SessionManager Detection: Newly Discovered Backdoor Allows for RCE

SessionManager backdoor first surfaced around Spring 2021, targeting Microsoft IIS Servers. The malware samples were first investigated only in early 2022.

The recently exposed backdoor has affected more than 20 governmental and non-governmental entities across Africa, South Asia, South America, the Middle East, and Europe. Security researchers speculate that some artifacts indicate that the attacks may be initiated by Gelsemium APT.

The backdoor exploits one of the ProxyLogon security holes in Exchange servers and disguises itself as a module for Internet Information Services (IIS), a web server application for Windows PCs.

Detect SessionManager

SOC Prime’s platform curates the near real-time delivery of unique detection content addressing emerging threats to enable their timely detection. Utilize the dedicated Sigma rule crafted by our keen Threat Bounty Program developer, Kaan Yeniyol, to identify whether your system was compromised by a novel SessionManager backdoor:

Possible SessionManager IIS backdoor (June 2022) by Detections of Associated Files (via file_event)

By joining the ranks of the Threat Bounty Program, individual researchers and threat hunters can make their own contributions to collaborative cyber defense.

The detection rule above is aligned with the MITRE ATT&CK® framework v.10, addressing the Execution tactic represented by the User Execution (T1204) technique, and can be used across 25 SIEM, EDR, and XDR platforms.

Make sure to sign up or log into the SOC Prime’s platform with your active account to explore other curated Sigma and YARA rules within the vast library of detection content. Click the Detect & Hunt button to learn more. 

Detect & Hunt Explore Threat Context

SessionManager Description

Coded in C++, SessionManager is a persistent initial access backdoor that enables attackers to manage files, run binaries from the server, drop malicious payloads, and access other endpoints in the compromised network while remaining undetected.

Once installed by IIS applications (required to handle the HTTP requests that are sent to the server), the SessionManager module processes HTTP requests from the hackers, executes the hidden instructions, and then passes them to the server to be processed like legitimate operations. According to the research data, the backdoor has been modified through numerous iterations, enhanced with sophisticated defensive evasion capabilities.

With the attacks becoming more sophisticated, leaving businesses vulnerable to data loss, it is crucial to invest time and resources in maturing your company’s cybersecurity posture. InfoSeC professionals are welcomed to join SOC Prime’s Detection as Code platform to detect the latest threats in your security environment, improve your log source and MITRE ATT&CK coverage, and enhance your organization’s ROI for cybersecurity.