Persistent Malware Hacked Microsoft Exchange Servers
A global campaign has been targeting on-premises Microsoft Exchange servers, with victims in several countries affected by a newly documented backdoor that gives the attackers persistent access to the compromised machines. The affected servers are Exchange installations run by the victim organizations themselves, not systems operated by Microsoft.
The campaign has been tracked to Europe, the Middle East, Asia, and Africa. Through the backdoor, the attackers gained a foothold on Exchange servers belonging to government bodies and military institutions, among other organizations.
Analysts describe the malware as a native-code module that is loaded by Microsoft's Internet Information Services (IIS), the web server component Exchange relies on for Outlook Web Access and its other HTTP services; it is not software that merely mimics IIS. Kaspersky's research team first noticed it in early 2022 and named it SessionManager.
According to Kaspersky's analysts, SessionManager gives the operators stealthy, persistent access to the victim's network. The backdoor is not itself a zero-day exploit: the servers were first compromised through the ProxyLogon vulnerabilities in Exchange, which were exploited in the wild from March 2021 onward, and SessionManager was then installed to retain access after the initial flaws were patched. Kaspersky found evidence of the backdoor being deployed since at least March 2021, in the wake of those mass ProxyLogon attacks.
Targets for SessionManager
The researchers list the main capabilities of SessionManager: dropping and managing arbitrary files on the compromised server, which on an Exchange host translates into access to business email and other sensitive data, and executing commands remotely. The most damaging capability from a defender's point of view is that the operators can quietly push additional malicious components through the backdoor, extending their persistence well beyond the original entry point.
The researchers also documented that compromised servers can be covertly controlled and later repurposed as infrastructure for further attacks. The module can read, write, and delete arbitrary files on the infected server and run arbitrary commands on it. It can also open connections to other endpoints on the victim's internal network and relay traffic through the server, so that hosts which are not exposed to the internet can be reached from outside.
Once the malicious IIS module is in place, the attackers can dump credentials from system memory and collect further data from the victim's network. Kaspersky observed additional payloads being deployed through the backdoor, including a PowerSploit-based reflective loader for Mimikatz, the Mimikatz SSP, ProcDump, and a legitimate memory dump tool from Avast.
Kaspersky, which tracked most of the known samples, found that 34 servers belonging to 24 organizations were still compromised when it investigated between April and June 2022. Some samples had also gone unflagged by a popular online file scanning service for several months after the backdoor was first identified, so a clean scan result should not be taken as proof that a server is free of it.
As a precaution, Kaspersky's GReAT analysts advise that every Exchange server be examined specifically for hidden backdoors installed as IIS modules. An implant of this kind does not beacon out to a command-and-control server; it sits inside the web server and reacts only to specially crafted HTTP requests, so ordinary network monitoring and file scanning can miss it. Servers that were exposed to the 2021 Exchange vulnerabilities should be assumed to have been of interest to attackers, and checked for lingering implants even if they have since been patched.