
SessionManager - New Malware Targets Microsoft IIS Servers

Kaspersky researchers spotted a new backdoor that has been used to target Microsoft IIS servers since at least March 2021. This follows the discovery of Owowa, another malicious IIS module, in December 2021.

Diving into details

  • SessionManager has been used to target government, NGO, industrial, and military organizations across Asia, the Middle East, Africa, South America, and Europe.
  • The backdoor allows its operators to maintain persistent, update-resistant, and stealthy access to the victim organization's IT infrastructure.
  • SessionManager is also poorly detected: according to a Kaspersky scan, more than 90% of targeted organizations still have the backdoor deployed.
  • The researchers found similar victimology and the use of the OwlProxy variant, indicating that the threat actor behind this could be Gelsemium.

About SessionManager

  • Developed in C++, the backdoor is a malicious native-code IIS module that is loaded by certain IIS applications to process legitimate HTTP requests.
  • While the module appears legitimate, it performs actions based on instructions from its operators.
  • It can read, write, and delete arbitrary files on the infected server, execute commands remotely (RCE), and establish connections to arbitrary network endpoints.
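Because SessionManager is registered as a native IIS module, one place a defender can look for it is the globalModules section of IIS's applicationHost.config. The following PowerShell check is an added example, not code from Kaspersky's report or this post; it assumes a default IIS install path and simply flags entries whose DLL is missing, unsigned, or not signed by Microsoft so they can be reviewed by hand.

```powershell
# Added example (not from the original post): enumerate native IIS modules registered
# in applicationHost.config and flag entries that warrant a manual review.
# Assumption: default IIS install under %windir%\System32\inetsrv.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$cfg = Get-Content -LiteralPath $configPath -Raw

$findings = foreach ($m in $cfg.configuration.'system.webServer'.globalModules.add) {
    # Image paths in the config use %windir%-style environment variables
    $image  = [Environment]::ExpandEnvironmentVariables($m.image)
    $exists = Test-Path -LiteralPath $image
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Heuristic: a missing file, an invalid signature, or a non-Microsoft signer
    # is unusual for a native IIS module and should be examined (third-party
    # modules installed on purpose will also show up here).
    $suspicious = (-not $exists) -or
                  (-not $sig) -or ($sig.Status -ne 'Valid') -or
                  ($signer -notlike '*Microsoft Corporation*')

    [pscustomobject]@{
        Name       = $m.name
        Image      = $image
        Exists     = $exists
        SigStatus  = if ($sig) { $sig.Status } else { 'N/A' }
        Signer     = $signer
        Suspicious = $suspicious
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt on the IIS host; the Suspicious column marks entries to review, and the Image column shows which DLL to pull for analysis.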

The bottom line

Cybercriminals have lately been abusing Exchange email server flaws to gain entry to corporate networks. Since the backdoor remains deployed on many servers, malicious activity is likely to keep being uncovered for a long time. Kaspersky has offered mitigations to stay safe from this very potent threat.
Cyware Publisher
