Kaspersky security experts have discovered new malware targeting Microsoft Exchange servers belonging to several organizations worldwide.
Dubbed “SessionManager” and first spotted by the company in early 2022, the backdoor enables threat actors to keep “persistent, update-resistant and rather stealth access to the IT infrastructure of a targeted organization.”
According to Kaspersky, once propagated, SessionManager would enable a wide range of malicious activities, from collecting emails to complete control over the victim’s infrastructure.
The analyses by the security researchers suggested that the threat actors (TA) behind SessionManager first started operating in late March 2021.
Kaspersky said the malware would have hit 34 servers of 24 organizations across Africa, South Asia, Europe and the Middle East, with most of them still compromised to date.
“The threat actor who operates SessionManager shows a special interest in NGOs and government entities, but medical organizations, oil companies and transportation companies, among others, have been targeted as well.”
Kaspersky also warned that a distinctive feature of SessionManager is its poor detection rate by antivirus software.
“First discovered by Kaspersky researchers in early 2022, some of the backdoor samples were still not flagged as malicious in most popular online file scanning services,” the company wrote in an advisory on Thursday.
“To date, SessionManager is still deployed in more than 90% of targeted organizations according to an Internet scan carried out by Kaspersky researchers.”
In terms of attribution, the security experts said they found similarities between SessionManager and ‘Owowa,’ a previously unknown internet information services (IIS) module that stole credentials entered by a user when logging into Outlook Web Access (OWA).
“It has become clear that deploying a backdoor within IIS is a trend for threat actors, who previously exploited one of the ‘ProxyLogon-type’ vulnerabilities within Microsoft Exchange servers,” Kaspersky wrote.
Because of these similarities and the use of the common “OwlProxy” variant, Kaspersky concluded their advisory by claiming the malicious IIS module might have been leveraged by the Gelsemium threat actor.