Recent cybersecurity analysis has uncovered the deployment of a newly identified binary called “Owowa,” specifically targeting Microsoft Exchange’s Outlook Web Access servers. This malicious Internet Information Services (IIS) web server module seeks to extract user credentials and facilitate remote command execution on compromised systems.
The Owowa module, reportedly written in C# for the .NET v4.0 framework, integrates into IIS to exploit the OWA login page. Kaspersky researchers Paul Rascagneres and Pierre Delcher detailed that this malicious module is adept at collecting information from anyone logging into OWA and enables a remote operator to execute commands directly on the affected server.
The concept of using rogue IIS modules as backdoors is not unprecedented. An extensive investigation by ESET in August 2021 documented numerous malware families functioning as native IIS modules aimed at hijacking HTTP traffic and remotely controlling compromised machines. This new development further underscores the vulnerabilities within server infrastructures.
Specifically, Owowa persists as a loaded IIS module and captures the credentials of users who successfully authenticate to OWA. Because it sits in the login path, the operator interacts with it through ordinary-looking login requests, placing commands in the username and password fields of the OWA login form. For instance, if the username “jFuLIXpzRdateYHoVwMlfc” is entered, Owowa responds with the encrypted credentials it has collected; a different username triggers the execution of PowerShell commands, with the results relayed directly to the attacker.
Kaspersky has reported identifying a group of affected servers based in Malaysia, Mongolia, Indonesia, and the Philippines, primarily serving government entities, though one instance was linked to a government-owned transportation firm. Additionally, organizations throughout Europe are suspected to have been compromised in similar attacks.
While there are no confirmed connections between the Owowa perpetrators and other identified hacking groups, a username “S3crt” embedded in the malware’s code has led to further malware samples likely associated with the same developer. Among these are binaries capable of executing embedded shellcode, retrieving additional malware from remote servers, and deploying Cobalt Strike payloads.
Kaspersky’s Global Research and Analysis Team noted that the same username appears on Keybase, where the individual has showcased offensive tools, including Cobalt Strike. This demonstrates a broader inclination towards sophisticated cyber-attack methodologies.
Rascagneres and Delcher emphasize that using IIS modules as backdoors is atypical compared to more common web application threats such as web shells. Because such modules load inside the IIS worker process rather than appearing as a file in the web root, they easily evade standard monitoring, giving attackers a resilient foothold within targeted networks, particularly when inserted into Exchange server environments.
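Since a rogue module like the one described above registers itself in the IIS configuration rather than dropping a file into the OWA web root, a useful defensive check is to inventory the native and managed modules IIS loads and flag any that are unsigned or absent from a vetted allow-list. The script below is an added example written for this article, not Kaspersky's or Microsoft's code; it assumes Windows Server with the WebAdministration module, local administrator rights, and the standard Exchange OWA application paths (“Default Web Site/owa” and “Exchange Back End/owa”), and the allow-list it carries is a constructed placeholder to be replaced with a baseline taken from a known-good server.

```powershell
# Added example (not from the article): inventory IIS modules on an Exchange/OWA server
# and flag entries that are unsigned, missing on disk, or not on a vetted allow-list.
Import-Module WebAdministration

# Constructed placeholder allow-list (assumption): build yours from a known-good server.
$KnownGood = @('UriCacheModule','FileCacheModule','TokenCacheModule','StaticFileModule',
               'DefaultDocumentModule','AnonymousAuthenticationModule',
               'WindowsAuthenticationModule')

function Test-ModuleImage {
    # Expand %windir%-style paths, then report the Authenticode status and signer.
    param([string]$Path)
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path $full)) { return "MISSING ($full)" }
    $sig = Get-AuthenticodeSignature -FilePath $full
    return "$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
}

Write-Host "== Native (global) modules =="
foreach ($m in Get-WebGlobalModule) {
    $flag = if ($KnownGood -notcontains $m.Name) { 'REVIEW' } else { 'ok' }
    "{0,-8} {1,-40} {2}" -f $flag, $m.Name, (Test-ModuleImage $m.Image)
}

Write-Host "== Managed (.NET) modules at server level and in the OWA applications =="
# OWA application paths are an assumption about a default Exchange layout.
$scopes = @('IIS:\', 'IIS:\Sites\Default Web Site\owa', 'IIS:\Sites\Exchange Back End\owa')
foreach ($scope in $scopes) {
    if (-not (Test-Path $scope)) { continue }
    foreach ($m in Get-WebConfiguration -Filter 'system.webServer/modules/add' -PSPath $scope) {
        if (-not $m.type) { continue }   # entries without a type refer to native modules above
        # type is "Namespace.Class, AssemblyName[, Version=..., ...]"; take the assembly name
        $asm = ($m.type -split ',')[1].Trim()
        $dll = Get-ChildItem -Path "$env:windir\Microsoft.NET\assembly", "$env:windir\assembly",
                                   "$env:ExchangeInstallPath" -Filter "$asm.dll" -Recurse `
                                   -ErrorAction SilentlyContinue | Select-Object -First 1
        $status = if ($dll) { Test-ModuleImage $dll.FullName } else { 'assembly not found on disk' }
        $flag = if ($KnownGood -notcontains $m.name) { 'REVIEW' } else { 'ok' }
        "{0,-8} {1,-40} {2} [{3}]" -f $flag, $m.name, $status, $scope
    }
}
```

Lines marked REVIEW are not necessarily malicious (Exchange registers many Microsoft-signed managed modules); the point is that an unsigned or unlocatable assembly wired into the OWA module pipeline deserves immediate investigation.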