Session Manager Backdooring Microsoft Exchange server
Attackers are using a new backdoor, SessionManager, which can be used to gain persistent, undetected access to email and even to take over the target organization's infrastructure.
Researchers reported the emergence of SessionManager, which they say is part of a broader trend of attackers deploying malicious backdoor modules inside Internet Information Services (IIS) web servers on Windows, such as those hosting Microsoft Exchange.
The malicious SessionManager backdoor, first observed in March 2021, has been used to target NGOs across Africa, Europe, the Middle East, and South Asia.
Once SessionManager is deployed, operators use it to profile the infected environment further, gather passwords stored in memory, and install additional tools, including a PowerSploit-based reflective loader, Mimikatz SSP, ProcDump, and a legitimate Avast memory dump tool. The backdoor provides persistent, update-resistant and stealthy access.
SessionManager appears to be difficult to detect. According to the researchers' latest scan report, the malware is still present on the systems of 90% of the companies that were alerted to its presence when SessionManager was first discovered earlier this year.
Regular threat hunting for malicious modules on exposed IIS servers is recommended, with detection focused on lateral movement across the network and close monitoring of data exfiltration to the Internet.
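As an added example (not code from the researchers or the report above), the following Python triage script parses an IIS applicationHost.config and flags native modules whose DLL lives outside a trusted directory, which is one practical way to hunt for the malicious IIS modules described above. The trusted directories, the sample config, and the module names and paths in it are assumptions constructed for this example.

```python
"""Hunt for non-baseline native modules in an IIS applicationHost.config."""
import re
import xml.etree.ElementTree as ET

# Assumption: legitimate native modules live under these directories. Baseline
# and extend this tuple for your own Exchange / third-party installs.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\program files\\microsoft\\exchange server\\",
)

# Constructed sample config: three expected entries plus one module whose DLL
# was dropped into a writable temp directory (the name and path are made up).
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="ExchangeHttpProxy" image="C:\Program Files\Microsoft\Exchange Server\V15\Bin\HttpProxy.dll" />
      <add name="StoreModule" image="C:\Windows\Temp\store.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""


def normalize(path: str) -> str:
    """Lower-case the path and expand %windir%/%SystemRoot% for comparison."""
    return re.sub(r"%windir%|%systemroot%", r"c:\\windows", path.strip().lower())


def list_global_modules(config_xml: str) -> list[dict]:
    """Return every <globalModules><add> entry as {name, image}."""
    root = ET.fromstring(config_xml)
    mods = []
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            mods.append({"name": add.get("name"), "image": add.get("image", "")})
    return mods


def suspicious_modules(config_xml: str) -> list[dict]:
    """Flag global modules whose DLL path is outside TRUSTED_DIRS."""
    return [
        m for m in list_global_modules(config_xml)
        if not normalize(m["image"]).startswith(TRUSTED_DIRS)
    ]


if __name__ == "__main__":
    for m in suspicious_modules(SAMPLE_CONFIG):
        print(f"SUSPICIOUS native module {m['name']!r} -> {m['image']}")
```

Run it against configs collected from each exposed server; a DLL that sits inside a trusted directory can still be malicious, so also compare module names and file hashes against a known-good baseline.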