New Backdoor Targets Microsoft Exchange Servers

Attackers have broken into Microsoft Exchange servers run by military and governmental institutions in Europe, the Middle East, Asia, and Africa using recently discovered malware. The malware is a malicious native-code module for Microsoft’s Internet Information Services (IIS) web server software; security researchers at Kaspersky first identified it in early 2022 and named it SessionManager.

It has been used in the wild without being detected since the large wave of ProxyLogon attacks began in March 2021. On Thursday, Kaspersky said that the SessionManager backdoor gives threat actors “permanent, update-resistant, and very stealth access to the IT infrastructure of a targeted firm.” “Once dumped into the victim’s system, hackers behind the backdoor can access business emails, upgrade existing malicious access by adding new software, or covertly control compromised servers, which can be used as malicious infrastructure.”


Its capabilities include dropping and managing arbitrary files on compromised servers, executing commands remotely on backdoored devices, connecting to endpoints inside the victim’s local network, and manipulating network traffic. While still investigating the attacks in late April 2022, Kaspersky found that most of the malware samples identified earlier were still deployed on 34 servers belonging to 24 organizations (and still running as late as June 2022).

Furthermore, “a popular online file scanning service” still did not flag them as malicious months after the first discovery. Once installed, the malicious IIS module lets its operators harvest credentials from system memory, gather information about the victims’ networks and infected devices, and deliver additional payloads (such as a PowerSploit-based Mimikatz reflective loader, Mimikatz SSP, ProcDump, and a legitimate Avast memory dump tool).

“Since Q1 2021, attackers attempting to access a targeted infrastructure have preferred to exploit Exchange server vulnerabilities. Despite being poorly identified for a year and still being used in the wild, the freshly found SessionManager,” added Senior Security Researcher Pierre Delcher of Kaspersky’s GReAT. Exchange servers should be carefully reviewed and monitored for hidden implants, if they haven’t been already, because last year’s vulnerabilities have made them ideal targets regardless of the attacker’s intent. Kaspersky discovered SessionManager while hunting for IIS backdoors similar to Owowa, a malicious IIS module that attackers have used on Microsoft Exchange Outlook Web Access servers since late 2020 to steal Exchange credentials.
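One way to start the review recommended above, as an added example that is neither Kaspersky’s tooling nor code from this article: parse the globalModules section of IIS’s applicationHost.config and flag native modules registered from outside the default Microsoft install directories. The expected roots, the environment-variable expansion and the sample config are constructed assumptions, not values from the article.

```python
"""Triage the <globalModules> section of an IIS applicationHost.config.

Native IIS modules (the class of implant SessionManager belongs to) are
registered here as DLL image paths. Microsoft's own native modules normally
live under the IIS or .NET Framework install directories, so any image
outside those roots deserves a closer look (signature, hash, load history).
"""
import xml.etree.ElementTree as ET
from ntpath import normpath

# Assumption: default install locations; adjust if IIS lives elsewhere.
EXPECTED_ROOTS = (
    r"%windir%\system32\inetsrv",
    r"%windir%\microsoft.net",
)

def _normalize(image):
    # Lower-case, backslash-normalised path with %windir%/%SystemRoot%
    # expanded (assumed to be C:\Windows) so prefix comparison is stable.
    path = normpath(image.replace("/", "\\")).lower()
    for var in ("%windir%", "%systemroot%"):
        path = path.replace(var, r"c:\windows")
    return path

def find_suspicious_modules(config_xml):
    """Return [(name, image)] for globalModules whose DLL is outside EXPECTED_ROOTS."""
    root = ET.fromstring(config_xml)
    suspicious = []
    for section in root.iter("globalModules"):
        for mod in section.findall("add"):
            name, image = mod.get("name", ""), mod.get("image", "")
            path = _normalize(image)
            if not any(path.startswith(_normalize(r)) for r in EXPECTED_ROOTS):
                suspicious.append((name, image))
    return suspicious

# Constructed sample config (not from a real server): two Microsoft modules
# plus one module registered from a non-standard directory.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="ManagedEngine64" image="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll" />
      <add name="ExampleModule" image="C:\\Windows\\Temp\\example.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for name, image in find_suspicious_modules(SAMPLE_CONFIG):
        print(f"REVIEW: module {name!r} loaded from {image}")
```

The path check is only a first filter: a module dropped into the inetsrv directory itself would pass it, so every image on the list should also be hash- and signature-checked.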

Gelsemium APT Group Links

Security researchers at Kaspersky believe the SessionManager IIS backdoor was used in these attacks by the Gelsemium threat actor as part of a global espionage operation, based on identical victimology and the use of an HTTP server-type backdoor variant named OwlProxy.

The group has been active since at least 2014, when G DATA’s SecurityLabs discovered some of its malicious tools while investigating the “Operation TooHash” cyber-espionage campaign. Verint Systems presented new Gelsemium indicators of compromise in 2016 at the HITCON conference. Two years later, in 2018, VenusTech released malware samples connected to Operation TooHash and an unidentified APT organization; these samples were ultimately identified as early Gelsemium malware versions by Slovak internet security company ESET.

Additionally, ESET disclosed in 2017 that its researchers had connected Gelsemium to Operation NightScout, a supply-chain attack that aimed to infect gamers’ computers between September 2020 and January 2021 through the NoxPlayer Android emulator for Windows and macOS, which has over 150 million users. Beyond that, the Gelsemium APT group is best known for largely evading detection while targeting governments, electronics manufacturers, and institutions in East Asia and the Middle East.
