Kaspersky recently reported on SessionManager, a difficult to detect backdoor targeting governments and NGOs in multiple countries.
- SessionManager is a difficult to detect backdoor written in C++.
- SessionManager has targeted multiple organizations in Asia, Europe, South America, and the Middle East.
- Kaspersky has tentatively attributed SessionManager to the Gelsemium threat actor group.
SessionManager, active since at least March 2021, is a backdoor written in C++ and primarily targets governments and NGOs in multiple regions. Victims include 24 organizations in Argentina, Armenia, China, Djibouti, Equatorial Guinea, Eswatini, Hong Kong, Indonesia, Kenya, Kuwait, Malaysia, Nigeria, Pakistan, Poland, Russia, Saudi Arabia, Taiwan, Thailand, Turkey, UK, and Vietnam. Entities in other verticals were also targeted, including those in the military, medical, oil and gas, electricity, shipbuilding, sales, and transportation verticals.
According to Kaspersky, SessionManager was set up as a malicious module in Internet Information Services (IIS), a popular web server. SessionManager is loaded by some IIS applications to process HTTP requests. SessionManager relies on seemingly legitimate HTTP requests crafted by the threat actors to trigger actions. Since the module obscures malicious activity, it allows the activity to evade detection.
Kaspersky analyzed four SessionManger variants. SessionManager allows a threat actor to maintain persistent, update-resistant, stealth access to a victim’s infrastructure. It gives threat actors a wide range of capabilities, including reading and writing arbitrary files, remote code execution, establishing connections to arbitrary network endpoints, stealing emails, installing additional payloads, and obtaining complete control over a victim’s infrastructure.
According to Kaspersky, approximately 90 percent of the organizations infected with SessionManager are still compromised. SessionManager is notoriously difficult to detect. Based on victim targeting and the use of OwlProxy, Kaspersky has tentatively attributed SessionManager activity to the threat actor group known as Gelsemium and notes SessionManager may be actively used by other threat actors as well.
Who is Gelsemium?
According to ESET, Gelsemium is an espionage-focused threat actor group active since at least 2014. Gelsemium’s past targets have included governments, religious organizations, universities, and electronics manufacturers in East Asia and the Middle East. ESET attributed the Operation Nightscout BigNox supply chain attacks to Gelsemium. Gelsemium was also responsible for Operation TooHash. Gelsemium TTPs include Cohhoc RAT, spearphishing, maldocs, exploiting CVE-2012-0158, Directsx rootkit, watering hole attacks, China Chopper, Mimikatz, Gelsemine dropper, Gelsenicine loader, Gelsevirine plugin, OwlProxy, Chrommme backdoor, and others.
PolySwarm has multiple samples of SessionManager.
You can use the following CLI command to search for all SessionManager samples in our portal:
$ polyswarm link list -f SessionManager
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at firstname.lastname@example.org | Check out our blog | Subscribe to our reports