Kaspersky finds SessionManager backdoor left by malware in IIS/Exchange servers worldwide

Security vendor Kaspersky has come across a little-known backdoor, undetected by antivirus solutions, that malware leaves behind as an IIS module on Microsoft Exchange servers. Exchange systems worldwide are infected with this so-called SessionManager backdoor. The SessionManager backdoor enables a wide range of malicious activities, from collecting emails to taking complete control over the victim's infrastructure. The newly discovered backdoor was first deployed in late March 2021 and has hit government and non-government organizations in Africa, South Asia, Europe and the Middle East. Most of the organizations attacked remain compromised to this day.


The topic caught my eye several times right away, for example at Bleeping Computer, which links to this Kaspersky press release, but also in the following tweet from Catalin Cimpanu, which links to this article from Kaspersky.

SessionManager backdoor in IIS/Exchange servers

The current trend is for cybercriminals to try to plant a backdoor in the IIS instance of Exchange servers and then launch their activities from there. Back in December 2021, Kaspersky discovered "Owowa", a previously unknown IIS module that steals the credentials a user enters when logging into Outlook Web Access (OWA). Since then, Kaspersky experts have been on the lookout for similar backdoors that exploit one of the ProxyLogon vulnerabilities in Microsoft Exchange servers. During a recent investigation, Kaspersky experts came across a new unwanted backdoor module called SessionManager.

The SessionManager backdoor gives threat actors persistent, update-resistant and rather unobtrusive access to a target company's IT infrastructure. Once the backdoor has been injected into the victim's system, the cybercriminals can use it to access corporate emails, extend their malicious access by installing other types of malware, or secretly manage compromised servers that can then be used as malicious infrastructure.

A distinctive feature of SessionManager is its low detection rate, the security researchers write. Some of the backdoor samples discovered by Kaspersky researchers in early 2022 were still not classified as malicious by most popular online file scanning services. According to an Internet survey conducted by Kaspersky researchers, SessionManager is still in use in more than 90% of affected organizations.


In total, 34 servers from 24 organizations in Europe, the Middle East, South Asia and Africa were compromised by SessionManager. The threat actor running SessionManager shows a particular interest in non-governmental organizations and government institutions, but medical organizations, oil companies, transportation companies and others were also attacked.

Due to certain similarities and the use of the common "OwlProxy" variant, Kaspersky experts assume that the malicious IIS module was used by the GELSEMIUM threat actor as part of its espionage operations. Details and recommended actions can be found in this Kaspersky article.
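As an added example (not code from Kaspersky or from the original post): because the backdoor is an IIS module, one practical check is to compare the native modules registered under `<globalModules>` in applicationHost.config with a known-good baseline. The config excerpt, the baseline, and the `CacheHelper` name and the non-standard paths are constructed for illustration.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of an applicationHost.config (not taken from a real server).
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpCacheModule" image="%SystemRoot%\system32\inetsrv\cachhttp.dll" />
      <add name="StaticFileModule" image="C:\inetpub\temp\static.dll" />
      <add name="kerbauth" image="C:\Program Files\Microsoft\Exchange Server\V15\Bin\kerbauth.dll" />
      <add name="CacheHelper" image="C:\ProgramData\cachehelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Constructed baseline: module name (lower case) -> image path on a known-good build.
BASELINE = {
    "httpcachemodule": r"%windir%\System32\inetsrv\cachhttp.dll",
    "staticfilemodule": r"%windir%\System32\inetsrv\static.dll",
    "kerbauth": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\kerbauth.dll",
}

def normalize(image, windir=r"C:\Windows"):
    """Expand %windir%/%SystemRoot% and normalise case and separators."""
    expanded = re.sub(r"%(windir|systemroot)%", lambda m: windir, image, flags=re.I)
    return ntpath.normcase(ntpath.normpath(expanded))

def audit_global_modules(config_xml, baseline):
    """Return (name, image, reason) for every native module that deviates."""
    findings = []
    root = ET.fromstring(config_xml)
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            name = entry.get("name", "")
            image = normalize(entry.get("image", ""))
            expected = baseline.get(name.lower())
            if expected is None:
                findings.append((name, image, "not in baseline"))
            elif normalize(expected) != image:
                findings.append((name, image, "image path differs from baseline"))
    return findings

if __name__ == "__main__":
    for name, image, reason in audit_global_modules(SAMPLE_CONFIG, BASELINE):
        print(f"REVIEW {name}: {image} ({reason})")
```

A flagged entry is a lead for review, not a verdict: check the file's signature, hash and creation time before drawing conclusions.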
