A newly discovered malware has been used in the wild to backdoor Microsoft Exchange servers of a wide variety of entities worldwide since at least March 2021, with infections persisting in 20 organizations as of June 2022.
The malicious tool, called SessionManager, masquerades as a module for Internet Information Services (IIS), Microsoft's web server software for Windows systems, and is installed after exploiting one of the ProxyLogon flaws in Exchange servers.
The targets included 24 different NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East. A total of 34 servers have been compromised by a SessionManager variant so far.
This is far from the first time the technique has been observed in real-world attacks. The use of a rogue IIS module as a means to surreptitiously deliver implants echoes an Outlook credential stealer called Owowa, which came to light in December 2021.
“By dropping an IIS module as a backdoor, threat actors can maintain persistent, update-resistant, and relatively unobtrusive access to a targeted organization’s IT infrastructure; whether collecting emails, updating further malicious access or clandestinely managing compromised servers that can be used as malicious infrastructure,” Kaspersky researcher Pierre Delcher said.
The Russian cybersecurity firm attributed the intrusions with medium-to-high confidence to an adversary tracked as Gelsemium, citing overlaps in the malware samples associated with the two groups and in the victims being targeted.
ProxyLogon has attracted the repeated attention of several threat actors since it came to light in March 2021, and this latest attack chain is no exception, with the Gelsemium crew exploiting the bugs to drop SessionManager, a backdoor coded in C++ and designed to handle HTTP requests sent to the server.
“Such malicious modules usually expect legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators’ hidden instructions, if any, and then transparently pass the request on to the server to process it just like any other request,” Delcher explained.
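A defender-side check for the technique described above, added here as an example (it is not code from the article or from Kaspersky): it reads the native modules IIS registers in applicationHost.config and flags any loaded from outside the stock inetsrv directory, using a constructed config sample with a placeholder module name.

```python
"""Flag IIS native modules registered outside the stock inetsrv directory.

This is an added example, not code from the article or from Kaspersky. It
parses the <globalModules> section of an IIS applicationHost.config and reports
every module whose DLL path is not under the directory where Microsoft's own
native modules live. The config text below is constructed for illustration.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Where stock IIS native modules are installed; both the %windir% form used in
# applicationHost.config and the expanded form are accepted.
TRUSTED_PREFIXES = (
    "%windir%\\system32\\inetsrv\\",
    "c:\\windows\\system32\\inetsrv\\",
)

# Constructed sample: two stock modules plus one registered from an unusual
# path. "ExampleHandler" is a placeholder name, not a real SessionManager artefact.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="ExampleHandler" image="C:\\Windows\\Temp\\examplehandler.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def parse_global_modules(config_xml: str) -> List[Tuple[str, str]]:
    """Return (name, image) pairs for every native module in <globalModules>."""
    root = ET.fromstring(config_xml)
    modules = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            modules.append((add.get("name", ""), add.get("image", "")))
    return modules


def find_untrusted_modules(config_xml: str) -> List[Tuple[str, str]]:
    """Return modules whose image path does not start with a trusted prefix."""
    return [
        (name, image)
        for name, image in parse_global_modules(config_xml)
        if not image.lower().startswith(TRUSTED_PREFIXES)
    ]
```

Legitimate third-party modules can also live outside inetsrv, so a flagged entry is a lead for review against a known-good baseline rather than proof of compromise.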
Reportedly a “lightweight persistent initial access backdoor”, SessionManager comes with capabilities to read, write, and delete arbitrary files; run binaries from the server; and establish communication with other endpoints in the network.
The malware further acts as a covert conduit for conducting reconnaissance, harvesting passwords from memory, and delivering additional tools such as Mimikatz, as well as a memory dump utility from Avast.
The findings come as the US Cybersecurity and Infrastructure Security Agency (CISA) urged government and private-sector entities using the Exchange platform to move from the legacy Basic Authentication method to modern authentication alternatives before its deprecation on October 1, 2022.