AL2022_44 Attackers used a newly discovered malware to backdoor Microsoft Exchange servers (5th July 2022)

Description 

The Malware is called SessionManager, it is a malicious native-code module within Microsoft's Internet Information Services (IIS), a popular web server software that is part of Exchange systems. 

Summary 

The SessionManager backdoor allows threat actors to maintain persistent, update-resistant, and stealth access to a targeted organization's IT infrastructure. Once inside the victim's system, cybercriminals behind the backdoor can gain access to company emails, update further malicious access by installing other types of malwares, or secretly manage compromised servers that can be used as malicious infrastructure. SessionManager's capabilities include, among other things, the following: 

  • dropping and managing arbitrary files on compromised servers 

  • remote command execution on backdoored devices 

  • connecting to and manipulating network traffic on the victim's local network 

How it works 

Following installation, the malicious IIS module allows its operators to harvest credentials from system memory, collect data from the victims' networks and infected devices, and deliver additional payloads (such as a PowerSploit-based Mimikatz reflective loader, Mimikatz SSP, ProcDump, and a legitimate Avast memory dump tool). 

Remediation 

The Guyana National CIRT recommends checking loaded IIS modules on exposed IIS servers on a regular basis and focusing on detecting lateral movement and data exfiltration within the system, with special attention paid to outgoing traffic. 

PDF Download: Newly discovered malware used to backdoor Microsoft Exchange servers.pdf

References