Hackers have been using a new piece of malware to back door Microsoft Exchange servers for the past 15 months
Published on July 1, 2022
According to a report by Ars Technica, researchers at Kaspersky have identified a new piece of malware dubbed SessionManager that hackers have been using to backdoor Microsoft Exchange servers for the past 15 months.
Internet Information Services (IIS) is installed as the web server by default on Exchange servers, and organizations routinely "deploy IIS modules to streamline specific processes on their web infrastructure". SessionManager abuses that extension point: it is loaded by IIS as a module and presents itself as a legitimate one.
Based on information gathered by Kaspersky's researchers, "34 servers belonging to 24 organizations" have been infected with SessionManager since March 2021. As of early June, Kaspersky indicated that 20 of those organizations still had infected servers.
Malicious IIS modules such as SessionManager provide "an ideal means to deploy powerful, persistent, and stealthy backdoors". The module responds to specially crafted HTTP requests sent by its operator, which lets the attackers read the organization's email and keep their access to the server. Telling these malicious requests apart from ordinary HTTP traffic is difficult.
According to the blog post, "Such malicious modules usually expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators' hidden instructions if any, then transparently pass the request to the server for it to be processed just like any other request," Kaspersky researcher Pierre Delcher wrote. "As a result, such modules are not easily spotted by usual monitoring practices: they do not necessarily initiate suspicious communications to external servers, receive commands through HTTP requests to a server that is specifically exposed to such processes, and their files are often placed in overlooked locations that contain a lot of other legitimate files."
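One check a defender can run directly on an Exchange host follows the logic of the quote above: since a malicious module must be registered with IIS to receive requests, the registration itself is visible even when the traffic is not. The script below is an added example, not code from the article or from Kaspersky's report. It reads the server's applicationHost.config (the file in which IIS registers native global modules), expands each module's image path, and flags any module loaded from outside a set of assumed-trusted directories or whose DLL does not carry a valid Authenticode signature. The trusted-directory list, the `Expand-IisImagePath` helper and the output column names are this example's own assumptions; adjust them to your deployment.

```powershell
# Added example (not from the article or Kaspersky's report): list the native IIS global
# modules registered on this host and flag the ones that look out of place.
# Run from an elevated PowerShell prompt on the Exchange/IIS server.

$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$config = Get-Content -Path $configPath -Raw

# Directories from which legitimate global modules are normally loaded.
# This list is an assumption for the example; extend it for your environment
# (e.g. a PHP or URL Rewrite install directory) rather than loosening the check.
$trustedRoots = @(
    (Join-Path $env:windir 'System32\inetsrv'),
    (Join-Path $env:windir 'Microsoft.NET'),
    (Join-Path $env:ProgramFiles 'IIS'),
    $env:ExchangeInstallPath
) | Where-Object { $_ }

function Expand-IisImagePath {
    param([string]$Image)
    # applicationHost.config stores paths with %windir%-style variables; expand them
    # so that the path can be compared and the file can be opened.
    return [System.Environment]::ExpandEnvironmentVariables($Image)
}

$findings = foreach ($module in $config.configuration.'system.webServer'.globalModules.add) {
    $image = Expand-IisImagePath $module.image

    # A module is "in a trusted root" only if its expanded path starts with one of them.
    $inTrustedRoot = $false
    foreach ($root in $trustedRoots) {
        if ($image.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inTrustedRoot = $true
        }
    }

    # Signature status is the stronger signal: a dropped DLL sitting among legitimate
    # files still fails this check unless the attacker also holds a trusted code-signing cert.
    $signature = if (Test-Path -LiteralPath $image) {
        (Get-AuthenticodeSignature -FilePath $image).Status
    } else {
        'FileMissing'
    }

    [pscustomobject]@{
        Name          = $module.name
        Image         = $image
        InTrustedRoot = $inTrustedRoot
        Signature     = $signature
        Suspicious    = (-not $inTrustedRoot) -or ("$signature" -ne 'Valid')
    }
}

# Suspicious entries first; review each one against a known-clean server of the same build.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The path test on its own is weak, because, as the quote notes, a malicious module can be placed among legitimate files in an expected directory; the signature column is the more reliable indicator, and the strongest check is to diff this listing against the same output from a known-clean Exchange server running the same version. Modules can also be registered per site or per application in web.config files, so a complete review covers those files as well.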
Once the backdoor is in place, the attackers can use it to harvest credentials from the server's memory and to install additional tools, such as a PowerSploit-based reflective loader, Mimikat SSP, ProcDump, and a legitimate Avast memory dump tool.
Kaspersky further speculates that a threat group tracked as Gelsemium could be behind SessionManager. The researchers also note that removing the backdoor and recovering from the compromise is not a straightforward process.
Radu Tyrsina
Radu Tyrsina has been a Windows fan ever since he got his first PC, a Pentium III (a monster at that time).
For most of the kids of his age, the Internet was an amazing way to play and communicate with others, but he was deeply impressed by the flow of information and how easily you can find anything on the web.
Prior to founding Windows Report, this particular curiosity about digital content enabled him to grow a number of sites that helped hundreds of millions of people find the answers they were looking for faster.