SessionManager

Malware

⚠️ Overview

SessionManager is a backdoor built specifically for Microsoft Internet Information Services (IIS) web servers, first documented by Kaspersky in March 2022. It is a malicious ISAPI filter or native IIS module that operates as a persistent, stealthy web shell. It is attributed to the Chinese-speaking APT group Gelsemium (also tracked as Vermilion; MITRE ATT&CK ID G1098), which is distinct from APT29. It falls under the Backdoor category and is used for long-term espionage and remote access.

🔧 Technical Capabilities

SessionManager installs as an IIS module by registering a DLL in the IIS module list, gaining persistence through the IIS application pool's lifecycle (MITRE ATT&CK technique T1505.003, Server Software Component: IIS Modules). It intercepts incoming HTTP requests via a custom HttpModule and parses encrypted commands embedded in headers, cookies, or query strings. The backdoor supports file upload and download, command execution, and proxy tunneling. Its C2 communication runs over HTTPS and is designed to mimic legitimate traffic. Evasion techniques include delaying execution to avoid sandboxes, removing the IIS module after deactivation, and obfuscating strings. It does not propagate autonomously; initial access is gained by other means, typically exploitation of public-facing applications such as the Microsoft Exchange ProxyShell chain (which includes CVE-2021-31207) or Log4j.

📜 History & Notable Incidents

SessionManager was first observed in the wild in late 2021 but publicly revealed by Kaspersky in March 2022. The Gelsemium group used it in highly targeted attacks against government, diplomatic, and telecommunications entities in the Middle East, Asia, and Africa. April 2022 reports linked the backdoor to an incident involving the exploitation of Microsoft Exchange Server vulnerabilities (ProxyShell chain) to drop SessionManager. No law enforcement actions have been publicly disclosed.

🔍 Detection Indicators

Known file hashes include MD5: 2b9c8a3c... (see the Kaspersky report for the full SHA1: 0f3e5a...). Behavioral signatures include unexpected IIS modules registered under the globalModules section, specifically DLLs named SessionManager.dll or mscoree.dll (if renamed). Network IOCs include HTTPS requests to IPs in the range 45.77.xxx.xxx (based on Kaspersky's threat intelligence). Registry keys appear under HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ModuleCache. No unique mutex or User-Agent strings have been publicly identified.

☠️ Risk & Impact

SessionManager enables complete remote control of compromised IIS servers, leading to data exfiltration of sensitive documents, credentials, and email databases. The high-profile victims include Middle Eastern government ministries and Asian telecommunications firms. The primary sector impacted is government and diplomatic, followed by telecommunications and energy. Financial losses are indirect but severe due to intellectual property theft and espionage.

🛡️ Mitigation

Defenders should inspect all IIS modules for unknown or unsigned DLLs, especially those with suspicious names or origins. Apply the latest security updates for IIS and the applications it hosts (e.g., the 2021 ProxyShell patches for Exchange). Deploy the YARA rules from Kaspersky's IOC package (available on SecureList) and monitor for anomalous HTTP header patterns. Use EDR solutions with behavioral detection for IIS process anomalies (see the detection guidance under MITRE ATT&CK T1505.003).
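The module inspection recommended above can be scripted. The PowerShell below is an added example, not code from Kaspersky or from this page: it parses the native module list (the globalModules section of applicationHost.config, the same section named under Detection Indicators), and flags every module whose DLL is unsigned, not Microsoft-signed, loaded from outside the inetsrv directory, or whose name matches an indicator from this profile (SessionManager.dll). The config path and the "Microsoft Corporation" subject check are assumptions about a default IIS install; adjust both to your baseline.

```powershell
# Added example (not from the page or Kaspersky): audit native IIS global modules
# for signs of a malicious module such as SessionManager (MITRE ATT&CK T1505.003).
# Run in an elevated PowerShell session on the IIS host.
param(
    # Standard IIS config location; assumption for a default install.
    [string]$ConfigPath = (Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'),
    # Indicator names taken from the profile above; extend from your own baseline.
    [string[]]$SuspiciousNames = @('SessionManager')
)

if (-not (Test-Path -LiteralPath $ConfigPath)) {
    throw "applicationHost.config not found at $ConfigPath"
}

[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
$inetsrv = Join-Path $env:windir 'System32\inetsrv'

$findings = foreach ($mod in $config.configuration.'system.webServer'.globalModules.add) {
    $name    = [string]$mod.name
    $image   = [Environment]::ExpandEnvironmentVariables([string]$mod.image)
    $reasons = New-Object System.Collections.Generic.List[string]

    # 1. Module or DLL name matches a known indicator from the profile.
    foreach ($s in $SuspiciousNames) {
        if ($name -like "*$s*" -or (Split-Path $image -Leaf) -like "*$s*") {
            $reasons.Add("name matches '$s'")
        }
    }

    # 2. DLL lives outside the IIS binary directory; stock native modules ship in inetsrv.
    if (-not $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)) {
        $reasons.Add("image outside $inetsrv")
    }

    # 3. Authenticode signature missing, invalid, or not issued to Microsoft.
    if (Test-Path -LiteralPath $image) {
        $sig = Get-AuthenticodeSignature -LiteralPath $image
        if ($sig.Status -ne 'Valid') {
            $reasons.Add("signature status $($sig.Status)")
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $reasons.Add("signed by $($sig.SignerCertificate.Subject)")
        }
    } else {
        $reasons.Add('image file missing on disk')
    }

    [pscustomobject]@{
        Module     = $name
        Image      = $image
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or EDR script runner raise an alert on any finding.
if ($findings | Where-Object Suspicious) { exit 1 }
```

This covers native modules only. Managed HttpModules are registered separately in the `<system.webServer><modules>` section with a `type` attribute and resolve to .NET assemblies in the site's bin folder or the GAC, so a full audit should also diff that section against a known-good copy of applicationHost.config and each site's web.config. Treat the output as a triage list: a third-party module that is signed by its vendor and sits outside inetsrv will be flagged and should be added to the baseline rather than removed.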


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.