, it can act as a proxy server or a tunnel, opening a path for attackers to move into internal systems or exfiltrate sensitive information.
"Our in-depth analysis shows that the culprit behind the attack is very proficient in penetrating the Microsoft Exchange server system," said Sergey Lozhkin, head of GReAT Asia-Pacific and Middle East-Africa at Kaspersky. "We will continue to monitor the group's activities as well as the range and level of danger of the attacks, to better understand the overall picture of the threat."
To avoid becoming victims of targeted attacks by known or as yet undetected cybercriminal groups, Kaspersky's cybersecurity experts recommend that businesses apply the following measures:
- Give security operations center (SOC) teams access to up-to-date threat intelligence sources.
- Improve the skills of the cybersecurity team so they are prepared for new threats, using online training programs designed by leading experts.
- Deploy endpoint detection and response (EDR) solutions so that signs of attack can be detected, investigated and responded to promptly at the endpoint.
- Combine these with additional security solutions at the enterprise network level to detect complex attacks that are quietly unfolding in the system at an early stage.
- Since many targeted attacks begin with phishing emails or other forms of social engineering, organize training courses to raise employees' security awareness.