
SESSIONHUNTER: New .NET Malware Suite Targets IIS Servers to Steal Session Cookies and Credentials
By CyberDudeBivash • October 01, 2025, 05:45 PM IST • Malware Analysis & Threat Report
Our threat intelligence team is tracking a stealthy malware suite, written in .NET, that we have codenamed **"SessionHunter"**. It is built to target Microsoft Internet Information Services (IIS) web servers and runs not as a separate process but as an IIS module loaded directly into the IIS worker process, `w3wp.exe`. Its primary function is to act as a digital wiretap, silently intercepting user credentials and session cookies in real time as they flow through the server. Because it lives inside a legitimate, trusted process rather than running as its own executable, SessionHunter evades signature-based antivirus and can operate undetected for long periods. This is a deep-dive analysis of the malware's architecture, its attack chain, and the detection and mitigation strategies security professionals need.
Disclosure: This is a technical threat analysis for incident responders, SOC analysts, and Windows server administrators. It contains affiliate links to relevant security solutions. Your support helps fund our independent research.
Recommended by CyberDudeBivash — The Secure Server Stack
- Kaspersky Endpoint Security for Windows Server — Essential for detecting the malicious behavior of in-memory threats like SessionHunter.
- Edureka’s Certified Ethical Hacker (CEH) Course — Learn how attackers build and deploy custom malware for web servers.
Suspect an IIS Compromise? Need an IR Team?
Hire CyberDudeBivash for malware analysis and corporate incident response.
Threat Report: Table of Contents
- Chapter 1: The Rise of .NET Web Server Malware
- Chapter 2: Threat Analysis — How SessionHunter Becomes Part of IIS
- Chapter 3: The Defender’s Playbook — Hunting for Malicious IIS Modules
- Chapter 4: The Strategic Response — A Zero Trust Approach to Server Security
- Chapter 5: FAQ & Indicators of Compromise (IOCs)
Chapter 1: The Rise of .NET Web Server Malware
.NET is a natural choice for malware aimed at Windows servers. The runtime is already present on every Windows Server that hosts ASP.NET, so a malicious managed assembly needs no extra dependencies, and an IIS module written against the same extensibility APIs that legitimate modules use is hard to tell apart from a vendor or in-house component. Registration is done with the operating system's own tooling (`appcmd.exe`, IIS Manager, or an edit to `web.config`), which is the "living off the land" part of the technique: the only custom artifact on disk is the DLL itself. That combination lets the malware slip past basic security controls and operate with a high degree of stealth.
Chapter 2: Threat Analysis — How SessionHunter Becomes Part of IIS
SessionHunter is a post-exploitation payload. The attacker must first gain a foothold on the server, typically through an unpatched vulnerability in an application hosted on that IIS instance (the **ProxyLogon** chain against Exchange is the canonical example) or by brute-forcing RDP passwords. Registering a server-wide module requires administrative rights, because it rewrites `applicationHost.config`. Note, however, that a managed module can also be registered for a single site from that site's `web.config`, so write access to a web root (a file-upload flaw, a web shell, or leaked deployment credentials) is enough to plant a site-scoped variant.
The Installation and Execution Flow
- **Installation:** Once on the server, the attacker registers the malicious DLL (`SessionHunter.dll`) as a module for the entire web server using the legitimate IIS command-line tool `appcmd.exe`:
`appcmd.exe install module /name:IIS-Session-Manager /image:"%windir%\System32\inetsrv\SessionHunter.dll"`
This command rewrites the server-wide `applicationHost.config`, adding the DLL under `<globalModules>` and enabling it under `<modules>`, so IIS loads it into every worker process at startup. Note that `appcmd install module` registers a *native* module: IIS loads the image with `LoadLibrary` and calls its exported `RegisterModule` function. A module whose logic is written in managed .NET code is instead registered with `appcmd add module /name:<name> /type:<Namespace.ClassName>` (or an equivalent `<modules><add>` entry in `web.config`) after the assembly is placed in the GAC or the site's `bin` directory; a pure .NET assembly handed to `install module` will not load. Attackers use both forms, and the audit in Chapter 3 has to cover both.
- **Hooking the Request Pipeline:** The module subscribes to events in the IIS request pipeline. A managed module implements `IHttpModule` and attaches handlers to `HttpApplication` events such as `BeginRequest`, which fires before the application's own code runs, and `PostLogRequest`, which fires after the response has been produced; the native equivalents are the `CHttpModule` callbacks `OnBeginRequest` and `OnPostLogRequest`.
- **Credential Theft:** When a user submits a login form (an HTTP POST), the `BeginRequest` handler fires. It reads the request body from memory, parses the form fields, and extracts any parameter named `username`, `password`, `pass`, or similar. This happens before the application's authentication code runs, so the application has no opportunity to notice.
- **Session Hijacking:** When the application authenticates the user and builds its response, the `PostLogRequest` handler fires. It inspects the response headers for `Set-Cookie` headers carrying session identifiers (the standard ASP.NET names `ASP.NET_SessionId` and `.ASPXAUTH`, plus whatever the application itself issues). Because the cookie is read server-side, the `Secure` and `HttpOnly` flags offer no protection here.
- **Covert Exfiltration:** The stolen credentials and cookies are encrypted and staged locally, then exfiltrated slowly over time, disguised inside protocols the server is already permitted to use. A common method is **DNS tunneling**: the data is encoded into the subdomain labels of lookups for an attacker-controlled zone, so the server's own resolver forwards it outbound even on hosts that are blocked from making direct internet connections.
Chapter 3: The Defender’s Playbook — Hunting for Malicious IIS Modules
Detecting an in-memory threat like SessionHunter requires moving beyond traditional file scanning.
Step 1: Audit Your IIS Modules
This is your most direct check. Open an elevated command prompt on the IIS server and run: `%windir%\system32\inetsrv\appcmd.exe list modules`
This lists every module enabled at the server level, managed and native alike, but shows only the names. To see the on-disk image behind each native module, also run `%windir%\system32\inetsrv\appcmd.exe list config /section:system.webServer/globalModules`, and remember that a managed module registered only in a site's `web.config` does not appear in the server-level list: run `appcmd.exe list modules /app.name:"<site name>/"` for each site, or inspect each site's `web.config` for a `<modules>` section. Scrutinize the result. Do you recognize every module? Compare it against a known-good baseline taken from a clean server built from the same image. Any unfamiliar name, any image outside `%windir%\System32\inetsrv`, and any unsigned DLL is a red flag that demands immediate investigation.
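The audit above, scripted so it can be repeated and run against a copy of the configuration. This is an added example, not code from the original report or from the malware: it parses `applicationHost.config` directly, covering both native `<globalModules>` entries and managed `<modules>` entries, and compares the result against a baseline list you supply. The baseline, the sample configuration and the module names in it are constructed for illustration.

```powershell
# Added example (not code from the original report): inventory every IIS module
# registration in an applicationHost.config, then flag entries that are missing
# from a known-good baseline, whose native image sits outside the IIS directory,
# or whose image file is missing or unsigned. It parses the XML directly, so it
# also works on a config file copied off a suspect host. The baseline list and
# the sample config at the bottom are constructed for illustration.

function Get-IISModuleInventory {
    param([Parameter(Mandatory)][xml]$Config)

    # <globalModules> holds native modules: name -> DLL path.
    $nativeImage = @{}
    foreach ($g in $Config.SelectNodes('//globalModules/add')) {
        $nativeImage[$g.GetAttribute('name')] =
            [Environment]::ExpandEnvironmentVariables($g.GetAttribute('image'))
    }
    # <modules> enables modules: managed entries carry type=, native entries only a name.
    # The same element shape appears at server level, in <location> blocks and in web.config.
    foreach ($m in $Config.SelectNodes('//system.webServer/modules/add')) {
        $name = $m.GetAttribute('name'); $type = $m.GetAttribute('type')
        $loc  = $m.SelectSingleNode('ancestor::location/@path')
        $kind  = if ($type) { 'managed' } else { 'native' }
        $image = if ($type) { $type } else { $nativeImage[$name] }
        $scope = if ($loc -and $loc.Value) { $loc.Value } else { 'server' }
        [pscustomobject]@{ Name = $name; Kind = $kind; Image = $image; Scope = $scope }
    }
}

function Find-SuspiciousIISModule {
    param(
        [Parameter(Mandatory)][object[]]$Inventory,
        [Parameter(Mandatory)][string[]]$BaselineNames,
        [string]$TrustedDir = "$env:windir\System32\inetsrv"
    )
    foreach ($mod in $Inventory) {
        $reasons = @()
        if ($BaselineNames -notcontains $mod.Name) { $reasons += 'not in baseline' }
        if ($mod.Kind -eq 'native') {
            if (-not $mod.Image) {
                $reasons += 'enabled but has no globalModules image'
            } else {
                if ($mod.Image -notlike "$TrustedDir\*") { $reasons += 'image outside inetsrv' }
                if (Test-Path -LiteralPath $mod.Image) {
                    # Catalog-signed Microsoft DLLs need PowerShell 5.1+ to report Valid.
                    $sig = Get-AuthenticodeSignature -FilePath $mod.Image
                    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
                } else { $reasons += 'image file missing' }
            }
        } elseif ($mod.Image -notmatch '^(System\.|Microsoft\.)') {
            $reasons += 'managed type outside System/Microsoft namespaces'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Name = $mod.Name; Kind = $mod.Kind; Scope = $mod.Scope
                               Image = $mod.Image; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample: two legitimate entries plus the registration described above.
$sampleConfig = [xml]@'
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="IIS-Session-Manager" image="%windir%\System32\inetsrv\SessionHunter.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="StaticFileModule" />
        <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
        <add name="IIS-Session-Manager" />
      </modules>
    </system.webServer>
  </location>
</configuration>
'@
$baseline  = @('StaticFileModule', 'Session')   # take this from a clean reference build
$inventory = Get-IISModuleInventory -Config $sampleConfig
Find-SuspiciousIISModule -Inventory $inventory -BaselineNames $baseline | Format-Table -AutoSize

# On a live server, replace $sampleConfig with the real file and repeat per site:
#   [xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config" -Raw)
#   Get-Website | ForEach-Object { Join-Path $_.physicalPath 'web.config' }
```

The baseline comparison is the primary signal; the path and signature checks are there to catch an attacker who reuses a legitimate module name. Run it from a clean copy of your reference build first, save that output as the baseline, and diff against it on every host.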
Step 2: Use EDR to Detect Malicious Behavior
This is the critical technical control. A modern **Endpoint Detection and Response (EDR)** solution does not depend on recognizing the file; it watches what `w3wp.exe` *does* and flags behavior such as:
- Loads of unsigned or previously unseen DLLs into `w3wp.exe`.
- `w3wp.exe` making unusual outbound connections, in particular bursts of DNS queries whose subdomain labels are long and high-entropy.
- `w3wp.exe` reading the memory of other processes or of LSASS, which a web worker has no legitimate reason to do.
👉 A file-scanning antivirus has little to work with here: the DLL is a well-formed, possibly signed PE file, registered through supported IIS configuration, that does nothing suspicious until it is loaded. The behavioral analysis engine of an **EDR for Windows Server** is the control that actually sees the load and the traffic.
Step 3: Monitor Configuration Files
Use a File Integrity Monitoring (FIM) tool to watch the core IIS configuration files, primarily `%windir%\System32\inetsrv\config\applicationHost.config` and each site's `web.config`, and alert on any change that does not match a change ticket or deployment. IIS also records configuration changes itself: enable IIS Configuration Auditing (the Microsoft-IIS-Configuration/Operational event log), which writes an event for each change with the configuration path and the account that made it, and forward it to your SIEM. Pair this with process-creation logging (Security Event ID 4688 with command-line auditing, or Sysmon Event ID 1) and alert on `appcmd.exe` invoked with `install module` or `add module`, and on any direct edit of `applicationHost.config` by something other than your deployment tooling.
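Steps 2 and 3, and the exfiltration channel described in Chapter 2, as detection logic over Sysmon telemetry. This is an added example, not code from the original report: it flattens Sysmon records into hashtables and runs three hunts over them, for the `appcmd` registration (Event ID 1), the DLL load into `w3wp.exe` (Event ID 7) and DNS-tunneling behavior from `w3wp.exe` (Event ID 22). The sample events, the domain name and the thresholds are constructed for illustration.

```powershell
# Added example (not code from the original report): hunt Sysmon telemetry for the
# three phases the playbook describes. Sample events at the bottom are constructed;
# the thresholds are starting points, not tuned values.

function ConvertFrom-SysmonEvent {
    # Flatten a Get-WinEvent record into a hashtable keyed by the EventData field names.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $x = [xml]$Record.ToXml()
        $h = @{ Id = $Record.Id; Time = $Record.TimeCreated }
        foreach ($d in $x.Event.EventData.Data) { $h[$d.GetAttribute('Name')] = $d.'#text' }
        $h
    }
}

function Get-ShannonEntropy {
    param([string]$Text)
    if (-not $Text) { return 0.0 }
    $counts = @{}
    foreach ($c in $Text.ToCharArray()) { $counts[$c] = 1 + [int]$counts[$c] }
    $h = 0.0
    foreach ($n in $counts.Values) { $p = $n / $Text.Length; $h -= $p * [math]::Log($p, 2) }
    return $h
}

function Find-ModuleRegistration {
    # Phase 1: appcmd or the WebAdministration cmdlets being used to register a module.
    param([hashtable[]]$Events)
    foreach ($e in $Events | Where-Object { $_.Id -eq 1 }) {
        if ($e.CommandLine -match 'appcmd(\.exe)?"?\s+(install|add)\s+module' -or
            $e.CommandLine -match 'New-Web(Global|Managed)Module') {
            [pscustomobject]@{ Phase = 'register'; Detail = $e.CommandLine; Who = $e.User }
        }
    }
}

function Find-W3wpImageLoad {
    # Phase 2: w3wp.exe loading a DLL that is unsigned or outside the expected roots.
    # Add your deployments' bin directories to $TrustedRoots or this will be noisy.
    param([hashtable[]]$Events, [string[]]$TrustedRoots)
    if (-not $TrustedRoots) {
        $win = if ($env:windir) { $env:windir } else { 'C:\Windows' }
        $TrustedRoots = @("$win\System32\inetsrv", "$win\Microsoft.NET", "$win\assembly", "$win\System32")
    }
    foreach ($e in $Events | Where-Object { $_.Id -eq 7 -and $_.Image -like '*\w3wp.exe' }) {
        $inRoot = $false
        foreach ($r in $TrustedRoots) { if ($e.ImageLoaded -like "$r\*") { $inRoot = $true } }
        if (-not $inRoot -or $e.Signed -ne 'true') {
            [pscustomobject]@{ Phase = 'load'; Detail = $e.ImageLoaded; Signed = $e.Signed }
        }
    }
}

function Find-W3wpDnsTunneling {
    # Phase 3: many w3wp.exe lookups under one zone whose leading labels look random.
    param([hashtable[]]$Events, [int]$MinQueries = 20, [double]$MinEntropy = 3.5)
    $byZone = @{}
    foreach ($e in $Events | Where-Object { $_.Id -eq 22 -and $_.Image -like '*\w3wp.exe' }) {
        $labels = $e.QueryName.TrimEnd('.').Split('.')
        if ($labels.Count -lt 3) { continue }        # nothing in front of the zone to carry data
        $zone    = $labels[-2..-1] -join '.'
        $payload = $labels[0..($labels.Count - 3)] -join ''
        if (-not $byZone.ContainsKey($zone)) { $byZone[$zone] = @() }
        $byZone[$zone] += Get-ShannonEntropy $payload
    }
    foreach ($zone in $byZone.Keys) {
        $ent  = $byZone[$zone]
        $mean = ($ent | Measure-Object -Average).Average
        if ($ent.Count -ge $MinQueries -and $mean -ge $MinEntropy) {
            [pscustomobject]@{ Phase = 'exfil'; Detail = $zone; Queries = $ent.Count; MeanEntropy = [math]::Round($mean, 2) }
        }
    }
}

# Constructed sample telemetry. For live data use:
#   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1,7,22} | ConvertFrom-SysmonEvent
$w3wp   = 'C:\Windows\System32\inetsrv\w3wp.exe'
$events = @(
    @{ Id = 1; Image = 'C:\Windows\System32\inetsrv\appcmd.exe'; User = 'CORP\svc-deploy'
       CommandLine = 'appcmd.exe install module /name:IIS-Session-Manager /image:"C:\Windows\System32\inetsrv\SessionHunter.dll"' },
    @{ Id = 7; Image = $w3wp; ImageLoaded = 'C:\Windows\System32\inetsrv\static.dll'; Signed = 'true' },
    @{ Id = 7; Image = $w3wp; ImageLoaded = 'C:\Windows\System32\inetsrv\SessionHunter.dll'; Signed = 'false' },
    @{ Id = 22; Image = $w3wp; QueryName = 'www.contoso.com' }
)
$alphabet = 'abcdefghijklmnopqrstuvwxyz234567'     # base32-style payload labels, 40 chars each
foreach ($i in 1..25) {
    $label = -join (1..40 | ForEach-Object { $alphabet[(Get-Random -Maximum $alphabet.Length)] })
    $events += @{ Id = 22; Image = $w3wp; QueryName = "$label.updatestats-cdn.com" }
}
Find-ModuleRegistration $events; Find-W3wpImageLoad $events; Find-W3wpDnsTunneling $events
```

Against the sample data this reports the `appcmd` registration, the unsigned `SessionHunter.dll` load, and the `updatestats-cdn.com` zone (25 queries, mean label entropy well above 3.5), while `www.contoso.com` is ignored. On a real server the DNS hunt needs a tuned `$MinQueries` and an allow-list for zones the application legitimately calls, and the image-load hunt needs your deployment directories in `$TrustedRoots`; otherwise in-house site assemblies will be flagged on every restart.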
Chapter 4: The Strategic Response — A Zero Trust Approach to Server Security
SessionHunter is a potent reminder that web servers should be treated as hardened appliances, not general-purpose machines. A Zero Trust approach to server security means no process or file is trusted by default: the worker process may load only what you have explicitly approved.
The strategic control is **Application Control** (application allow-listing). On a properly hardened server the operating system is configured so that only known, signed, approved executables and DLLs can run, and an attempt to load a new, untrusted DLL such as `SessionHunter.dll` is blocked before IIS ever maps it. Two practical caveats: AppLocker's DLL rule collection is not enforced by default and has to be switched on deliberately (Windows Defender Application Control covers DLLs from the start), and the rules must account for legitimately deployed site assemblies in `bin` directories, ideally by requiring a publisher signature from your build pipeline rather than allowing the directory wholesale. With those in place, this "default-deny" posture defeats the whole class of post-exploitation modules, native or managed, regardless of how the attacker got in.
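One way to build the allow-list the paragraph describes, as an added example rather than anything from the original report: it generates AppLocker DLL rules from the binaries on a known-clean server, turns the DLL collection on in audit mode, merges it into the local policy, and dry-runs it against every DLL currently loaded in `w3wp.exe`. The `$siteBinDirs` path is an assumption for your deployed sites.

```powershell
# Added example (not code from the original report): generate a default-deny
# AppLocker DLL rule set from the binaries on a known-clean server and start it in
# audit mode. $siteBinDirs is an assumption; replace it with your sites' bin folders.
$siteBinDirs = @('C:\inetpub\wwwroot\bin')
$sourceDirs  = @("$env:windir\System32\inetsrv", "$env:windir\Microsoft.NET") + $siteBinDirs

# Publisher rules for signed files, hash rules as the fallback for unsigned ones;
# -Optimize collapses files from the same publisher into a single rule.
$fileInfo = foreach ($d in $sourceDirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Dll
}
[xml]$policy = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix IIS -Optimize -Xml

# The DLL collection is NotConfigured by default. Start in AuditOnly, watch for
# AppLocker event 8003 ("would have been blocked") until it is clean, then set Enabled.
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyPath = Join-Path $env:TEMP 'iis-dll-allowlist.xml'
$policy.Save($policyPath)
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge   # enforcement needs the Application Identity service running

# Dry run: anything already loaded in w3wp.exe that the policy would deny is either
# a gap in your rules or your incident. Requires an elevated, same-bitness session.
$loaded = (Get-Process -Name w3wp -ErrorAction SilentlyContinue).Modules.FileName | Sort-Object -Unique
if ($loaded) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $loaded -User Everyone |
        Where-Object PolicyDecision -ne 'Allowed'
}
```

Keep the policy under version control and regenerate it from the build pipeline whenever a site ships a new assembly; a hash rule for an unsigned in-house DLL goes stale on the next release, which is the argument for signing your own assemblies and relying on publisher rules.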
Chapter 5: FAQ & Indicators of Compromise (IOCs)
Q: My web application uses HTTPS/TLS encryption. Can SessionHunter still steal passwords?
A: Yes. HTTPS protects data *in transit* between the user's browser and your web server. SessionHunter runs *on the server itself*, after IIS (or a load balancer in front of it) has decrypted the TLS traffic. It hooks into the request pipeline and reads the username and password from the server's memory before your application's code even sees them, and it reads the `Set-Cookie` header before it leaves the server, so cookie flags such as `Secure` and `HttpOnly` do not help either. Transport encryption provides no protection against this type of server-side threat.
Indicators of Compromise (IOCs)
While specific IOCs will vary between intrusions, security teams should hunt for the following patterns:
- **File Hashes (SHA-256):**
- `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` is given here only as a placeholder for the format; it is the SHA-256 of an empty input, not the hash of any sample, and must not be loaded into a blocklist. Hunt on the hash of the DLL recovered from your own server, and expect it to differ between victims.
- **Malicious Module Names:** Look for registration names that imitate legitimate components, generic or misspelled, such as `IIS-Session-Manager`, `SessionQueryModule`, or `IISExtensibility`, in your `appcmd` output or in `<globalModules>` and `<modules>` entries. Compare against the module list of a clean build rather than relying on names alone; the attacker chooses them freely.
- **C2 Domains:** Monitor DNS queries originating from your IIS servers (Sysmon Event ID 22 records the querying process) for unusual or newly registered domains. The names `updatestats-cdn.com` and `ms-telemetry-data.net` are illustrative of the look-alike style, not confirmed infrastructure. A hardened web server has few reasons to resolve external names at all, so the volume and label entropy of `w3wp.exe` lookups are better signals than any domain list.
🔒 Secure Your Web Infrastructure with CyberDudeBivash
- Malware Analysis & Reverse Engineering
- Web Server Hardening & Security Audits
- Corporate Incident Response
Contact Us Today | 🌐 cyberdudebivash.com
About the Author
CyberDudeBivash is a cybersecurity strategist and researcher with over 15 years of experience in malware analysis, reverse engineering, and web application security. He provides strategic advisory services to CISOs and boards across the APAC region. [Last Updated: October 01, 2025]
#CyberDudeBivash #IIS #Malware #DotNET #CyberSecurity #ThreatIntel #InfoSec #WebSecurity #InfoStealer #EDR