GhostContainer: Kaspersky Uncovers Elite APT Backdoor Infiltrating Asian Government Exchange Servers
A team of analysts at Kaspersky Lab has uncovered an exceptionally sophisticated piece of malware embedded within the Exchange infrastructure of governmental institutions. Based on forensic logs and the nature of the executable code, the infection appears to have been delivered through a known N-day vulnerability—most likely CVE-2020-0688. The incident is believed to be the work of a highly skilled APT group known for targeting critical entities in the Asia-Pacific region.
At the core of this operation lies a .NET-compiled file named App_Web_Container_1.dll, a 32.8 KB Mono/.NET assembly built for the Intel 80386 (x86) architecture. It carries the following checksums: MD5 01d98380dfb9211251c75c87ddb3c79c, SHA1 2bb0a91c93034f671696da64a2cf6191a60a79c5, and SHA256 87a3aefb5cdf714882eb02051916371fbf04af2eb7a5ddeae4b6b441b2168e36. The PE compilation timestamp is falsified, displaying 01.01.1970.
This file contains three principal classes: Stub, App_Web_843e75cf5b63, and App_Web_8c9b251fb5b3, supported by a utility class named StrUtils. The entry point is the Stub class, which functions as a C2 command parser. It processes remote attacker commands such as shellcode execution, system command invocation, file and .NET bytecode loading, web page injection, and operating as both a proxy and a tunneling agent.
The first action executed by Stub is the disabling of AMSI and Windows event logging by in-memory tampering with amsi.dll and ntdll.dll. It then retrieves the ASP.NET validation key, derives an AES encryption key from it via SHA-256, and uses that key to encrypt and decrypt data exchanged through the x-owa-urlpostdata HTTP header; commands are AES-encrypted and Base64-encoded. Once decrypted, each command is parsed by ID and executed. If required, the module can impersonate a system user by leveraging application context tokens.
The supported commands, interpreted by the Stub module, include:

| Command ID | Description |
|---|---|
| 0 | Get the architecture type (e.g., x86 or x64) |
| 1 | Run received data as shellcode |
| 2 | Execute a command line |
| 3 | Load .NET bytecode in a child thread |
| 4 | Send a GET request |
| 5 | Download and save a file |
| 6 | Save provided raw data to a file |
| 7 | Delete a file |
| 8 | Read file contents |
| 9 | Execute a .NET program with output |
| 10 | Invoke a virtual page injector (create an instance of class App_Web_843e75cf5b63) |
| 11 | Iterate and delete files whose names contain App_Global in the defined folder and its subdirectories |
| 14 | Perform HTTP POST requests to multiple URLs concurrently |
Each command's response is returned in XML format, with the value element consistently beginning with /wEPDwUKLTcyODc4, indicating a resemblance to the ExchangeCmdPy.py project used for exploiting CVE-2020-0688.
The second class, App_Web_843e75cf5b63, is responsible for generating virtual ASPX pages. Derived from the open-source project PageLoad_ghostfile.aspx, it uses VirtualProvider-like classes to dynamically render pages. It requires two parameters: a dummy page name and a path. The content is Base64-encoded ASPX code which, when executed, launches the next key component: App_Web_8c9b251fb5b3.
This third module functions as a hybrid web proxy and tunnel. It leverages the custom headers Qprtfva and Dzvvlnwkccf to route requests. The former initiates proxy sessions: decoding URLs from Base64, cloning requests, forwarding them to target addresses, and returning the responses to the user. The latter establishes and controls TCP tunnels between internal and external nodes. Connections are identified via unique socket names (the first 22 bytes), with control commands beginning at byte 23 to manage connection lifecycle and data flow.
Tunnel control commands include:

- 1iGBIM1C5…: Decode IP and port, establish connection, store socket
- vfhafFQZ4…: Close and remove socket
- M4LubGO0x…: Forward data from HTTP request to internal network
- NYIJVBf2PX…: Retrieve data from internal network and respond via HTTP
The utility class StrUtils handles basic operations: string parsing, path sanitization, and XML value extraction, although the XML methods are not explicitly invoked elsewhere.
What sets GhostContainer apart is its stealth: it establishes no outbound connections and relies solely on standard Exchange requests for communication, blending seamlessly into legitimate traffic and evading traditional detection mechanisms.
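Because the implant generates no outbound traffic, the practical hunting surface is what this article already lists: the file hashes of App_Web_Container_1.dll and the three custom request headers. As an added example (not code from Kaspersky's report or from this article), the Python script below turns those indicators into two defender-side checks: a hash sweep of a directory tree against the three checksums given above, and a triage of request/response pairs for the x-owa-urlpostdata, Qprtfva and Dzvvlnwkccf headers. The sample exchanges, the function names and the scratch-directory demo are constructed for illustration. One caveat a practitioner should keep in mind is encoded in the code: the /wEPDwU… prefix is how ordinary ASP.NET ViewState begins, so the script treats the /wEPDwUKLTcyODc4 response prefix only as corroboration of a header hit, never as an indicator on its own.

```python
import hashlib
import os
import tempfile

# File-hash indicators for App_Web_Container_1.dll, copied from the report text.
FILE_HASHES = {
    "md5": "01d98380dfb9211251c75c87ddb3c79c",
    "sha1": "2bb0a91c93034f671696da64a2cf6191a60a79c5",
    "sha256": "87a3aefb5cdf714882eb02051916371fbf04af2eb7a5ddeae4b6b441b2168e36",
}

# Request headers the implant abuses for C2 (x-owa-urlpostdata), proxying
# (Qprtfva) and tunnelling (Dzvvlnwkccf). HTTP header names are
# case-insensitive, so everything is lower-cased before comparison.
C2_HEADERS = {"x-owa-urlpostdata", "qprtfva", "dzvvlnwkccf"}

# Response prefix noted in the report. "/wEPDwU" is also how every ordinary
# ASP.NET __VIEWSTATE begins, so it is only used to corroborate a header hit.
RESPONSE_PREFIX = "/wEPDwUKLTcyODc4"


def hash_file(path):
    """Compute MD5, SHA-1 and SHA-256 of a file in a single pass."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in digests.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def scan_directory(root):
    """Return paths under root whose hash matches the known sample."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            found = hash_file(path)
            if any(found[algo] == value for algo, value in FILE_HASHES.items()):
                hits.append(path)
    return sorted(hits)


def score_exchange(request_headers, response_body):
    """Return the indicator names triggered by one request/response pair."""
    present = {name.lower() for name in request_headers}
    findings = sorted(C2_HEADERS & present)
    # The ViewState-looking prefix alone is far too common to alert on; it only
    # strengthens a finding that already has a suspicious header.
    if findings and response_body.startswith(RESPONSE_PREFIX):
        findings.append("response-prefix-corroborates-c2")
    return findings


# Constructed sample traffic (not real captures): one benign OWA exchange,
# one carrying the C2 header, one carrying the tunnel header.
SAMPLE_EXCHANGES = [
    {"id": 1, "headers": {"Host": "mail.example.test", "Cookie": "OWA=1"},
     "body": "/wEPDwUKLTcyODc4AAAAZGQ="},
    {"id": 2, "headers": {"Host": "mail.example.test", "X-OWA-UrlPostData": "Zm9v"},
     "body": "/wEPDwUKLTcyODc4AAAAZGQ="},
    {"id": 3, "headers": {"Host": "mail.example.test", "Dzvvlnwkccf": "AAAA"},
     "body": "<html></html>"},
]


def triage(exchanges):
    """Map exchange id -> findings for every exchange that triggered anything."""
    report = {}
    for ex in exchanges:
        findings = score_exchange(ex["headers"], ex["body"])
        if findings:
            report[ex["id"]] = findings
    return report


def demo_scan():
    """Hash a known-benign (empty) file in a scratch directory; no hits expected."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "App_Web_benign.dll")
        open(benign, "wb").close()
        return scan_directory(tmp), hash_file(benign)["sha256"]


if __name__ == "__main__":
    print(triage(SAMPLE_EXCHANGES))
    print(demo_scan())
```

In production the request/response pairs would come from a reverse proxy or web-application-firewall log that records request headers (default IIS W3C logging does not), and scan_directory would be pointed at the Exchange and IIS temporary ASP.NET file directories where compiled App_Web_* assemblies live.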
To date, at least two confirmed intrusions have been documented: one targeting a major government entity and another involving a high-tech corporation—both located in Asia. While certain portions of the codebase borrow from public projects like Neo-reGeorg, ExchangeCmdPy, and others, the overarching design and implementation of GhostContainer are uniquely sophisticated, reflecting a high degree of technical mastery.
This campaign reveals an intimate understanding of the inner workings of Exchange and IIS, combined with the adept adaptation of modular components tailored to precise objectives. Investigators believe the operation is orchestrated by a mature, highly capable adversary. Their analysis is ongoing.