2 years, 9 months ago

Microsoft Exchange Servers Hit by Malware SessionManager Masquerading as IIS Module

Researchers have discovered stealthy malware that threat actors have been using for the past 15 months to backdoor Microsoft Exchange servers after compromising them. The malicious software, called SessionManager, poses as a legitimate module for Internet Information Services (IIS), the web server installed by default on Exchange servers. Kaspersky researcher Pierre Delcher wrote that such malicious modules typically expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators' hidden instructions, if any, and then transparently pass the request to the server for processing in the same manner as any other request. As reported, SessionManager is deployed after threat actors have taken advantage of the ProxyLogon vulnerabilities in Microsoft Exchange servers.
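Because a backdoor of this kind has to be registered as an IIS module to see requests, one defensive check is to audit the native modules listed in the server's `applicationHost.config`. The sketch below is an added example, not code from the article or from Kaspersky; the sample configuration, the module name `ExampleModule`, the assumed Windows directory and the list of expected directories are all constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

# Assumption: Windows is installed in C:\Windows on the audited server.
WINDIR = r"c:\windows"
# Assumption: directories where stock IIS / .NET native modules normally live.
EXPECTED_DIRS = (WINDIR + r"\system32\inetsrv" + "\\",
                 WINDIR + r"\microsoft.net" + "\\")

# Constructed sample of the <globalModules> section (not from a real server).
SAMPLE_CONFIG = r"""
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="ExampleModule" image="C:\inetpub\temp\example.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

def normalise(image):
    """Lower-case the path, expand %windir%/%SystemRoot%, collapse '..' parts."""
    path = ntpath.normcase(image.strip())
    for var in ("%windir%", "%systemroot%"):
        path = path.replace(var, WINDIR)
    return ntpath.normpath(path)

def modules_to_review(config_xml):
    """Return (name, image) for native modules loaded from unexpected paths."""
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            image = entry.get("image", "")
            if not normalise(image).startswith(EXPECTED_DIRS):
                findings.append((entry.get("name", ""), image))
    return findings

if __name__ == "__main__":
    for name, image in modules_to_review(SAMPLE_CONFIG):
        print(f"review: {name} -> {image}")
```

The output is a review list, not a verdict: products such as Exchange register their own native modules outside these directories, and a module that masquerades as a genuine one can also sit inside them, so each entry still needs its file signature and origin checked.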