New SessionManager backdoor used by hackers to target MS Exchange

July 8, 2022
Session Manager Backdoor Malware Hacker Microsoft Exchange Server IIS Web Server

Malicious threat actors are utilising a newly uncovered malware called SessionManager, which can backdoor the servers of Microsoft Exchange. The targeted servers belonged to military and government companies based in the Middle East, Asia, Africa, and Europe.

According to the researchers, the SessionManager was first spotted by them in a recent campaign this year. The backdoor is a native-code module for Microsoft’s Internet Information Services web server software.

Furthermore, the SessionManager backdoor enables the malicious threat actors an update-resistant, persistent, and elusive access to the IT infrastructure of the targeted entity. Once the adversary drops the SessionManager inside the target’s system, they can use it to access company emails and update malicious entries by installing several payloads.

The backdoor can also use an Internet Information Services (ISS) module to deliver additional malware payloads such as the Mimikatz SSP, ProcDump, Avast memory dump tool, and Mimikatz reflective loader based on PowerSploit.

The malicious threat actors can also manage infected servers and exploit them as a hostile infrastructure. Researchers indicated that the SessionManager attacks were used in the wild without any trace of abuse since March last year. The attack commenced after the Chinese threat groups exploited the ProxyLogon flaws to attack the same Microsoft Exchange servers.


The SessionManager group may be linked to the Gelsemium threat group for cyber espionage attacks.


Cybersecurity experts stated that the victimology of the SessionManager backdoor overlaps the threat selection of the OwlProxy. Hence, the SessionManager backdoor may be affiliated with the Gelsemium threat group as part of an ongoing espionage campaign globally.

Moreover, both backdoor drops and manages arbitrary files on infected servers and remote command execution (RCE) on infected devices. Furthermore, it can be utilised by the threat actors to link endpoints inside the target’s local network and influence the network traffic.

The Internet Information Services (IIS) module then gathers essential credentials from system memory and harvests troves of data from the victims’ devices and networks.

Today, the malicious threat actors are heavily attacking the Microsoft Exchange servers with unpatched flaws. Companies and organisations should update their unpatched MS Exchange servers with the latest fixes. Lastly, employing threat intelligence services for better threat mitigation is also suggested.

About the author

Leave a Reply