New ‘SessionManager’ Backdoor Targeting Microsoft Exchange Servers Worldwide


Kaspersky security experts have discovered new malware targeting Microsoft Exchange servers belonging to several organizations worldwide.

Dubbed “SessionManager” and first spotted by the company in early 2022, the backdoor enables threat actors to keep “persistent, update-resistant and rather stealth access to the IT infrastructure of a targeted organization.”

According to Kaspersky, once deployed, SessionManager enables a wide range of malicious activities, from collecting emails to taking complete control over the victim’s infrastructure.

The analyses by the security researchers suggested that the threat actors (TA) behind SessionManager first started operating in late March 2021.

Kaspersky said the malware had hit 34 servers belonging to 24 organizations across Africa, South Asia, Europe and the Middle East, with most of them still compromised to date.

“The threat actor who operates SessionManager shows a special interest in NGOs and government entities, but medical organizations, oil companies and transportation companies, among others, have been targeted as well.”

Kaspersky also warned that a distinctive feature of SessionManager is its poor detection rate by antivirus software. 

“First discovered by Kaspersky researchers in early 2022, some of the backdoor samples were still not flagged as malicious in most popular online file scanning services,” the company wrote in an advisory on Thursday.

“To date, SessionManager is still deployed in more than 90% of targeted organizations according to an Internet scan carried out by Kaspersky researchers.”

In terms of attribution, the security experts said they found similarities between SessionManager and ‘Owowa,’ a previously unknown Internet Information Services (IIS) module that stole credentials entered by users when logging into Outlook Web Access (OWA).

“It has become clear that deploying a backdoor within IIS is a trend for threat actors, who previously exploited one of the ‘ProxyLogon-type’ vulnerabilities within Microsoft Exchange servers,” Kaspersky wrote.

Because of these similarities and the use of the common “OwlProxy” variant, Kaspersky concluded its advisory by assessing that the malicious IIS module might have been leveraged by the Gelsemium threat actor.
