"New 'SessionManager' Backdoor Targeting Microsoft IIS Servers in the Wild"

A newly discovered malware dubbed SessionManager has been used in the wild since at least March 2021 to backdoor Microsoft Exchange servers belonging to various entities worldwide, with infections still present in 20 organizations as of June 2022. Once one of the ProxyLogon flaws in an Exchange server has been exploited, SessionManager is deployed masquerading as a module for Internet Information Services (IIS), the web server software for Windows systems. Those that have been targeted by SessionManager include 24 different NGOs, government, military, and industrial organizations across Africa, South America, Asia, Europe, Russia, and the Middle East. A SessionManager variant has compromised a total of 34 servers to date. SessionManager, which is referred to as a "lightweight persistent initial access backdoor," can read, write, and delete arbitrary files, as well as run server-side binaries and establish communications with other endpoints within a network. The malware also serves as a covert channel for reconnaissance, gathering in-memory passwords, and delivering additional tools such as Mimikatz and an Avast memory dump utility. This article continues to discuss findings surrounding the capabilities and techniques of the SessionManager backdoor.
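Because the backdoor persists by registering itself as an IIS module, a defender-side check is to review the native modules IIS is configured to load. The following is an added example, not code from the article or from the researchers it summarises: it parses the `<globalModules>` section of an IIS `applicationHost.config` and flags any module whose DLL sits outside the standard IIS and .NET directories. The configuration snippet, the module name and the trusted-directory baseline are constructed assumptions to be tuned per server.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample modelled on the <globalModules> section of IIS's
# applicationHost.config; the last entry stands in for a planted native module.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="ManagedEngine64" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="SessionManagerModule" image="C:\Windows\Temp\sessionmanager.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Assumption: on a stock server every native module ships from one of these trees.
# Tune this baseline per host; verified third-party modules should be added here.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Windows\System32\inetsrv"),
    PureWindowsPath(r"C:\Windows\Microsoft.NET"),
)


def normalise_image(image: str) -> PureWindowsPath:
    """Expand the environment variables IIS commonly uses in module paths."""
    expanded = re.sub(r"%(windir|SystemRoot)%", lambda _m: r"C:\Windows", image, flags=re.I)
    return PureWindowsPath(expanded)


def is_trusted_image(image: str) -> bool:
    """True when the DLL lives inside one of the trusted directory trees (case-insensitive)."""
    path = normalise_image(image)
    return any(root == path or root in path.parents for root in TRUSTED_ROOTS)


def suspicious_native_modules(config_xml: str) -> list[tuple[str, str]]:
    """Return (name, image) for every <globalModules> entry loaded from an untrusted location."""
    findings = []
    for global_modules in ET.fromstring(config_xml).iter("globalModules"):
        for add in global_modules.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            if image and not is_trusted_image(image):
                findings.append((name, image))
    return findings


if __name__ == "__main__":
    for name, image in suspicious_native_modules(SAMPLE_CONFIG):
        print(f"review: {name} -> {image}")
```

A hit only means the module is outside the baseline and needs verification (publisher signature, install record), not that it is malicious.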

THN reports "New 'SessionManager' Backdoor Targeting Microsoft IIS Servers in the Wild"
