Kaspersky has revealed a "poorly detected backdoor" it calls SessionManager that has been used against organizations in Africa, South Asia, Europe, and the Middle East since at least March 2021.
"The SessionManager backdoor enables threat actors to keep persistent, update-resistant, and rather stealth access to the IT infrastructure of a targeted organization," Kaspersky says. "Once dropped into the victim's system, cybercriminals behind the backdoor can gain access to company emails, update further malicious access by installing other types of malware, or clandestinely manage compromised servers, which can be leveraged as malicious infrastructure."
SessionManager itself is a module for the Internet Information Services (IIS) web server from Microsoft. Kaspersky says the backdoor is an IIS module that watches for "seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators' hidden instructions if any, then transparently pass the request to the server for it to be processed just like any other request." All of which reportedly makes SessionManager fairly difficult to detect.
Kaspersky notes that SessionManager doesn't appear to be doing anything malicious—the whole point of a web server is to watch for HTTP requests. Anyone who doesn't expect a server to receive those requests probably isn't running IIS. (At least not in a configuration susceptible to such an attack.) The company says that SessionManager's files are also "often placed in overlooked locations that contain a lot of other legitimate files" to make detection even more difficult.
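Because a native IIS module has to be registered in applicationHost.config before the server will load it, that registration is a durable place for defenders to look, whatever directory the DLL itself was dropped into. The following is an added example, not code from Kaspersky or the report: it parses a constructed config fragment and flags global modules whose DLL lives outside the stock inetsrv directories. The expected directories, the environment defaults, and the sample module name and path are all assumptions.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Constructed fragment of an IIS applicationHost.config. The third entry is a
# made-up name and path standing in for an unexpected native module; it is not
# an indicator taken from the Kaspersky report.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="AppInitModule" image="C:\Windows\Temp\sample_module.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directories that hold the stock IIS native modules on a default install.
# Assumption: extend this for hosts that legitimately load third-party modules.
EXPECTED_DIRS = {r"c:\windows\system32\inetsrv", r"c:\windows\syswow64\inetsrv"}

# Values used to expand %VAR% references offline (assumed defaults, so the
# check works on a copied config without touching the analyst's environment).
DEFAULT_ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows"}


def expand_env(path, env):
    """Expand Windows-style %VAR% references from the supplied mapping only."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def find_unexpected_modules(config_xml, env=DEFAULT_ENV):
    """Return (module name, DLL path) for every <globalModules> entry whose DLL
    sits outside the stock inetsrv directories. A backdoor registered as a
    native module appears here exactly like a legitimate one, so the path is
    the first thing worth reviewing."""
    root = ET.fromstring(config_xml)
    findings = []
    for global_modules in root.iter("globalModules"):
        for entry in global_modules.findall("add"):
            name = entry.get("name", "")
            image = expand_env(entry.get("image", ""), env)
            parent = ntpath.dirname(ntpath.normpath(image)).lower()
            if parent not in EXPECTED_DIRS:
                findings.append((name, image))
    return findings


if __name__ == "__main__":
    for name, image in find_unexpected_modules(SAMPLE_CONFIG):
        print(f"review: module {name!r} loads {image}")
```

On a live host the same listing comes from Get-WebGlobalModule in the WebAdministration PowerShell module; the offline parse is for triaging a copied config, and a module in the expected directory still deserves a signature check.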
"Overall, 34 servers of 24 organizations from
Read more on pcmag.com