SessionManager is a malicious IIS module deployed by threat actors to create persistent access to a victim server. Malicious modules are often used to analyze incoming HTTP requests for specially crafted parameters in the HTTP header, while transparently passing on the request to the server to be processed like any other HTTP request. Such methods can make these modules very difficult to detect.
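Because a native IIS module is registered in applicationHost.config, one defender-side check is to inventory the `<globalModules>` entries and flag any whose DLL is not loaded from the standard inetsrv directory. The following audit script is an added example, not code from the original report or from Kaspersky; the config snippet is constructed, and the module name `SessionModule` and path `C:\Windows\Temp\sessmod.dll` are placeholders rather than known SessionManager artefacts.

```python
"""Audit the <globalModules> section of an IIS applicationHost.config and flag
native modules whose image lives outside %windir%\\System32\\inetsrv.
Added illustration; the config below is constructed sample data."""
import ntpath
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample: two stock IIS modules plus one hypothetical out-of-place entry.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="SessionModule" image="C:\\Windows\\Temp\\sessmod.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directory (case-insensitive) where stock native IIS modules are installed.
EXPECTED_MODULE_DIR = r"\system32\inetsrv"


def list_global_modules(config_xml: str) -> List[Tuple[str, str]]:
    """Return (name, image) pairs for every native module registered globally."""
    root = ET.fromstring(config_xml)
    mods = root.find("./system.webServer/globalModules")
    if mods is None:
        return []
    return [(m.get("name", ""), m.get("image", "")) for m in mods.findall("add")]


def suspicious_modules(config_xml: str) -> List[Tuple[str, str]]:
    """Return modules whose DLL directory does not end in \\System32\\inetsrv.

    Both the %windir% form and an expanded C:\\Windows form are accepted,
    since the check only looks at the trailing directory components.
    """
    findings = []
    for name, image in list_global_modules(config_xml):
        directory = ntpath.dirname(image.replace("/", "\\")).lower()
        if not directory.endswith(EXPECTED_MODULE_DIR):
            findings.append((name, image))
    return findings


if __name__ == "__main__":
    for name, image in suspicious_modules(SAMPLE_CONFIG):
        print(f"[!] native module outside inetsrv: {name} -> {image}")
```

On a live server the same function can be pointed at `%windir%\System32\inetsrv\config\applicationHost.config`; an entry outside inetsrv is not proof of compromise, but it is the first thing to cross-check against change records and the DLL's signature.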
SessionManager is able to read, write, and delete arbitrary files on a compromised server, execute arbitrary binaries on a compromised server, and establish connections to arbitrary servers. Samples collected by Kaspersky indicate that SessionManager is under continuous development, based on compile dates found across the samples.
Command and control (C2) is accomplished via HTTP requests. The IIS module inspects each HTTP request as it arrives; if a specially crafted cookie name is present, SessionManager activates and performs the function associated with that cookie's value. For example, with SM_SESSION=CMD, SM_SESSION is the cookie name and the CMD value instructs the malware to execute arbitrary commands supplied in the HTTP request body, using the format: <executable path>\t<arguments>.
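The cookie-name trigger described above is also the most direct detection hook: any request carrying the SM_SESSION cookie name is anomalous regardless of its value. The following detector is an added example, not code from the original report; it parses raw HTTP requests (constructed samples, taken from a reverse proxy or full-request capture in practice) and, for the CMD mode, splits the body on the tab separator stated in the text to enrich the alert. The executable path and argument in the trigger sample are placeholders.

```python
"""Flag HTTP requests that carry the SM_SESSION cookie name.
Added detection example; the two requests below are constructed samples."""
from typing import Dict, List, Optional, Tuple

TRIGGER_COOKIE = "SM_SESSION"   # cookie name stated in the report
CMD_MODE = "CMD"                # value that selects command execution

# Constructed sample requests: one ordinary session cookie, one with the trigger.
BENIGN_REQUEST = "\r\n".join([
    "GET /owa/ HTTP/1.1",
    "Host: mail.example.test",
    "Cookie: ASP.NET_SessionId=abc123; theme=dark",
]) + "\r\n\r\n"

TRIGGER_REQUEST = "\r\n".join([
    "POST /owa/ HTTP/1.1",
    "Host: mail.example.test",
    "Cookie: ASP.NET_SessionId=abc123; SM_SESSION=CMD",
    "Content-Type: application/octet-stream",
]) + "\r\n\r\n" + "C:\\path\\to\\tool.exe\t--example"   # placeholder body

SAMPLE_REQUESTS = [BENIGN_REQUEST, TRIGGER_REQUEST]


def parse_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP request into (request line, lowercase header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_cookies(header_value: str) -> Dict[str, str]:
    """Parse a Cookie header value ('a=1; b=2') into a name -> value map."""
    cookies: Dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def inspect_request(raw: str) -> Optional[dict]:
    """Return an alert dict if the trigger cookie is present, otherwise None."""
    request_line, headers, body = parse_request(raw)
    cookies = parse_cookies(headers.get("cookie", ""))
    if TRIGGER_COOKIE not in cookies:
        return None
    alert = {"request": request_line, "mode": cookies[TRIGGER_COOKIE]}
    if alert["mode"] == CMD_MODE:
        # Body format per the report: <executable path>\t<arguments>
        executable, _, arguments = body.partition("\t")
        alert["executable"] = executable.strip()
        alert["arguments"] = arguments.strip()
    return alert


def scan_requests(requests: List[str]) -> List[dict]:
    """Run inspect_request over a batch and keep only the hits."""
    return [a for a in (inspect_request(r) for r in requests) if a is not None]


if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print("[!] SessionManager trigger cookie:", alert)
```

Note that default IIS W3C logs do not record the Cookie header, so this check needs a capture point that sees full headers (a reverse proxy, a WAF log, or IIS logging configured to include the cs(Cookie) field); matching on the cookie name rather than the value catches every mode the module supports.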
Once deployed, SessionManager is leveraged by operators to further profile the targeted environment, gather in-memory passwords, and deploy additional tools. Additional tools loaded by SessionManager include a PowerSploit-based reflective loader for the Mimikatz DLL, Mimikatz SSP, ProcDump, and a memory dump tool from Avast, which the operators use to attempt to read LSASS memory for credential harvesting.