Newly discovered malware has been used in the wild since at least March 2021 to backdoor Microsoft Exchange servers belonging to a wide range of organizations worldwide, with infections continuing in 20 organizations as of June 2022.
Called SessionManager, the malicious tool masquerades as a module for Internet Information Services (IIS), Microsoft's web server software for Windows systems, and is deployed after exploiting one of the ProxyLogon flaws in Exchange servers.
The targets include 24 distinct NGOs and government, military and industrial organizations spanning Africa, South America, Asia, Europe, Russia and the Middle East. A total of 34 servers have been compromised by a SessionManager variant so far.
This is far from the first time the technique has been seen in real-world attacks. The use of a fake IIS module as a means of distributing hidden implants is echoed in an Outlook credential stealer called Owowa that came to light in December 2021.
“Dropping an IIS module as a backdoor allows threat actors to maintain persistent, update-resistant and relatively stealthy access to a target organization’s IT infrastructure; be it to harvest emails, update additional malicious access, or covertly manage compromised servers that can be used as malicious infrastructure,” said Kaspersky researcher Pierre Delcher.
The Russian cybersecurity firm attributed the intrusions, with medium-to-high confidence, to an adversary tracked as Gelsemium, citing an overlap in the malware samples associated with the two groups and in the victims they targeted.
ProxyLogon, since its disclosure in March 2021, has repeatedly attracted the attention of several threat actors, and the latest chain of attacks is no exception, with the Gelsemium team exploiting the flaws to drop SessionManager, a backdoor coded in C++ and designed to handle HTTP requests sent to the server.
“Such malicious modules typically expect seemingly legitimate but specially crafted HTTP requests from their operators, trigger actions based on the operators’ hidden instructions, if any, then transparently pass the request to the server to be processed just like any other request,” Delcher explained.
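Because a backdoor of this kind is registered as a native IIS global module, the place an administrator can look for it is the `globalModules` section of IIS's configuration. The script below is an added example, not code from Kaspersky's report, that enumerates those modules and flags any image that is missing, unsigned, or loaded from outside the standard inetsrv directory; it assumes it runs on the IIS host with administrative rights.

```powershell
# Added example (not from the Kaspersky report): list native IIS global modules
# from applicationHost.config and flag ones that look out of place. Legitimate
# modules are Microsoft-signed DLLs under %windir%\System32\inetsrv; a dropped
# module such as SessionManager typically fails one or more of these checks.
# Assumes: run elevated on the IIS server itself.

$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$inetsrvDir = Join-Path $env:windir 'System32\inetsrv'

[xml]$config = Get-Content -Path $configPath -Raw

$findings = foreach ($module in $config.configuration.'system.webServer'.globalModules.add) {
    # image paths use %windir%-style variables; expand them before touching the file
    $image = [Environment]::ExpandEnvironmentVariables($module.image)
    $exists = Test-Path -LiteralPath $image
    $signature = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }
    $inInetsrv = $image.StartsWith($inetsrvDir, [StringComparison]::OrdinalIgnoreCase)

    [pscustomobject]@{
        Name       = $module.name
        Image      = $image
        Exists     = $exists
        Signer     = if ($signature -and $signature.SignerCertificate) {
                         $signature.SignerCertificate.Subject
                     } else { '<unsigned or missing>' }
        SigStatus  = if ($signature) { $signature.Status.ToString() } else { 'NoFile' }
        # any one of these conditions is worth a closer look
        Suspicious = (-not $exists) -or (-not $inInetsrv) -or ($signature.Status -ne 'Valid')
    }
}

# suspicious entries first; compare the list against a known-good build of the server
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Review every row marked Suspicious against the server's build documentation; a valid signature from an unfamiliar signer, or a module image sitting in a writable directory, deserves the same scrutiny as an unsigned one.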
Said to be a “lightweight persistent backdoor for initial access”, SessionManager comes with capabilities to read, write and delete arbitrary files; execute binaries on the server; and establish communications with other endpoints on the network.
In addition, the malware acts as a covert channel to conduct reconnaissance, collect passwords in memory, and deliver additional tools such as Mimikatz, as well as a memory dump utility from Avast.
The findings come after the US Cybersecurity and Infrastructure Security Agency (CISA) urged government agencies and private sector entities using the Exchange platform to switch from the legacy Basic Authentication method to Modern Authentication alternatives before its retirement on October 1, 2022.