Table of Contents
  • Home
  • /
  • Blog
  • /
  • How To Protect Your IIS Servers From The SessionManager Backdoor
July 5, 2022
|
6m

How To Protect Your IIS Servers From The SessionManager Backdoor


How To Protect Your Iis Servers From The Sessionmanager Backdoor

Recently, security engineers from Kaspersky detected a backdoor dubbed SessionManager. As per the report, the malware is created to target Microsoft IIS servers. Once deployed, the malware allows cyber criminals access to company emails and download additional malware to maintain persistent. The worst about the SessionManager backdoor is its poor detection rate. Most popular antivirus scan engines failed to detect most of the SessionManagers samples. Considering its severity and criticality in the infrastructure, we believe it is important to protect your IIS servers from the SessionManager backdoor.

Lets see how to protect your IIS servers from the SessionManager backdoor in this post. Before we talk about the protection, lets see some technical details about the SessionManager backdoor.

About The SessionManager Backdoor:

The SessionManager, which is written in C++, is a malicious native-code IIS module that is created to process legitimate HTTP requests going to the IIS server upon getting loaded by some IIS applications.

Practically, The SessionManager backdoor is difficult to identify with general monitoring techniques because it neither initiates suspicious communication to the external server nor receives commands from the remote servers as HTTP requests. Moreover, its files are placed in a location where legitimate files are placed.

Another reason that makes such backdoors hard to identify, according to Pierre Delcher, a security researcher, Such malicious modules usually expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators hidden instructions if any, then transparently pass the request to the server for it to be processed just like any other request.

Some of the capabilities of the SessionManager Backdoor are:

  1. The malware is able to perform read, write, and delete arbitrary files on the compromised IIS server.

  2. It can perform (RCE) Remote Command Execution on the victim server.

  3. SessionManager is capable of connecting other endpoints in the local area network and is able to read and modify such connections.

Considering its technical capabilities, its very important to protect your IIS servers from the SessionManager backdoor. To know more about the SessionManagers technical details with the working mechanism, please visit Securelist.com.

Victimology Of The SessionManager Backdoor:

The backdoor is identified in several countries in Europe, the Middle East, South Asia, and Africa. The malware has compromised one server per organization and one compromised organization per location; however, Vietnam is the main exception as several compromised servers from several organizations could be identified there. Its been said that there are still 20 organizations running a compromised server till the end of June 2022.

Pic: Picture by Kaspersky

The variant of the SessionManager backdoor is detected on 24 distinct organizations in Argentina, Armenia, China, Djibouti, Equatorial Guinea, Eswatini, Hong Kong, Indonesia, Kenya, Kuwait, Malaysia, Nigeria, Pakistan, Poland, the Russian Federation, Saudi Arabia, Taiwan, Thailand, Turkey, the United Kingdom, and Vietnam.

Cybercriminals are most likely targeted to infect government or military organizations. However, its also seen the malware targets international and national non-government organizations, electronic equipment manufacturers, shipbuilding companies, health care and surgery group,  local road transportation companies, state oil companies, state electricity companies, a sales kiosk manufacturer, and an ERP software editor.

How To Protect Your IIS Servers From The SessionManager Backdoor?

Considering the SessionManagers poor detection rates, there are chances of massive exploitations since March 2021. Practically, it is not an easy task to scan each and every IIS server deeply to identify the backdoor. Despite that, we suggest listing out all the loaded IIS modules in a running server and looking for malicious modules, and removing them to protect your IIS servers from the SessionManager backdoor.

To list the IIS modules on GUI:

  1. Click Start, type inetmgr in the Search box, and then press ENTER to open the IIS manager.

  2. Click the computer name of your IIS server.

  3. Click the Modules icon in the IIS category.

To remove the module from the application: 

Select the module in the list. Click Remove located in the Actions pane.

