Microsoft Exchange servers hit with new ‘stealthy’ backdoor

1 Jul 2022

Image: © wachiwit/

Kaspersky said the SessionManager malware is hard to detect and is still deployed in more than 90pc of targeted organisations.

A new malware has been detected that has been used to backdoor Microsoft Exchange servers belonging to government and other organisations around the world, according to Kaspersky Lab.

The Russian cybersecurity provider said this backdoor lets threat actors keep persistent, update-resistant and “stealth” access to the IT infrastructure of a targeted organisation.

Kaspersky researchers first detected the malware, named SessionManager, in early 2022 as a malicious module for Microsoft’s Internet Information Services (IIS).

They said the malware has a poor detection rate, as some of the backdoor samples had not been flagged as malicious by some of the most popular online file scanning services.

Once the backdoor is in a victim’s system, Kaspersky said it can be used to gain access to company emails, install other types of malware or subtly manage the compromised servers, which can be used as malicious infrastructure for the cyberattacker.

The cybersecurity provider said it found 24 organisations from Europe, the Middle East, south Asia and Africa that have been compromised by SessionManager.

The threat actor behind the malware has shown a “special interest” in NGOs and government entities, it added, but medical organisations, oil companies, transportation companies and other groups have also been targeted.

A map of the world with some countries highlighted in green. Used to represent where organisations have been targeted by the SessionManager malware.

Map of organisations targeted by SessionManager. Image: Kaspersky Labs

“To date, SessionManager is still deployed in more than 90pc of targeted organisations according to an internet scan carried out by Kaspersky researchers,” the Russian company said in a blogpost yesterday (30 June).

Kaspersky shared recommended ways for organisations to protect themselves, such as conducting regular checks of loaded ISS modules, using endpoint security services and having a focused defence strategy to detect lateral movements and data exfiltration.

Pierre Delcher, a senior security researcher at Kaspersky, said the exploitation of exchange server vulnerabilities has become a “favourite” for cybercriminals looking to get into targeted infrastructure.

“In the case of Exchange servers, we cannot stress it enough, the past-year’s vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already.”

Kaspersky Lab took a hit earlier this year when it was designated a national security threat by the US Federal Communications Commission. This designation prevents US businesses from using federal subsidies to purchase products or services from the company.

“This decision is not based on any technical assessment of Kaspersky products – that the company continuously advocates for – but instead is being made on political grounds,” the company said in a statement at the time.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic