Kaspersky has revealed a “low-detectable backdoor” it calls SessionManager that has been used against organizations in Africa, South Asia, Europe and the Middle East since at least March 2021.
The SessionManager backdoor gives threat actors persistent, update-resistant and relatively stealthy access to a targeted organization's IT infrastructure, Kaspersky says. "Once inside the victim's system, cybercriminals operating behind the backdoor can access company emails, update malicious access by installing other types of malware, or secretly manage compromised servers, which can be leveraged as malicious infrastructure."
SessionManager itself is a malicious module for Internet Information Services (IIS), Microsoft's web server software. Kaspersky says the backdoor, running as an IIS module, watches for "seemingly legitimate but tailored HTTP requests from its operators, launches actions based on operators' hidden instructions if any, and then transparently passes the request to the server until it is processed just like any other request." All of this is said to make SessionManager difficult to detect.
Kaspersky notes that SessionManager does not appear to be doing anything malicious, because inspecting HTTP requests is exactly what a web server and its modules are supposed to do. Anyone who does not expect their server to receive such requests is probably not running IIS at all (or at least not in a configuration exposed to this kind of attack). The company adds that SessionManager files are also "often placed in overlooked locations that contain a lot of other legitimate files" to make detection more difficult.
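As an added defender-side check (not code from the article or from Kaspersky's report), the script below parses the IIS applicationHost.config and flags any native module whose DLL is registered outside the stock inetsrv directory, which is where an unexpected module like the one described above would show up. The config snippet is constructed, and the script assumes %windir% resolves to C:\Windows.

```python
"""Flag IIS native modules whose DLL lives outside the stock inetsrv directory.

Added example for this article; not code from Kaspersky or from the report it
covers. Assumes the standard applicationHost.config layout, in which native
modules are registered under <globalModules> as <add name="..." image="..."/>.
"""
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample config: two stock IIS modules and one registered from a
# directory full of other files, where a backdoor module could hide.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticCompressionModule" image="%windir%\System32\inetsrv\compstat.dll" />
      <add name="CacheModule" image="C:\Windows\Temp\cache.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Assumption: a default Windows install, so %windir% resolves to C:\Windows.
WINDIR = r"C:\Windows"
STOCK_MODULE_DIR = ntpath.join(WINDIR, "System32", "inetsrv").lower()


def resolve_image(image):
    """Expand %windir% and normalise the path for a case-insensitive compare."""
    expanded = image.replace("%windir%", WINDIR).replace("%WINDIR%", WINDIR)
    return ntpath.normpath(expanded).lower()


def suspicious_modules(config_xml):
    """Return (name, image) for every global module not loaded from inetsrv."""
    root = ET.fromstring(config_xml)
    flagged = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            if ntpath.dirname(resolve_image(image)) != STOCK_MODULE_DIR:
                flagged.append((name, image))
    return flagged


if __name__ == "__main__":
    for name, image in suspicious_modules(SAMPLE_CONFIG):
        print(f"review module {name!r} loaded from {image}")
```

On a live server the file to read is %windir%\System32\inetsrv\config\applicationHost.config; a module flagged this way still needs its DLL's signature and hash checked before it is treated as hostile, since legitimate third-party modules are also installed outside inetsrv.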
“Overall, 34 servers from 24 organizations from Europe, the Middle East, South Asia and Africa were hacked by SessionManager,” Kaspersky says. “The threat actor who runs SessionManager shows a particular interest in NGOs and government agencies, but medical organizations, oil companies, transportation companies, and others have also been targeted.”
A number of factors, including the attempted use of a malware called OwlProxy on the same victims and the profile of the organizations targeted with SessionManager, have led Kaspersky to attribute at least some of this activity to a group known as Gelsemium. Lab52 has published a report on OwlProxy, and ESET has published a white paper describing Gelsemium's earlier activity. Kaspersky notes, however, that this attribution is not certain, and that Gelsemium may not be the only group using SessionManager.