A stealthy new malware backdoor, called SessionManager by the security researchers who discovered it, has been identified together with the alarming timeline of its past use: over the entire 15 months since the last major Microsoft Exchange server zero-day exploit was first used to compromise tens of thousands of organizations worldwide.
SessionManager masquerades as a legitimate Internet Information Services (IIS) module—IIS being the default web server for Microsoft Exchange servers. Kaspersky security researchers have so far confirmed that 34 servers belonging to 24 different organizations of various types have all been running while infected with SessionManager since Spring 2021.
The power, persistence, and stealth offered by malicious IIS modules make them a favorite among attackers trying to establish backdoors on target systems. The malware responds to specially designed HTTP requests received by the infected systems which initiate email collection, add access paths, launch attacks against other systems, and more. These HTTP request triggers are indistinguishable from common requests for those who are not trained to identify the right characters.
Kaspersky researcher Pierre Delcher explained, “Such malicious modules usually expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators’ hidden instructions if any, then transparently pass the request to the server for it to be processed just like any other request.” Delcher went on to say, “As a result, such modules are not easily spotted by usual monitoring practices: they do not necessarily initiate suspicious communications to external servers, receive commands through HTTP requests to a server that is specifically exposed to such processes, and their files are often placed in overlooked locations that contain a lot of other legitimate files.”
Below is a representation of the common command and control operations for SessionManager:
If SessionManager is active on a system, its controllers can also install additional tools, such as a PowerSploit-based reflective loader, Mimikat SSP, ProcDump, or an Avast memory dump tool that is designed to appear legitimate to security solutions. In the course of its research efforts, Kaspersky managed to assess a number of SessionManager versions, which indicate the malicious users have adjusted functionality to improve its efficacy over time. Below are the features of the latest version:
(SM_SESSION Cookie Value)
FILEPATH: path of file to be read. FILEPOS1: offset at which to start reading, from file start.
FILEPOS2: maximum number of bytes to read.
Read the content of a file on the compromised server and send it to the operator as an HTTP binary file named cool.rar.
FILEPATH: path of file to be written.
FILEPOS1: offset at which to start writing.
FILEPOS2: offset reference.
FILEMODE: requested file access type.
Write arbitrary content to a file on the compromised server. The data to be written in the specified file is passed within the HTTP request body.
FILEPATH: path of file to be deleted.
Delete a file on the compromised server.
FILEPATH: path of file to be measured.
Get the size (in bytes) of the specified file.
Run an arbitrary process on the compromised server. The process to run and its arguments are specified in the HTTP request body using the format: <executable path>\t<arguments>. The standard output and error data from process execution are sent back as plain text to the operator in the HTTP response body.
Check for SessionManager deployment. The “Wokring OK” (sic.) message will be sent to the operator in the HTTP response body.
S5HOST: hostname to connect to (exclusive with S5IP).
S5PORT: offset at which to start writing.
S5IP: IP address to connect to if no hostname is given (exclusive with S5HOST).
S5TIMEOUT: maximum delay in seconds to allow for connection.
Connect from compromised host to a specified network endpoint, using a created TCP socket. The integer identifier of the created and connected socket will be returned as the value of the S5ID cookie variable in the HTTP response, and the status of the connection will be reported in the HTTP response body.
S5ID: identifier of the socket to write to, as returned by S5CONNECT.
Write data to the specified connected socket. The data to be written in the specified socket is passed within the HTTP request body.
S5ID: identifier of the socket to read from, as returned by S5CONNECT.
Read data from the specified connected socket. The read data is sent back within the HTTP response body.
S5ID: identifier of the socket to close, as returned by S5CONNECT.
Terminate an existing socket connection. The status of the operation is returned as a message within the HTTP response body.
SessionManager is a second-stage exploitation tool, used after other Microsoft Exchange vulnerabilities such as ProxyLogon have been exploited. The range of confirmed targets include government agencies, military entities, non-government organizations (NGOs), and businesses across the continents of Europe, Africa, Asia, and South America.
The confidence rating assigned by the Kaspersky for attribution of the attacks the researchers have studied is “medium-to-high” for a threat actor dubbed Gelsemium, based on similarities in the victim profiles and in the code used in SessionManager and past campaigns.
Incident response is a complicated process for infections of this nature, and threat hunting experts may need to be called in by organizations that have been compromised to ensure the unauthorized access is fully eradicated. Still, having a robust incident response plan and training key personnel on their roles and responsibilities goes a long way toward reducing risks associated with these types of attacks. Webcheck Security can assist your organization with an analysis of its incident response plan and other components of its security program. Contact Webcheck today for a free quote for these and other security services.
Author: Webcheck Fractional CISO, Ben Card