Actively exploited server backdoor remains undetected in most organisations' networks


Security researchers at Kaspersky have discovered a new server backdoor targeting governments and NGOs across most geographic regions.

Dubbed SessionManager, the backdoor takes the form of a malicious module for Internet Information Services (IIS), the popular web server software designed and maintained by Microsoft for use with its NT servers.


Researchers said the discovery of SessionManager, found in early 2022, signals a growing trend involving cyber criminals targeting IIS with malicious modules to gain access to sensitive information.

The investigation began after the team started observing threat actors dropping other backdoors in IIS a few months earlier in December 2021, such as ‘Owowa’, after exploiting vulnerabilities in Microsoft Exchange Server akin to the ProxyLogon exploit.

The original malicious module found in IIS, Owowa, was designed to steal credentials from Outlook Web Access (OWA) when users attempted to sign in.

SessionManager is the latest such finding. Once installed on a victim’s server, the researchers said, it allows the cyber criminal to gain access to sensitive information, such as an organisation’s emails, or to manage servers while evading detection, potentially to use them as malicious infrastructure.

It also has the power to read, write, and delete arbitrary files on a compromised server, enable remote code execution, and establish endpoint connections between arbitrary networks and the compromised server.

When SessionManager’s capabilities are combined, these can “make it a lightweight persistent initial access backdoor,” said Pierre Delcher, senior security researcher at Kaspersky’s Global Research and Analysis team.

One of the hallmark features of the implant is that it is highly stealthy, too, with many samples going undetected by popular online file-scanning services. SessionManager has been operational since at least March 2021 and is still present in more than 90% of targeted organisations, according to Kaspersky’s internet scans.
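Because SessionManager and Owowa are native IIS modules, one practical defender check is to enumerate every native module IIS has registered (in applicationHost.config, under globalModules) and review any whose DLL is not signed by Microsoft. The script below is an added example, not code from the article or from Kaspersky; it assumes a Windows Server host with the WebAdministration PowerShell module and an elevated session.

```powershell
# Added example (not from the article or Kaspersky): list IIS native modules
# and flag any whose image is unsigned, has a broken signature, or is signed
# by someone other than Microsoft. Assumes the WebAdministration module is
# available and the session runs as Administrator.
Import-Module WebAdministration

function Get-SuspiciousIISModule {
    # Get-WebGlobalModule returns each native module's Name and Image path;
    # the Image often contains environment variables such as %windir%.
    Get-WebGlobalModule | ForEach-Object {
        $image = [Environment]::ExpandEnvironmentVariables($_.Image)
        $sig = Get-AuthenticodeSignature -FilePath $image -ErrorAction SilentlyContinue
        $signer = if ($sig -and $sig.SignerCertificate) {
            $sig.SignerCertificate.Subject
        } else {
            '<unsigned or file missing>'
        }
        $status = if ($sig) { $sig.Status } else { 'NotFound' }

        [pscustomobject]@{
            Name   = $_.Name
            Image  = $image
            Status = $status
            Signer = $signer
            # Flag anything that is not a valid Microsoft signature. Legitimate
            # third-party modules will also appear here; treat it as a review
            # list, not a verdict.
            Flag   = ($status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
        }
    }
}

# Show only the modules that need a human look.
Get-SuspiciousIISModule | Where-Object Flag | Format-Table -AutoSize
```

Run it on each IIS host you manage and compare the flagged entries against your own change records; an unexpected DLL with no vendor signature, or one sitting outside the normal inetsrv path, is worth pulling for analysis.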

SessionManager infections have been scattered across the globe with observed success in every geographic region except North America and Oceania, according to Kaspersky's data.

Many Asian countries have been targeted, and other high-profile nations including the UK, Russia, and Saudi Arabia are all believed to have been targeted too.

Kaspersky said the threat actors’ efforts have been concentrated on governments and NGOs, but medical, oil, and transportation companies have also been hit with SessionManager. Kaspersky said 34 servers were impacted in total, across 24 different organisations.

“The exploitation of Exchange Server vulnerabilities has been a favourite of cybercriminals looking to get into targeted infrastructure since Q1 2021,” said Delcher. “It notably enabled a series of long unnoticed cyberespionage campaigns.

“The recently discovered SessionManager was poorly detected for a year and is still deployed in the wild. Facing massive and unprecedented server-side vulnerability exploitation, most cybersecurity actors were busy investigating and responding to the first identified offences. As a result, it is still possible to discover related malicious activities months or years later, and this will probably be the case for a long time.”

Who is behind SessionManager?

Kaspersky has found it difficult to attribute SessionManager with confidence to any known advanced persistent threat (APT) group, though it has said the Gelsemium group “might” be the operator.

A combination of malicious binaries similar to, but distinct from, SessionManager (discovered before SessionManager itself and used in conjunction with other backdoors downloaded from the same staging server as SessionManager) led researchers to the Gelsemium group.

The researchers note that Gelsemium might be the sole operator, or one of several potential threat actors conducting attacks.

Gelsemium was first observed in 2014 and has, so far, been difficult to track and analyse given the small number of confirmed victims relative to the time it has been active.

Known targets of Gelsemium have included governments, universities, and religious organisations in East Asia and the Middle East, and it was also believed to be behind the supply chain hack on BigNox.

Connor Jones
News and Analysis Editor
