Monday, May 12, 2025
HomeCyber Security NewsNew Malware Dubbed SessionManager Targeting Microsoft IIS Servers in the Wild

New Malware Dubbed SessionManager Targeting Microsoft IIS Servers in the Wild

Published on

SIEM as a Service

Follow Us on Google News

Researchers from Kaspersky seek out more IIS backdoors after the discovery of ‘Owowa’, a malicious IIS module deployed by attackers on Microsoft Exchange Outlook Web Access servers, stealing credentials and enabling remote command execution from OWA.

Also in 2021, Kaspersky noticed ‘ProxyLogon-type’ vulnerabilities within Microsoft Exchange servers, enabling threat actors to maintain persistent, update-resistant, and relatively stealthy access to the IT infrastructure of a targeted organization; be it to collect emails, update further malicious access, or clandestinely manage compromised servers that can be leveraged as malicious infrastructure.

Recently in 2022, the company discovered ‘SessionManager’. According to the report, SessionManager has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia, and the Middle East, from at least March 2021.

- Advertisement - Google News

“Because of the similar victims, and use of a common OwlProxy variant, we believe the malicious IIS module may have been leveraged by the GELSEMIUM threat actor, as part of espionage operations”, Kaspersky.

What is a SessionManager?

It is developed in C++, SessionManager is a malicious native-code IIS module loaded by some IIS applications, to process legitimate HTTP requests that are continuously sent to the server.

These malicious modules generally look forward to seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators’ hidden instructions if any, then transparently pass the request to the server for it to be processed just like any other request.

Malicious IIS module processing requests

The capabilities of the SesssionManager include:

  • Reading, writing to, and deleting arbitrary files on the compromised server.
  • Executing arbitrary binaries from the compromised server, also known as “remote command execution”.
  • Establishing connections to arbitrary network endpoints that can be reached by the compromised server, as well as reading and writing in such connections.

The report says; that though still investigating the attacks, Kaspersky found that most of the malware samples identified earlier were still deployed on 34 servers of 24 organizations (still running as late as June 2022).

Furthermore, months after the initial discovery, they were still not flagged as malicious by “a popular online file scanning service”. The tools that operators attempted to download and execute from SessionManager include a PowerSploit-based reflective loader for the Mimikatz DLL, Mimikatz SSP, ProcDump, and a legitimate memory dump tool from Avast.

To avoid detection by security products, researchers say SessionManager operators attempted additional malicious execution by running launcher scripts through the Windows services manager command line. From November 2021, operators tried to leverage custom PyInstaller-packed Python scripts to obfuscate command execution attempts.

Kaspersky security experts believe the SessionManager IIS backdoor was leveraged in these attacks by the Gelsemium threat actor as part of a worldwide espionage operation.

Since 2014, this hacking group has been active, when some of its malicious tools were spotted by G DATA’s SecurityLabs while investigating the “Operation TooHash” cyber-espionage campaign. In 2016, new Gelsemium indicators of compromise surfaced in a Verint Systems presentation during the HITCON conference.

According to Pierre Delcher, a Senior Security Researcher at Kaspersky, “The exploitation of exchange server vulnerabilities has been a favorite of cybercriminals looking to get into targeted infrastructure since Q1 2021.”

“The recently discovered SessionManager was poorly detected for a year and is still deployed in the wild. In the case of Exchange servers, we cannot stress it enough: the past year’s vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants if they were not already”, he added.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Sophisticated PhaaS Phish Toolkits are Now Genetrating Realistic Fake Phishing Pages

Cybersecurity experts are raising alarms over the proliferation of increasingly sophisticated phishing techniques that...

Critical Azure and Power Apps Vulnerabilities Allow Attackers to Exploit RCE

Microsoft has patched four critical security vulnerabilities affecting its Azure cloud services and Power...

How to Detecting Backdoors in Enterprise Networks

In today’s rapidly evolving cybersecurity landscape, enterprise networks face a particularly insidious threat: backdoors,...

Securing Windows Endpoints Using Group Policy Objects (GPOs): A Configuration Guide

Securing Windows endpoints is a top priority for organizations seeking to protect sensitive data...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Sophisticated PhaaS Phish Toolkits are Now Genetrating Realistic Fake Phishing Pages

Cybersecurity experts are raising alarms over the proliferation of increasingly sophisticated phishing techniques that...

Critical Azure and Power Apps Vulnerabilities Allow Attackers to Exploit RCE

Microsoft has patched four critical security vulnerabilities affecting its Azure cloud services and Power...

Bluetooth Core 6.1 Released – What’s New!

Bluetooth SIG’s decision to transition to a bi-annual release cadence marks a strategic pivot...