Recently, security engineers from Kaspersky detected a backdoor dubbed SessionManager. As per the report, the malware is created to target Microsoft IIS servers. Once deployed, the malware allows cyber criminals access to company emails and download additional malware to maintain persistent. The worst about the SessionManager backdoor is its poor detection rate. Most popular antivirus scan engines failed to detect most of the SessionManager’s samples. Considering its severity and criticality in the infrastructure, we believe it is important to protect your IIS servers from the SessionManager backdoor.
Let’s see how to protect your IIS servers from the SessionManager backdoor in this post. Before we talk about the protection, let’s see some technical details about the SessionManager backdoor.
About The SessionManager Backdoor:
The SessionManager, which is written in C++, is a malicious native-code IIS module that is created to process legitimate HTTP requests going to the IIS server upon getting loaded by some IIS applications.
Practically, The SessionManager backdoor is difficult to identify with general monitoring techniques because it neither initiates suspicious communication to the external server nor receives commands from the remote servers as HTTP requests. Moreover, its files are placed in a location where legitimate files are placed.
Another reason that makes such backdoors hard to identify, according to Pierre Delcher, a security researcher, “Such malicious modules usually expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators’ hidden instructions if any, then transparently pass the request to the server for it to be processed just like any other request.”
Some of the capabilities of the SessionManager Backdoor are:
- The malware is able to perform read, write, and delete arbitrary files on the compromised IIS server.
- It can perform (RCE) Remote Command Execution on the victim server.
- SessionManager is capable of connecting other endpoints in the local area network and is able to read and modify such connections.
Considering its technical capabilities, it’s very important to protect your IIS servers from the SessionManager backdoor. To know more about the SessionManager’s technical details with the working mechanism, please visit Securelist.com.
Victimology Of The SessionManager Backdoor:
The backdoor is identified in several countries in Europe, the Middle East, South Asia, and Africa. The malware has compromised one server per organization and one compromised organization per location; however, Vietnam is the main exception as several compromised servers from several organizations could be identified there. It’s been said that there are still 20 organizations running a compromised server till the end of June 2022.
The variant of the SessionManager backdoor is detected on 24 distinct organizations in Argentina, Armenia, China, Djibouti, Equatorial Guinea, Eswatini, Hong Kong, Indonesia, Kenya, Kuwait, Malaysia, Nigeria, Pakistan, Poland, the Russian Federation, Saudi Arabia, Taiwan, Thailand, Turkey, the United Kingdom, and Vietnam.
Cybercriminals are most likely targeted to infect government or military organizations. However, it’s also seen the malware targets international and national non-government organizations, electronic equipment manufacturers, shipbuilding companies, health care and surgery group, local road transportation companies, state oil companies, state electricity companies, a sales kiosk manufacturer, and an ERP software editor.
How To Protect Your IIS Servers From The SessionManager Backdoor?
Considering the SessionManager’s poor detection rates, there are chances of massive exploitations since March 2021. Practically, it is not an easy task to scan each and every IIS server deeply to identify the backdoor. Despite that, we suggest listing out all the loaded IIS modules in a running server and looking for malicious modules, and removing them to protect your IIS servers from the SessionManager backdoor.
To list the IIS modules on GUI:
- Click Start, type inetmgr in the Search box, and then press ENTER to open the IIS manager.
- Click the computer name of your IIS server.
- Click the Modules icon in the IIS category.
To remove the module from the application:
Select the module in the list. Click Remove located in the Actions pane.
To list the IIS modules on CLI:
Run this command on CLI to list the modules enabled either for an application or globally:
Appcmd.exe list modules [/app.name:APPLICATION_NAME]To disable a module either for a particular application or globally:
Appcmd.exe delete module MODULE_NAME [/app.name:APPLICATION_NAME]To uninstall a module either for a particular application or globally:
Appcmd.exe uninstall module MODULE_NAMEIn fact, deleting the module is not enough to protect your IIS servers from the SessionManager backdoor. You should follow these few steps:
Time needed: 30 minutes.
How To Protect Your IIS Servers From The SessionManager Backdoor?
- Take Memory Snapshot
Take a volatile memory snapshot of your IIS server.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/memory-dump-file-options - Stop the IIS server
Stop the server or disconnect the system from the public network.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj635851(v=ws.11) - Tack the back up all files and logs
Take the back up all files and logs from the IIS server and ensure your backup file is not correpted.
- Remove all the reference of the malicious module from apps and server configurations
Manually remove the reference in XML files or review the associated IIS XML configuration files to ensure reference to the malicious modules have been removed.
- Update the IIS server and Windows OS
It is good to update both IIS server and Windows operating system to fix the security vulnerabilities and bugs.
- Restart the IIS server or the machine
Read this document to restart the IIS server: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj635851(v=ws.11)
Indicators Of Compromise Of The SessionManager Backdoor:
SessionManager
- 5FFC31841EB3B77F41F0ACE61BECD8FD
- 84B20E95D52F38BB4F6C998719660C35
- 4EE3FB2ABA3B82171E6409E253BDDDB5
- 2410D0D7C20597D9B65F237F9C4CE6C9
Mimikatz runners
- 95EBBF04CEFB39DB5A08DC288ADD2BBC
- F189D8EFA0A8E2BEE1AA1A6CA18F6C2B
PyInstaller-packed process creation wrapper
- 65DE95969ADBEDB589E8DAFE903C5381
OwlProxy variant samples
- 235804E3577EA3FE13CE1A7795AD5BF9
- 30CDA3DFF9123AD3B3885B4EA9AC11A8
Possibly related password stealer
- 5F15B17FA0E88D40D4E426E53CF94549
Files paths
- %PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OWA\Auth\SessionManagerModule.dll
- %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\SessionManagerModule.dll
- %WINDIR%\System32\inetsrv\SessionManagerModule.dll
- %WINDIR%\System32\inetsrv\SessionManager.dll
- C:\Windows\Temp\ExchangeSetup\Exch.ps1
- C:\Windows\Temp\Exch.exe
- C:\Windows\Temp\vmmsi.exe
- C:\Windows\Temp\safenet.exe
- C:\Windows\Temp\upgrade.exe
- C:\Windows\Temp\exupgrade.exe
- C:\Windows\Temp\dvvm.exe
- C:\Windows\Temp\vgauth.exe
- C:\Windows\Temp\win32.exe
PDB Paths
- C:\Users\GodLike\Desktop\t\t4\StripHeaders-master\x64\Release\sessionmanagermodule.pdb
- C:\Users\GodLike\Desktop\t\t4\SessionManagerModule\x64\Release\sessionmanagermodule.pdb
- C:\Users\GodLike\Desktop\t\t4\SessionManagerV2Module\x64\Release\sessionmanagermodule.pdb
- C:\Users\GodLike\Desktop\t\t4\SessionManagerV3Module\x64\Release\sessionmanagermodule.pdb
- C:\Users\GodLike\Desktop\t\t0\Hook-PasswordChangeNotify-master\HookPasswordChange\x64\Release\HookPasswordChange.pdb
IP addresses
- 202.182.123[.]185 (Staging server, between 2021-03 and 04 at least)
- 207.148.109[.]111 (Unidentified infrastructure)
We hope this post would help you know how to protect your IIS servers from the SessionManager backdoor. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
