Experts at Russian cybersecurity firm Kaspersky have brought to light a poorly detected backdoor program known as “SessionManager”, set up as a malicious module within Internet Information Services (IIS), the popular web server developed by Microsoft.
Once deployed, SessionManager enables a wide range of malicious activities, from collecting emails to taking complete control over the victim’s infrastructure.
First used in late March 2021, the newly discovered backdoor has, according to Kaspersky, hit governmental institutions and NGOs across the globe, with victims in eight countries across the Middle East, Turkey and Africa, including Kuwait, Saudi Arabia, Nigeria, Kenya and Turkey.
The SessionManager backdoor enables threat actors to keep persistent, update-resistant and rather stealthy access to the IT infrastructure of a targeted organisation.
Once dropped into the victim’s system, the cybercriminals behind the backdoor can gain access to company emails, extend their malicious access by installing further malware, or clandestinely manage the compromised servers, which can then be leveraged as malicious infrastructure.
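A basic check a defender can run against an IIS host, given as an added example that is not from Kaspersky’s report: parse the native modules registered in applicationHost.config and flag any whose DLL lives outside Microsoft’s inetsrv directory. The sample config excerpt, the trusted directories and the "ExampleModule" entry are constructed assumptions, not indicators from the SessionManager investigation.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Where Microsoft's own IIS native modules live on a stock Windows Server
# (assumption; extend with the paths of legitimate third-party modules).
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32\inetsrv"),
    PureWindowsPath(r"C:\Windows\SysWOW64\inetsrv"),
)

# Constructed excerpt of %windir%\System32\inetsrv\config\applicationHost.config.
# The last <add> entry is a made-up example of an unexpected module.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="ExampleModule" image="C:\\Windows\\Temp\\example.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def expand(image: str) -> PureWindowsPath:
    """Expand the %windir% variable used by the stock config (assumes C:\\Windows)."""
    return PureWindowsPath(image.replace("%windir%", r"C:\Windows"))


def suspicious_modules(config_xml: str) -> list[tuple[str, str]]:
    """Return (name, image) for each native module whose DLL sits outside TRUSTED_DIRS."""
    root = ET.fromstring(config_xml)
    findings = []
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            image = add.get("image")
            if image is None:
                continue
            # PureWindowsPath compares case-insensitively, matching NTFS semantics.
            if not any(expand(image).parent == d for d in TRUSTED_DIRS):
                findings.append((add.get("name"), image))
    return findings


if __name__ == "__main__":
    for name, image in suspicious_modules(SAMPLE_CONFIG):
        print(f"unexpected native module: {name} -> {image}")
```

On a live host the same function can be pointed at the real applicationHost.config; any hit is a starting point for review rather than proof of compromise.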
A distinctive feature of SessionManager is its poor detection rate. First discovered by Kaspersky researchers in early 2022, some of the backdoor samples were still not flagged as malicious in most popular online file scanning services.
To date, SessionManager is still deployed in more than 90% of targeted organisations according to an Internet scan carried out by Kaspersky researchers.
In December 2021, Kaspersky uncovered “Owowa”, a previously unknown IIS module that steals credentials entered by a user when logging into Outlook Web Access (OWA).
Since then, the company’s experts have kept an eye on this new avenue for cybercriminal activity, and it has become clear that deploying a backdoor within IIS is now a trend among threat actors who had previously exploited one of the “ProxyLogon-type” vulnerabilities in Microsoft Exchange servers.
Overall, 34 servers of 24 organisations from Europe, the Middle East, South Asia, and Africa were compromised by SessionManager. The threat actor who operates SessionManager shows a special interest in NGOs and government entities, but medical organisations, oil companies, and transportation companies, among others, have been targeted as well.
Because of similar victimology and the use of the common “OwlProxy” variant, Kaspersky experts believe that the malicious IIS module might have been leveraged by the GELSEMIUM threat actor, as part of its espionage operations.
“The exploitation of Exchange server vulnerabilities has been a favourite of cybercriminals looking to get into targeted infrastructure since Q1 2021. It notably enabled a series of long unnoticed cyberespionage campaigns,” comments Pierre Delcher, Senior Security Researcher at Kaspersky’s Global Research and Analysis team.
“The recently discovered SessionManager was poorly detected for a year. Facing massive and unprecedented server-side vulnerability exploitation, most cybersecurity actors were busy investigating and responding to the first identified offenses. As a result, it is still possible to discover related malicious activities months or years later, and this will probably be the case for a long time,” Delcher concludes.