To list the IIS modules on CLI:

Run this command on CLI to list the modules enabled either for an application or globally:

Appcmd.exe list modules [/app.name:APPLICATION_NAME]

To disable a module either for a particular application or globally:

Appcmd.exe delete module MODULE_NAME [/app.name:APPLICATION_NAME]

To uninstall a module either for a particular application or globally:

Appcmd.exe uninstall module MODULE_NAME

In fact, deleting the module is not enough to protect your IIS servers from the SessionManager backdoor. You should follow these few steps:

Step 1. Take Memory Snapshot

Take a volatile memory snapshot of your IIS server.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/memory-dump-file-options

Step 2. Stop the IIS server

Stop the server or disconnect the system from the public network.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj635851(v=ws.11)

Step 3. Tack the back up all files and logs

Take the back up all files and logs from the IIS server and ensure your backup file is not correpted.

Step 4. Remove all the reference of the malicious module from apps and server configurations

Manually remove the reference in XML files or review the associated IIS XML configuration files to ensure reference to the malicious modules have been removed.

Step 5. Update the IIS server and Windows OS

It is good to update both IIS server and Windows operating system to fix the security vulnerabilities and bugs.

Step 6. Restart the IIS server or the machine

Read this document to restart the IIS server: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj635851(v=ws.11)

Indicators Of Compromise Of  The SessionManager Backdoor:

SessionManager

  • 5FFC31841EB3B77F41F0ACE61BECD8FD

  • 84B20E95D52F38BB4F6C998719660C35

  • 4EE3FB2ABA3B82171E6409E253BDDDB5

  • 2410D0D7C20597D9B65F237F9C4CE6C9

Mimikatz runners

  • 95EBBF04CEFB39DB5A08DC288ADD2BBC

  • F189D8EFA0A8E2BEE1AA1A6CA18F6C2B

PyInstaller-packed process creation wrapper

  • 65DE95969ADBEDB589E8DAFE903C5381

OwlProxy variant samples

  • 235804E3577EA3FE13CE1A7795AD5BF9

  • 30CDA3DFF9123AD3B3885B4EA9AC11A8

Possibly related password stealer

  • 5F15B17FA0E88D40D4E426E53CF94549

Files paths

  • %PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OWA\Auth\SessionManagerModule.dll

  • %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\SessionManagerModule.dll

  • %WINDIR%\System32\inetsrv\SessionManagerModule.dll

  • %WINDIR%\System32\inetsrv\SessionManager.dll

  • C:\Windows\Temp\ExchangeSetup\Exch.ps1

  • C:\Windows\Temp\Exch.exe

  • C:\Windows\Temp\vmmsi.exe

  • C:\Windows\Temp\safenet.exe

  • C:\Windows\Temp\upgrade.exe

  • C:\Windows\Temp\exupgrade.exe

  • C:\Windows\Temp\dvvm.exe

  • C:\Windows\Temp\vgauth.exe

  • C:\Windows\Temp\win32.exe

PDB Paths

  • C:\Users\GodLike\Desktop\t\t4\StripHeaders-master\x64\Release\sessionmanagermodule.pdb

  • C:\Users\GodLike\Desktop\t\t4\SessionManagerModule\x64\Release\sessionmanagermodule.pdb

  • C:\Users\GodLike\Desktop\t\t4\SessionManagerV2Module\x64\Release\sessionmanagermodule.pdb

  • C:\Users\GodLike\Desktop\t\t4\SessionManagerV3Module\x64\Release\sessionmanagermodule.pdb

  • C:\Users\GodLike\Desktop\t\t0\Hook-PasswordChangeNotify-master\HookPasswordChange\x64\Release\HookPasswordChange.pdb

IP addresses

  • 202.182.123[.]185 (Staging server, between 2021-03 and 04 at least)

  • 207.148.109[.]111 (Unidentified infrastructure)

We hope this post would help you know how to protect your IIS servers from the SessionManager backdoor. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this. 

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

How To

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe