Researchers have discovered stealthy malware that threat actors have been employing for the past 15 months to backdoor Microsoft Exchange servers after they have been compromised.
The malicious software, called SessionManager, impersonates a genuine Internet Information Services (IIS) module, which is the web server that is by default installed on Exchange servers.
IIS modules are frequently implemented by businesses to automate particular web infrastructure activities. SessionManager infections have been found on 34 servers belonging to 24 different firms since March 2021, according to Kaspersky security researchers.
As of earlier last month, 20 firms were still affected, according to the cybersecurity company.
Malicious IIS modules provide the perfect platform for the deployment of robust, enduring, and covert backdoors. Once they are set up, they will reply to specially crafted HTTP requests that the operator sends to the server ordering it to gather emails, grant more malicious access, or use the hacked services for nefarious reasons.
It should be noted that the HTTP queries appear normal to the untrained eye, despite the fact that they provide the operator total control over the device.
Kaspersky researcher Pierre Delcher wrote that such malicious modules typically anticipate seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators’ hidden instructions, if any, and then transparently pass the request to the server for processing in the same manner as any other request.
“As a result, such modules are not easily spotted by usual monitoring practices: they do not necessarily initiate suspicious communications to external servers, receive commands through HTTP requests to a server that is specifically exposed to such processes, and their files are often placed in overlooked locations that contain a lot of other legitimate files,” he added.
After installing SessionManager, operators use it to further profile the infected environment, collect credentials saved in memory, and install additional tools such as a PowerSploit-based reflective loader, Mimikat SSP, ProcDump, and a legitimate Avast memory dump tool.
At least one SessionManager variation from March 2021 was acquired by Kaspersky.
However, as reported after threat actors have taken advantage of the ProxyLogon vulnerabilities in Microsoft Exchange servers, SessionManager is deployed. NGOs, governments, armies, and commercial groups in Africa, South America, Asia, and Europe have been determined to be infected, according to the findings.
It was also stated that there is a medium-to-high probability that SessionManager has been used by a previously discovered threat actor known as Gelsemium. In 2021, the security company ESET released a comprehensive analysis of the group (PDF).
It should be noted that based on the similarities in the code used by the two groups and the victims targeted, Kaspersky attributes the attack.
In Kaspersky’s publication, the company lists indicators that businesses can use to identify whether they have been infected and what actions they should take in that case.
Read all the Latest News, Breaking News, watch Top Videos and Live TV here.
For all the latest Technology News Click Here
