Malicious actors are deploying the ‘Owowa’ harmful IIS web server module on Microsoft Exchange Outlook Web Access servers to steal passwords and execute commands remotely. Based on compilation data and when it was published to the VirtusTotal malware detection service, Owowa’s development began in late 2020.
Kaspersky’s telemetry data shows that the most current copy in circulation is from April 2021 and targets servers in Malaysia, Mongolia, Indonesia, and the Philippines. Government agencies, public transit corporations, and other critical entities use these systems. The ‘Owowa’ targets aren’t confined to Southeast Asia, as per Kaspersky, and infections have also been detected in Europe.
Web shells, which allow threat actors to execute instructions on a server remotely, are frequently used against Microsoft Exchange servers, and they are usually the target of defenders. As a result, employing an IIS module as a backdoor is an excellent approach to remain undetected. The perpetrators can evade typical network monitoring restrictions by sending seemingly harmless authentication requests to OWA.
A report from Kaspersky explains, “IIS modules are not a common format for backdoors, especially when compared to typical web application threats like web shells and can therefore easily be missed during standard file monitoring efforts.”
Furthermore, the implant survives even when the Exchange software is upgraded, requiring only one infection. According to Kaspersky, the perpetrator may be relying on ProxyLogon weaknesses to breach the server, which remains a threat even after being fixed nine months ago. On the other hand, the actors didn’t do a perfect job with Owowa’s development, failing to hide PDB paths in the malware executable and, in some cases, causing server crashes.
Owowa is meant to log users’ credentials who successfully authenticate on the OWA login web page in Exchange servers’ OWA apps. The login success is automatically checked by monitoring the OWA application and generating an authentication token. If this happens, Owowa saves the user’s username, password, IP address, and current timestamp and encrypts the information with RSA.
The cybercriminal can then manually send a command to the rogue module to gather the stolen data. Remote commands may also run PowerShell on a hacked endpoint, allowing various attack options.
Administrators can use the command ‘appcmd.exe’ or the IIS configuration tool to acquire a list of all loaded modules on an IIS server. The malicious module goes by the name “ExtenderControlDesigner” in the examples the researchers have encountered. Even though the researchers were directed to an account on the RaidForums hacker site while conducting their investigation, the attribution remains shaky, and there are few links to known perpetrators.
In addition, the module’s carelessness is a symptom of an inexperienced actor who does not fit the targeted scope, which includes government agencies. In conclusion, this is another reminder of the significance of routinely reviewing your IIS modules, searching for evidence of lateral network movement, and maintaining your endpoint security shields.
