According to a blog post by Ars Technica, researchers have identified a new piece of malware dubbed SessionManager that hackers have been using to back door Microsoft Exchange servers for the past 15 months.
Internet Information Services (IIS) is installed as the web server by default on Exchange servers, which organizations use to “deploy IIS modules to streamline specific processes on their web infrastructure”. The malware in return then exploited this and then presented itself as as legitimate module.
Based on information gathered by researchers from Kaspersky, “34 servers belonging to 24 organizations that have been infected with SessionManager since March 2021”. Earlier in June, Kaspersky had indicated that 20 of the organizations still remained affected by the malware.
SessionManager provide “an ideal means to deploy powerful, persistent, and stealthy backdoors”. This means that they get to respond to specifically crafted HTTP requests sent by the operator, which in return helps the hackers gain crucial information from emails and expedites their access. It is quite difficult for one to tell the regular HTTP requests from these malicious ones.
According to the blog post, “Such malicious modules usually expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators’ hidden instructions if any, then transparently pass the request to the server for it to be processed just like any other request,” Kaspersky researcher Pierre Delcher wrote. “As a result, such modules are not easily spotted by usual monitoring practices: they do not necessarily initiate suspicious communications to external servers, receive commands through HTTP requests to a server that is specifically exposed to such processes, and their files are often placed in overlooked locations that contain a lot of other legitimate files.”
The malware then takes control over your device where the user can now get access to the passwords stored in your memory and even get to install additional tools such as PowerSploit-based reflective loader, Mimikat SSP, ProcDump, and a legitimate Avast memory dump tool.
Kaspersky has further indicated that they speculate a group of hackers identified as Gelsemium could be behind SessionManager. They have also highlighted that it is a complicated process to workaround this issue.