The malware is called SessionManager. It is a malicious native-code module for Microsoft's Internet Information Services (IIS), the widely used web server software that is a component of Exchange deployments.
The SessionManager backdoor allows threat actors to maintain persistent, update-resistant, and stealthy access to a targeted organization's IT infrastructure. Once inside the victim's system, the cybercriminals behind the backdoor can read company emails, extend their access by installing other types of malware, or quietly manage compromised servers for use as malicious infrastructure. SessionManager's capabilities include, among other things, the following:
dropping and managing arbitrary files on compromised servers
remote command execution on backdoored devices
connecting to and manipulating network traffic on the victim's local network
How it works
Following installation, the malicious IIS module allows its operators to harvest credentials from system memory, collect data from the victims' networks and infected devices, and deliver additional payloads (such as a PowerSploit-based Mimikatz reflective loader, Mimikatz SSP, ProcDump, and a legitimate Avast memory dump tool).
The Guyana National CIRT recommends checking loaded IIS modules on exposed IIS servers on a regular basis and focusing on detecting lateral movement and data exfiltration within the system, with special attention paid to outgoing traffic.
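The following script is an added example of the module check recommended above; it is not part of the CIRT advisory or of any vendor tooling. It reads the native modules registered in IIS's applicationHost.config, expands each image path, verifies the file's Authenticode signature, and flags entries that sit outside the folders where Microsoft-shipped modules normally live or that are unsigned or signed by a non-Microsoft publisher. The config path, the "expected" folders and the "Microsoft" signer pattern are assumptions for a default IIS install and should be tuned to the environment; a flagged module is a candidate for review, not a confirmed backdoor, since legitimate third-party modules will also appear.

```powershell
# Added example, not from the advisory: inventory native IIS modules and flag
# the ones that deserve a closer look. Run in an elevated PowerShell on the host.
# Assumptions: default IIS paths; Microsoft-shipped modules live under inetsrv or
# the .NET Framework folders; "expected" roots and signer match are tunable.

$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
if (-not (Test-Path $configPath)) { throw "applicationHost.config not found at $configPath" }

[xml]$appHost = Get-Content -Path $configPath -Raw

# Folders where Microsoft's own native modules are normally installed (assumption).
$expectedRoots = @(
    (Join-Path $env:windir 'System32\inetsrv'),
    (Join-Path $env:windir 'Microsoft.NET')
)

$findings = foreach ($mod in $appHost.configuration.'system.webServer'.globalModules.add) {
    # image paths in applicationHost.config usually contain %windir%; expand them
    $image = [Environment]::ExpandEnvironmentVariables($mod.image)

    $inExpectedRoot = $false
    foreach ($root in $expectedRoots) {
        if ($image.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inExpectedRoot = $true
        }
    }

    # Check the on-disk file's Authenticode signature and signer
    $sigStatus = 'FileMissing'
    $signer    = $null
    if (Test-Path $image) {
        $sig       = Get-AuthenticodeSignature -FilePath $image
        $sigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    $reasons = @()
    if (-not $inExpectedRoot)   { $reasons += 'image outside expected IIS/.NET folders' }
    if ($sigStatus -ne 'Valid') { $reasons += "signature status $sigStatus" }
    elseif ($signer -notmatch 'Microsoft') { $reasons += 'signed by non-Microsoft publisher' }

    [pscustomobject]@{
        Name      = $mod.name
        Image     = $image
        Signature = $sigStatus
        Signer    = $signer
        Review    = ($reasons -join '; ')   # empty string means nothing unusual found
    }
}

# Modules with review reasons sort to the top; save the full list as a baseline
# so future runs can be diffed against it (Compare-Object on the Name/Image columns).
$findings | Sort-Object Review -Descending | Format-Table -AutoSize
$findings | Export-Clixml -Path (Join-Path $env:TEMP 'iis-global-modules-baseline.xml')
```

Running this on a schedule and comparing each run's Name and Image columns against the stored baseline turns the advisory's "check loaded modules regularly" into a concrete change-detection step; any newly registered module, or an existing one whose image path or signer changes, is the event to investigate.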