New 'SessionManager' Backdoor Aimed at Microsoft IIS Servers Out in the Wild

New 'SessionManager' Backdoor Aimed at Microsoft IIS Servers Out in the Wild

Many organizations around the world have been infected with a newly discovered malware since March 2021, when it was first discovered and has been exploited to gain access to Microsoft Exchange servers belonging to a wide range of organizations.

After exploiting one of the ProxyLogon vulnerabilities that are present in Exchange servers, the malicious tool, which has been given the name SessionManager, masquerades as a module for Internet Information Services (IIS), which is web server software for Windows-based systems.

There were a total of twenty-four different non-governmental organizations (NGOs), as well as government, military, and industrial organizations that were targeted. These organizations were located in Africa, South America, Asia, Europe, Russia, and the Middle East. To this day, a SessionManager variant has successfully breached the security of a total of 34 servers.

This is not even close to the first time that the technique has been seen used in attacks in the real world. The use of a malicious IIS module as a method to covertly distribute implants has echoes in an Outlook credential stealer known as Owowa, which was discovered in December of 2021.

"Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant, and relatively stealthy access to the IT infrastructure of a targeted organization," said Pierre Delcher, a researcher at Kaspersky. "This could be for the purpose of collecting emails, updating further malicious access, or clandestinely managing compromised servers that can be leveraged as malicious infrastructure."

The Russian cybersecurity company was able to attribute the intrusions with a level of confidence ranging from medium to high to an adversary known as Gelsemium. As evidence, they pointed to overlaps in the malware samples linked to the two groups and victims targeted.

Since it was disclosed in March 2021, ProxyLogon has drawn the attention of multiple threat actors on multiple occasions. The most recent attack chain is no exception, with the Gelsemium crew exploiting the flaws to drop SessionManager, a backdoor written in C++ that is designed to process HTTP requests that are sent to the server.

"Such malicious modules typically anticipate seemingly legitimate but specifically crafted HTTP requests from their operators," explained Delcher. "They then trigger actions based on the operators' hidden instructions, if any, and then transparently pass the request to the server so that it can be processed just like any other request."

SessionManager is included with the capabilities to read, write, and delete arbitrary files; execute binaries from the server; and establish communications with other endpoints in the network. It is described as a "lightweight persistent initial access backdoor."

The malware also functions as a covert channel to conduct reconnaissance, collect passwords stored in memory, and deliver additional tools such as Mimikatz and an Avast memory dump utility. It does all of these things by gathering passwords stored in memory.

The findings come at a time when the United States Cybersecurity and Infrastructure Security Agency (CISA) has been urging government agencies and private sector entities that use the Exchange platform to switch from the legacy Basic Authentication method to Modern Authentication alternatives in advance of the method's deprecation on October 1, 2022.


Your suggestions and comments are welcome

Post a Comment

Your suggestions and comments are welcome

Post a Comment (0)

Previous Post Next Post