Kaspersky has revealed a “misdetected backdoor” it calls SessionManager that has been used against organizations in Africa, South Asia, Europe and the Middle East since at least March 2021.
“The SessionManager backdoor allows attackers to maintain persistent, update-resistant, and rather stealthy access to a targeted organization’s IT infrastructure,” Kaspersky says. “Once introduced into the victim’s system, the cybercriminals behind the backdoor can access company emails, update other malicious access by installing other types of malware, or clandestinely manage the compromised servers, which can be exploited as malicious infrastructure.”
SessionManager itself is a module for Microsoft’s Internet Information Services (IIS) web server. Kaspersky says the backdoor is an IIS module that monitors “seemingly legitimate but specifically crafted HTTP requests from their operators, triggers actions based on the operators’ hidden instructions where appropriate, and then transparently passes the request to the server to be served and treated like any other request.” All of this makes SessionManager quite difficult to detect.
Kaspersky notes that, on its face, SessionManager doesn’t appear to do anything malicious: monitoring HTTP requests is exactly what a web server is for. Anyone who doesn’t expect a server to receive these requests probably isn’t running IIS (at least not in a configuration susceptible to such an attack). The company says SessionManager files are also “often placed in overlooked locations that contain many other legitimate files” to make detection even more difficult.
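One practical check that follows from the two points above (a malicious IIS module looks like any other module, and its DLL tends to sit somewhere unremarkable) is to inventory the native modules IIS has registered and flag any whose DLL is loaded from outside the directory where Microsoft’s own modules live. The script below is an added example, not code from Kaspersky’s report or from the SessionManager samples. It parses the `<globalModules>` section of an IIS `applicationHost.config`; the sample configuration, the module name `SuspiciousModule` and its path are constructed for illustration, and the trusted directory is assumed to be the stock `%windir%\System32\inetsrv`.

```python
"""Flag native IIS modules registered from outside the stock inetsrv directory.

Added example (not from Kaspersky's report). IIS keeps its native module
registrations in applicationHost.config under
<system.webServer><globalModules>, one <add name="..." image="..."/> per DLL.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

# Where Microsoft's own IIS native modules are installed (assumed default).
TRUSTED_DIR = r"C:\Windows\System32\inetsrv"

# Default path of the configuration file on a real IIS host (assumed default).
DEFAULT_CONFIG_PATH = r"C:\Windows\System32\inetsrv\config\applicationHost.config"

# Constructed sample: two stock modules plus one loaded from a web root
# directory full of other legitimate files. The third entry is fictional.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="SuspiciousModule" image="C:\inetpub\wwwroot\bin\sm.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def expand_windows_vars(path, env):
    """Expand %VAR% tokens from a supplied mapping so the check runs offline
    on any platform (unknown variables are left untouched)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def _normalize(path):
    """Case-fold and normalise a Windows path for prefix comparison."""
    return ntpath.normcase(ntpath.normpath(path))


def find_suspicious_modules(config_xml, env=None, trusted_dir=TRUSTED_DIR):
    """Return (module name, expanded DLL path) for every <globalModules><add>
    whose image does not live under trusted_dir."""
    env = env or {"windir": r"C:\Windows"}
    trusted_prefix = _normalize(trusted_dir) + "\\"
    findings = []
    root = ET.fromstring(config_xml)
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            name = add.get("name", "")
            image = expand_windows_vars(add.get("image", ""), env)
            if not _normalize(image).startswith(trusted_prefix):
                findings.append((name, image))
    return findings


def scan_config_file(path=DEFAULT_CONFIG_PATH):
    """Read a real applicationHost.config and run the same check."""
    with open(path, encoding="utf-8") as fh:
        return find_suspicious_modules(fh.read())


if __name__ == "__main__":
    for name, image in find_suspicious_modules(SAMPLE_CONFIG):
        print(f"review native module {name!r}: loaded from {image}")
```

On a live host, run `scan_config_file()` and then verify each hit by hand: check the DLL’s Authenticode signature and whether the module was added during a known change window. A module living under inetsrv is not automatically benign either, so treat this as a first-pass filter rather than an allowlist.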
“Overall, 34 servers from 24 organizations in Europe, the Middle East, South Asia and Africa were compromised by SessionManager,” Kaspersky says. “The threat actor operating SessionManager shows particular interest in NGOs and government entities, but medical organizations, oil companies, transportation companies, among others, have also been targeted.”
Various factors, including the attempted use of malware called OwlProxy and the organizations targeted by SessionManager backdoors, led Kaspersky to attribute at least some of these activities to a group called Gelsemium. Lab52 published a report on OwlProxy; ESET has published a white paper describing previous activity of Gelsemium. Kaspersky notes that Gelsemium may not be the only group to use SessionManager, so this attribution is uncertain.