SessionManager is a malicious IIS module deployed by threat actors to create persistent access to a victim server. Malicious modules are often used to analyze incoming HTTP requests for specially crafted parameters in the HTTP header, while transparently passing on the request to the server to be processed like any other HTTP request. Such methods can make these modules very difficult to detect.
SessionManager is able to read, write, and delete arbitrary files on a compromised server, execute arbitrary binaries on a compromised server, and establish connections to arbitrary servers. Samples collected by Kaspersky indicate that SessionManager is under continuous development, based on compile dates found across the samples.
Command and Control (C2) is accomplished via HTTP request. The IIS module watches HTTP requests as they arrive; if a specially crafted cookie name is found in the request, SessionManager will activate and perform whatever function is associated with the value of that cookie name. For example, in the case of SM_SESSION=CMD, SM_SESSION is the cookie name, and the CMD value allows the malware operator to execute arbitrary commands provided in the HTTP request body using the format: <executable path>t<arguments>.
Once deployed, SessionManager is leveraged by operators to further profile the targeted environment, gather in-memory passwords and deploy additional tools. Additional tools loaded by SessionManager include a PowerSploit-based reflective loader for the Mimikatz DLL, Mimikatz SSP, ProcDump, and a memory dump tool from Avast which the operators use to attempt to read LSASS memory spaces for credential harvesting.
The first step for an organization to take to defend itself from SessionManager is ensuring that all Microsoft Exchange servers are up to date on the latest patches from Microsoft, as vulnerable Exchange Servers are the primary method used for the initial access needed to install SessionManager.
Systems administrators should audit all IIS modules, especially in environments that have suffered a ProxyLogon-based breach in the past. Auditing modules can be done by using the IIS Manager GUI or the IIS appcmd command line. If a malicious IIS module is discovered, Kaspersky researchers recommend the following:
• Take a volatile memory snapshot on the currently running system where IIS is executed. Request assistance from forensics and incident response experts if required.
• Stop the IIS server, and ideally disconnect the underlying system from publicly reachable networks.
• Back up all files and logs from the IIS environment, to retain data for further incident response. Check that the backups can be opened or extracted successfully.
• Using IIS Manager or the appcmd command tool, remove every reference of the identified module from apps and server configurations. Manually review associated IIS XML configuration files to make sure any reference to the malicious modules have been removed – manually remove the references in XML files otherwise.
• Update the IIS server and underlying operating system to make sure no known vulnerabilities remain exposed to attackers.
• Restart the IIS server and bring the system online again.