Kaspersky Discloses New ‘SessionManager’ Backdoor Targeting Microsoft Exchange Servers
Security vendor Kaspersky has warned about new malware that lets attackers backdoor Microsoft Exchange servers. Dubbed SessionManager, the malicious tool has been used for the past 15 months against NGOs, government agencies, and military and industrial organizations across Europe, South America, Asia, and Africa.
According to the Kaspersky researchers, SessionManager was first spotted in March 2021. The malware poses as a legitimate module for Microsoft’s Internet Information Services (IIS) web server. For those unfamiliar, IIS comes pre-installed on Microsoft Exchange servers.
Kaspersky found that the threat actors exploit the ProxyLogon flaw in Microsoft Exchange servers to infect vulnerable systems with SessionManager. Once deployed, the malicious IIS module lets SessionManager’s operators steal credentials and collect sensitive data and emails held in the server’s memory. It can also be used to deliver further payloads, including ProcDump, a PowerSploit-based reflective loader, and Mimikatz SSP.
“Such malicious modules usually expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators’ hidden instructions if any, then transparently pass the request to the server for it to be processed just like any other request,” Kaspersky researcher Pierre Delcher explained in the security advisory.
Gelsemium hacker group linked to Exchange server attacks
Kaspersky believes the malware is operated by a hacker group called Gelsemium. The researchers noticed similarities between SessionManager and OwlProxy, a backdoor variant the threat actor previously used as part of its attacks. Furthermore, Kaspersky has observed several malware samples showing a consistent evolution over the past 15 months.
It is important to note that disinfecting Microsoft Exchange servers affected by malicious IIS modules (such as SessionManager) could be challenging for businesses. Kaspersky has provided some instructions to help security teams prevent and mitigate malware infections. You can find more details and recommended actions in Kaspersky’s security advisory.
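One way to hunt for a rogue native IIS module like the one described above, as an added example that is not part of Kaspersky's advisory or this article: parse IIS's applicationHost.config and flag every entry in <globalModules> whose DLL loads from outside the directories such modules are expected to come from. The Exchange install path and the sample config fragment are assumptions, not values from the advisory.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Directories legitimate native modules are expected to load from.
# The Exchange path is an assumption; adjust to the server's real layout.
TRUSTED_DIRS = (
    r"C:\Windows\System32\inetsrv",
    r"C:\Program Files\Microsoft\Exchange Server\V15",
)

# Constructed applicationHost.config fragment: two stock IIS modules plus a
# third with a legitimate-sounding name that loads from a user-writable path.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="RewriteModule" image="%windir%\\System32\\inetsrv\\rewrite.dll" />
      <add name="WindowsAuthModule" image="C:\\Users\\Public\\WindowsAuthModule.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

def expand_env(path: str) -> str:
    """Expand the environment variables IIS commonly uses in module image paths."""
    return re.sub(r"%(windir|systemroot)%", lambda m: r"C:\Windows", path, flags=re.IGNORECASE)

def is_trusted(image: str) -> bool:
    """True if the DLL path lies under one of TRUSTED_DIRS (case-insensitive)."""
    p = PureWindowsPath(image.lower())
    return any(PureWindowsPath(root.lower()) in p.parents for root in TRUSTED_DIRS)

def suspicious_global_modules(config_xml: str) -> list[tuple[str, str]]:
    """Return (name, image) for every native module registered outside TRUSTED_DIRS."""
    findings = []
    for section in ET.fromstring(config_xml).iter("globalModules"):
        for mod in section.findall("add"):
            image = expand_env(mod.get("image", ""))
            if not is_trusted(image):
                findings.append((mod.get("name", "?"), image))
    return findings

if __name__ == "__main__":
    for name, image in suspicious_global_modules(SAMPLE_CONFIG):
        print(f"review: native module {name!r} loads from {image}")
```

A module name alone proves nothing, since a backdoor can register under any name; the load path and the DLL's signature are what should be checked.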
Jul 1, 2022 | Rabia Noureen