Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Kaspersky Discloses New ‘SessionManager’ Backdoor Targetting Microsoft Exchange Servers

Security vendor Kaspersky has warned about a new malware that allows attackers to backdoor Microsoft Exchange servers. Dubbed SessionManager, the malicious tool has been used for the past 15 months to target NGOs, government agencies, military as well as industrial organizations across Europe, South America, Asia, and Africa.

As reported by the Kaspersky researchers, the SessionManager malware was first spotted in March 2021. The malicious software acts as a legitimate module for Microsoft’s Internet Information Services (IIS) web server. For those unfamiliar, IIS comes pre-installed on Microsoft Exchange servers.

Kaspersky found that the threat actors exploit the ProxyLogon flaw in Microsoft Exchange servers to infect vulnerable systems with SessionManager. Once deployed, the malicious IIS module lets SessionManager operators steal credentials and collect sensitive data and emails stored in the memory. It can also be used to deliver more payloads, including ProcDump, PowerSploit-based reflective loader, and Mimikat SSP.

“Such malicious modules usually expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators’ hidden instructions if any, then transparently pass the request to the server for it to be processed just like any other request,” Kaspersky researcher Pierre Delcher explained in the security advisory.

Kaspersky Discloses New 'SessionManager' Backdoor Targetting Microsoft Exchange Servers — Source: Kaspersky

Gelsemium hacker group linked to Exchange servers attacks

Kaspersky believes that the malware is operated by a hacker group called Gelsemium. The researchers noticed certain similarities between SessionManager and OwlProxy, a backdoor variant that the threat actor previously used as a part of its attacks. Furthermore, Kaspersky has observed several malware samples showing a consistent evolution during the past 15 months.

It is important to note that disinfecting Microsoft Exchange servers affected by malicious IIS modules (such as SessionManager) could be challenging for businesses. Kaspersky has provided some instructions to help security teams prevent and mitigate malware infections. You can find more details and recommended actions in Kaspersky’s security advisory.