
Kaspersky security experts have discovered new backdoor malware, dubbed ‘SessionManager,’ targeting Microsoft Exchange servers belonging to several organizations worldwide.
The malware, which the company first spotted in early 2022, enables threat actors to maintain persistent, update-resistant, and stealthy access to a targeted organization’s IT infrastructure.
Kaspersky wrote in an advisory on Thursday that, once it had spread, SessionManager would allow a variety of malicious activities, from email collection to complete control over the victim’s infrastructure.
According to the security researchers’ analyses, SessionManager’s threat actors (TA) first appeared in late March 2021. According to Kaspersky, thirty-four servers from 24 organizations in Africa, South Asia, Europe, and the Middle East were affected, with the majority of them still infected.
The threat actor behind SessionManager is particularly interested in NGOs and government organizations, but other targets include transportation, oil, and medical organizations. Additionally, Kaspersky cautioned that SessionManager’s low detection rate by antivirus software is a distinguishing feature.
According to a Kaspersky Internet scan, SessionManager is still used in more than 90% of the targeted organizations today. Security experts who investigated the matter of attribution found that SessionManager shares similarities with “Owowa,” a previously unidentified Internet Information Services (IIS) module that stole login credentials entered by a user when logging into Outlook Web Access (OWA).
According to Kaspersky, threat actors who previously exploited a “ProxyLogon-type” vulnerability within Microsoft Exchange servers have shown a trend toward installing backdoors within IIS. These similarities, combined with the widespread “OwlProxy” variant, led Kaspersky to conclude in its advisory that the Gelsemium threat actor may have used the malicious IIS module.