New IIS Web Server Backdoor: SessionManager

VTA-00419 – New IIS Web Server Backdoor: SessionManager

Following the ProxyLogon-type vulnerability within Microsoft Exchange servers, many backdoors were attempted to be deployed into IIS web servers, and one of such backdoors was discovered in early 2022 dubbed as SessionManager. This backdoor was observed to be triggered by seemingly non-malicious, legitimate albeit specially crafted HTTP request from the threat actors. 

The capabilities of SessionManager include ability to read, write and delete arbitrary files on the targeted servers, perform remote command executions on compromised servers, and establishing connections to network endpoints that are reachable by the compromised servers, and further compromising those endpoints. The backdoor has also been updated through several versions with addition of defense evasion capabilities incorporated by implementing XOR key encoding on the values sent from SessionManager to the threat actors. 

In post-deployment scenarios, SessionManager has been observed to gather in-memory passwords and deploy additional tools such as Avast memory dump tool with the intention to read the memory of LSASS process, which provides access to collect authentication secrets on the compromised servers. SessionManager also attempts to avoid detection through command execution obfuscation by leveraging custom python scripts.


Attack Surfaces:
Web Application

Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Exfiltration, Impact, Initial Access

Drive-by Compromise, Deobfuscate/Decode Files or Information, Indirect Command Execution, Credentials from Password Stores, Network Service Discovery, Data from Local System, Exfiltration Over C2 Channel, Data Manipulation, Application Layer Protocol

Active Defense Tactics:
Detect, Disrupt

Active Defense Techniques:
Baseline, Isolation, Network Manipulation, Network Monitoring, Security Controls, Software Manipulation, System Activity Monitoring

Indicator of Compromise:

SuperPRO’s Threat Countermeasures Procedures: 
1. To add the IOC signature into endpoint security protection as the custom threat detection rules. Refer to the provided IOC above to create a custom rule to block the respective File Hashes and Hostname, if necessary 
2. To actively monitor loaded IIS modules instances by using IIS Manager GUI or IIS appcmd command line to look for malicious modules 
3. To stop the IIS Server if malicious instances are found, and if possible disconnect the underlying system from public network access 
4. To use IIS Manager or the appcmd command tool, remove every malicious modules from apps and server configurations 
5. To update the IIS server to the latest version to avoid ProxyLogon-type vulnerability exploitations

Contributed by:  Izzy

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>