New “SessionManager” backdoor for Microsoft IIS servers in the wild

Newly discovered malware has been leveraged in the wild since at least March 2021 to target Microsoft Exchange servers belonging to a wide range of entities across the world, with infections lingering in 20 organizations as of June 2022.

Called SessionManager, the malicious tool masquerades as a module for Internet Information Services (IIS), the web server software that ships with Windows, and is deployed after exploiting one of the ProxyLogon flaws in the Exchange servers.

The targets included 24 different NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East. A total of 34 servers have been compromised by a SessionManager variant so far.

This is far from the first time the technique has been observed in real-world attacks. The use of a rogue IIS module as a means to deploy stealthy implants echoes an Outlook credential stealer called Owowa that came to light in December 2021.

“Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant, and relatively stealthy access to the IT infrastructure of a targeted organization; be it to collect emails, update further malicious access, or clandestinely manage compromised servers that can be leveraged as malicious infrastructure,” said Kaspersky researcher Pierre Delcher.

The Russian cybersecurity company attributed the intrusions with medium-to-high confidence to an adversary tracked as Gelsemium, citing overlaps in the malware samples linked to the two groups and in the victims targeted.

ProxyLogon, since its disclosure in March 2021, has drawn repeated attention from several threat actors, and the latest attack chain is no exception, with the Gelsemium crew exploiting the flaws to drop SessionManager, a backdoor written in C++ and engineered to process HTTP requests sent to the server.

“Such malicious modules usually expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators’ hidden instructions, if any, then transparently pass the request to the server for it to be processed just like any other request,” Delcher explained.

Described as a “lightweight persistent initial access backdoor,” SessionManager includes capabilities to read, write, and delete arbitrary files; execute binaries from the server; and establish communications with other endpoints in the network.

The malware also acts as a covert channel to conduct reconnaissance, harvest in-memory passwords, and deliver additional tools such as Mimikatz as well as a memory dump utility from Avast.
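Because a native IIS module has to be registered in `applicationHost.config` (under `<system.webServer><globalModules>`) for the web server to load it, that file is a cheap first place to hunt for an implant like the one described above. The following is an added example for this article, not code from Kaspersky or from the SessionManager report: it parses the config, ignores modules whose image path sits in the stock IIS directories, and flags everything else. The sample config embedded below is constructed for the example; the rogue entry's name is taken from the article, but its path is an assumption, and the trusted-path allowlist assumes no legitimate third-party modules are installed on the host.

```python
"""Hunt for rogue native IIS modules registered in applicationHost.config.

Added example for this article, not code from Kaspersky or the SessionManager
report. IIS loads native modules listed under <system.webServer><globalModules>,
so a module dropped by an attacker must show up there; the image path and the
module name give a quick triage signal before any deeper DLL analysis.
"""
import re
import xml.etree.ElementTree as ET

# Directories where stock IIS modules live. Anything outside them is reported.
# Assumption: no legitimate third-party modules are installed; extend these
# patterns or the allowed_names set for hosts that have them.
TRUSTED_PATH_PATTERNS = [
    re.compile(r"^%windir%\\system32\\inetsrv\\[^\\]+\.dll$", re.IGNORECASE),
    re.compile(
        r"^%windir%\\microsoft\.net\\framework(64)?\\[^\\]+\\webengine4\.dll$",
        re.IGNORECASE,
    ),
]


def find_suspicious_modules(config_xml: str, allowed_names=frozenset()):
    """Return (name, image) for each <add> under <globalModules> whose image
    path is outside the trusted IIS directories and whose name is not in
    allowed_names."""
    root = ET.fromstring(config_xml)
    findings = []
    for global_modules in root.iter("globalModules"):
        for mod in global_modules.findall("add"):
            name = mod.get("name", "")
            image = mod.get("image", "")
            if name in allowed_names:
                continue
            if any(p.match(image) for p in TRUSTED_PATH_PATTERNS):
                continue
            findings.append((name, image))
    return findings


# Constructed sample: a trimmed applicationHost.config with three stock
# modules and one rogue entry. The rogue module's path is invented for the
# example and is not an indicator from the report.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="ManagedEngine64" image="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="RequestFilteringModule" image="%windir%\\System32\\inetsrv\\modrqflt.dll" />
      <add name="SessionManager" image="C:\\ProgramData\\sessionmanager.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


if __name__ == "__main__":
    hits = find_suspicious_modules(SAMPLE_CONFIG)
    for name, image in hits:
        print(f"SUSPICIOUS module {name!r} -> {image}")
    if not hits:
        print("no modules outside trusted IIS directories")
```

On a live server the config is at `%windir%\System32\inetsrv\config\applicationHost.config`, and `%windir%\System32\inetsrv\appcmd.exe list modules` gives the same list from the running instance; a path match is only triage, so any flagged DLL should still be checked for a valid signature and hashed against known-good inventories.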

The findings come as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged government agencies and private sector entities using the Exchange platform to switch from the legacy Basic Authentication method to Modern Authentication alternatives before Basic Authentication is deprecated on October 1, 2022.
