Executive Summary
Kaspersky recently reported on SessionManager, a difficult to detect backdoor targeting governments and NGOs in multiple countries.
Key Takeaways
- SessionManager is a difficult to detect backdoor written in C++.
- SessionManager has targeted multiple organizations in Asia, Europe, South America, and the Middle East.
- Kaspersky has tentatively attributed SessionManager to the Gelsemium threat actor group.
What is SessionManager?
SessionManager, active since at least March 2021, is a backdoor written in C++ and primarily targets governments and NGOs in multiple regions. Victims include 24 organizations in Argentina, Armenia, China, Djibouti, Equatorial Guinea, Eswatini, Hong Kong, Indonesia, Kenya, Kuwait, Malaysia, Nigeria, Pakistan, Poland, Russia, Saudi Arabia, Taiwan, Thailand, Turkey, UK, and Vietnam. Entities in other verticals were also targeted, including those in the military, medical, oil and gas, electricity, shipbuilding, sales, and transportation verticals.
According to Kaspersky, SessionManager was set up as a malicious module in Internet Information Services (IIS), a popular web server. SessionManager is loaded by some IIS applications to process HTTP requests. SessionManager relies on seemingly legitimate HTTP requests crafted by the threat actors to trigger actions. Since the module obscures malicious activity, it allows the activity to evade detection.
Kaspersky analyzed four SessionManger variants. SessionManager allows a threat actor to maintain persistent, update-resistant, stealth access to a victim’s infrastructure. It gives threat actors a wide range of capabilities, including reading and writing arbitrary files, remote code execution, establishing connections to arbitrary network endpoints, stealing emails, installing additional payloads, and obtaining complete control over a victim’s infrastructure.
According to Kaspersky, approximately 90 percent of the organizations infected with SessionManager are still compromised. SessionManager is notoriously difficult to detect. Based on victim targeting and the use of OwlProxy, Kaspersky has tentatively attributed SessionManager activity to the threat actor group known as Gelsemium and notes SessionManager may be actively used by other threat actors as well.
Who is Gelsemium?
According to ESET, Gelsemium is an espionage-focused threat actor group active since at least 2014. Gelsemium’s past targets have included governments, religious organizations, universities, and electronics manufacturers in East Asia and the Middle East. ESET attributed the Operation Nightscout BigNox supply chain attacks to Gelsemium. Gelsemium was also responsible for Operation TooHash. Gelsemium TTPs include Cohhoc RAT, spearphishing, maldocs, exploiting CVE-2012-0158, Directsx rootkit, watering hole attacks, China Chopper, Mimikatz, Gelsemine dropper, Gelsenicine loader, Gelsevirine plugin, OwlProxy, Chrommme backdoor, and others.
IOCs
PolySwarm has multiple samples of SessionManager.
500905187d6b2d387fed36c8a1a51f8a2d58ebcb0829c81cea81ad08d3d35686
2a0b83c316219ed8c7ce1d14edf09794fa76a71cb04348d2a332991f3fceab2b
40de45ea45d352703a19c4a5b07013c5e748d831e9f67111a776566463c0fbd3
4ba880c1080b2bb71989b267576f145fe5500a5672f73750bfcefb72a3d4c651
You can use the following CLI command to search for all SessionManager samples in our portal:
$ polyswarm link list -f SessionManager
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports