The SessionManager backdoor allows threat actors to maintain persistent, update-resistant, and fairly stealthy access to a targeted organization's IT infrastructure. Once inside a victim's system, the cybercriminals behind the backdoor can gain access to company emails, extend their access by installing other types of malware, or surreptitiously manage the compromised servers, which can then be leveraged as malicious infrastructure.
SessionManager has been used in the wild without being detected since at least March 2021, right after the start of last year's massive wave of ProxyLogon attacks. Implementing a backdoor within IIS is a growing trend among threat actors. The backdoor has affected government institutions and NGOs around the world, with victims in eight countries across the Middle East, Turkey and Africa, including Kuwait, Saudi Arabia, Nigeria, Kenya and Turkey.
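Because a backdoor "within IIS" is typically delivered as an extra native module, one defensive check is to audit the server's module registration against a known baseline. The script below is an added example written for this page, not code from the original article or from any vendor report; it assumes the module is registered under `<globalModules>` in `applicationHost.config` and that legitimate native modules live under `%windir%\System32\inetsrv`. The configuration excerpt, module names and DLL paths it parses are constructed placeholders, not indicators from any real incident.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample of the <globalModules> section of an IIS applicationHost.config.
# The third entry is a hypothetical module registered outside the stock inetsrv
# directory; its name and path are placeholders, not real indicators of compromise.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="ExampleSuspectModule" image="C:\\inetpub\\temp\\example_unknown.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directory that stock IIS native modules ship in (after %windir% expansion).
STOCK_MODULE_DIR = PureWindowsPath(r"C:\Windows\System32\inetsrv")


def expand_windir(image: str, windir: str = r"C:\Windows") -> PureWindowsPath:
    """Expand the %windir% variable the way IIS does, then normalise as a Windows path."""
    return PureWindowsPath(image.replace("%windir%", windir))


def find_nonstock_modules(config_xml: str, allowlist=frozenset()) -> list[dict]:
    """Return every <globalModules><add> entry whose DLL is not in the stock inetsrv
    directory and whose name is not on the operator-maintained allowlist.

    Comparing the expanded parent directory (not the module name) also catches a
    module that reuses a legitimate-looking name but points at a DLL elsewhere.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            name = add.get("name", "")
            image_path = expand_windir(add.get("image", ""))
            # PureWindowsPath compares case-insensitively, matching NTFS semantics.
            in_stock_dir = image_path.parent == STOCK_MODULE_DIR
            if name in allowlist or in_stock_dir:
                continue
            findings.append({"name": name, "image": str(image_path)})
    return findings


if __name__ == "__main__":
    # On a real host you would read %windir%\System32\inetsrv\config\applicationHost.config
    # instead of the constructed sample, and feed the hits into your triage process.
    for hit in find_nonstock_modules(SAMPLE_CONFIG):
        print(f"non-stock native module: {hit['name']} -> {hit['image']}")
```

The allowlist exists so that genuine third-party modules (for example a vendor's URL rewriter installed under its own program directory) can be accepted once reviewed; anything else outside `inetsrv` is worth checking for a valid signature, a known publisher and an installation date that matches a change record.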