Kaspersky Discloses New ‘SessionManager’ Backdoor Targetting Microsoft Exchange Servers


Security vendor Kaspersky has warned about a new malware that allows attackers to backdoor Microsoft Exchange servers. Dubbed SessionManager, the malicious tool has been used for the past 15 months to target NGOs, government agencies, military as well as industrial organizations across Europe, South America, Asia, and Africa.

As reported by the Kaspersky researchers, the SessionManager malware was first spotted in March 2021. The malicious software acts as a legitimate module for Microsoft’s Internet Information Services (IIS) web server. For those unfamiliar, IIS comes pre-installed on Microsoft Exchange servers.

Kaspersky found that the threat actors exploit the ProxyLogon flaw in Microsoft Exchange servers to infect vulnerable systems with SessionManager. Once deployed, the malicious IIS module lets SessionManager operators steal credentials and collect sensitive data and emails stored in the memory. It can also be used to deliver more payloads, including ProcDump, PowerSploit-based reflective loader, and Mimikat SSP.

“Such malicious modules usually expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators’ hidden instructions if any, then transparently pass the request to the server for it to be processed just like any other request,” Kaspersky researcher Pierre Delcher explained in the security advisory.

Kaspersky Discloses New 'SessionManager' Backdoor Targetting Microsoft Exchange Servers
Source: Kaspersky

Gelsemium hacker group linked to Exchange servers attacks

Kaspersky believes that the malware is operated by a hacker group called Gelsemium. The researchers noticed certain similarities between SessionManager and OwlProxy, a backdoor variant that the threat actor previously used as a part of its attacks. Furthermore, Kaspersky has observed several malware samples showing a consistent evolution during the past 15 months.

It is important to note that disinfecting Microsoft Exchange servers affected by malicious IIS modules (such as SessionManager) could be challenging for businesses. Kaspersky has provided some instructions to help security teams prevent and mitigate malware infections. You can find more details and recommended actions in Kaspersky’s security advisory.