Since March 2021, threats on Microsoft IIS Servers have used a new backdoor called "SessionManager," according to Kaspersky Lab researchers.
Victims of the backdoor
SessionManager, the malicious software that takes advantage of one of the ProxyLogon vulnerabilities in Exchange servers, poses as a module for Internet Information Services (IIS), a virtual server application for Windows systems.
The 24 different targets were spread over the continents of Africa, South America, Asia, Europe, Russia, and the Middle East. They also included political, military, and industrial institutions. To date, a SessionManager variation has compromised 34 servers in total.
Due to the comparable victims and a widely used OwlProxy variation, the researchers describe the attack as the GELSEMIUM malicious attacker.
Features supported by SessionManager:
- On the hacked server, reading, writing to, and deleting arbitrary files is possible.
- Remote command execution also runs on arbitrary programs from the compromised server.
- Creating connections to any network endpoints that the hacked server is capable of accessing, as well as reading and writing in those connections.
The backdoor also might serve as a post-deployment tool, enabling operators to spy on the intended environment, collect in-memory passwords, and introduce new malicious payloads.
Elements of command and control code
Since its initial discovery in March 2021, ProxyLogon has drawn the interest of numerous malicious actors, and the most recent attack chain is no exception. The Gelsemium team took use of the flaws to drop SessionManager, a backdoor designed in C++ to handle HTTP requests submitted to the server.
Once the malicious code receives the carefully constructed HTTP requests from the threat actors, it runs the instructions concealed in the requests before sending them to the server to be handled like any other request.
Additionally, the malware serves as a covert route for spying, collects passwords stored in memory, and distributes other tools like Mimikatz and an Avast memory export application.
