Attackers are using a newly discovered malware family to backdoor Microsoft Exchange servers belonging to government and military organizations in Europe, Asia, Africa, and the Middle East.
Researchers at Kaspersky, who first spotted the threat in early 2022, have named the backdoor SessionManager. It is a native-code module for Microsoft's Internet Information Services (IIS) web server, the software that fronts Exchange's web services.
Because a native IIS module is loaded by the web server itself, the SessionManager backdoor gives its operators persistent, update-resistant, and stealthy access to the targeted organization's IT infrastructure.
Once installed on a victim's server, the operators use the backdoor to read company email and to expand their foothold by installing additional malware.
Payloads observed being delivered through the module include a legitimate Avast memory dump tool, Mimikatz SSP, ProcDump, and a PowerSploit-based reflective loader for Mimikatz.
The operators can also manage compromised servers and abuse them as infrastructure for further malicious activity. SessionManager has been in use since at least March 2021, shortly after the wave of ProxyLogon attacks against Exchange, and went largely undetected until now.
Based on overlapping victimology and the use of the OwlProxy backdoor alongside it, SessionManager is believed to be employed by the Gelsemium group as part of a global espionage operation.
The backdoor can read, write, and delete arbitrary files on the compromised server and execute commands remotely on the backdoored host.
It can also open connections to endpoints inside the victim's local network and read from and write to that traffic, which lets the operators pivot from the exposed server to internal systems.
Through the tools it deploys, the operators harvest credentials from process memory and collect information about the victims' networks and devices.
Attackers continue to target Exchange servers that are exposed with unpatched vulnerabilities. Organizations should apply the latest Exchange updates promptly, and, since a module like SessionManager survives patching, should also review the native modules loaded by IIS on their Exchange servers. Threat intelligence on IIS backdoors remains useful for building detections against this class of threat.
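Since SessionManager is registered as a native IIS module, the simplest check an administrator can run is to enumerate the native modules declared in applicationHost.config and flag any whose DLL lives outside the IIS install directory or is not signed by Microsoft. The script below is an added example, not code from Kaspersky or from the article; the config path and the "known-good" directory are assumptions about a default IIS install, and the signer check is a heuristic, not a list of SessionManager indicators.

```powershell
# Added example: enumerate native IIS modules and flag ones that are not
# Microsoft-signed or not located under %windir%\System32\inetsrv.
# Paths below assume a default IIS installation (assumption, not from the article).

$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$inetsrvDir = Join-Path $env:windir 'System32\inetsrv'

[xml]$config = Get-Content -LiteralPath $configPath -Raw

# Native (global) modules are declared under <system.webServer><globalModules>.
$globalModules = $config.configuration.'system.webServer'.globalModules.add

# Names of modules that are actually enabled server-wide, from <modules>.
$enabled = @($config.configuration.'system.webServer'.modules.add | ForEach-Object { $_.name })

$findings = foreach ($m in $globalModules) {
    # The image attribute commonly uses %windir%; expand it before testing the path.
    $image = [Environment]::ExpandEnvironmentVariables($m.image)

    $inInetsrv = $image.StartsWith($inetsrvDir, [StringComparison]::OrdinalIgnoreCase)

    # Authenticode check: a module whose DLL is missing or unsigned deserves a look.
    $signer = 'missing'
    if (Test-Path -LiteralPath $image) {
        $sig = Get-AuthenticodeSignature -FilePath $image
        $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "unsigned/$($sig.Status)" }
    }
    $isMicrosoft = $signer -like '*O=Microsoft Corporation*'

    [pscustomobject]@{
        Name       = $m.name
        Enabled    = ($enabled -contains $m.name)
        InInetsrv  = $inInetsrv
        Signer     = $signer
        Image      = $image
        Suspicious = (-not $inInetsrv) -or (-not $isMicrosoft)
    }
}

# Suspicious entries first; review each one by hand before acting on it.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each Exchange server; `%windir%\System32\inetsrv\appcmd.exe list modules` gives a quicker but less detailed view of the same list. Exchange itself registers several Microsoft-signed native modules, so expect those to appear as non-suspicious; third-party modules that the organization installed deliberately will be flagged and need to be accounted for. A signed binary is not proof of legitimacy, so treat the output as a triage list, not a verdict.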