Hackers use IIS module to steal Microsoft Exchange credentials


Researchers have confirmed that an attacker has been installing a malicious IIS web server module called “Owowa” on Microsoft Exchange Outlook Web Access (OWA) servers, with the aim of stealing credentials and remotely executing commands on those servers.

The following is a summary of the findings.

Source report: “Owowa: the add-on that turns your OWA into a credential stealer and remote access panel”
“We found a suspicious binary and determined it as an IIS module, aimed at stealing credentials and enabling remote comma...”

Owowa development likely began in late 2020, based on compilation data and the time the sample was uploaded to the malware scanning service VirusTotal.

Based on Kaspersky’s telemetry data, the most recently circulated sample is from April 2021 and targets servers in Malaysia, Mongolia, Indonesia and the Philippines.

The targeted systems belong to government agencies, public transportation operators, and other critical entities.

Kaspersky commented that the targeting of “Owowa” is not limited to Southeast Asia, and that there are signs of infection in Europe as well.

Unusual backdoors

Microsoft Exchange servers are often targeted with web shells that allow threat actors to execute commands remotely on the server, making them a point of interest for defenders.

Using IIS modules as a backdoor is therefore an excellent way to hide.

An attacker can control the module by sending seemingly harmless authentication requests to OWA, which also bypass standard network monitoring rules.

IIS modules are not a common form of backdoor, especially when compared to typical web application threats such as web shells, and can easily be missed by standard file monitoring tasks.

In addition, the module persists even after the Exchange software is updated, so the attacker only needs to infect the server once.

Kaspersky commented that the initial compromise may rely on the ProxyLogon flaw.

However, the attackers’ development of Owowa was not perfect, and in some cases they failed to hide the PDB path in the malware executable, causing server crashes.

Powerful features of Owowa

Owowa is specifically targeted at OWA applications on Exchange servers, and is designed to record credentials of users who successfully authenticate on OWA login web pages.

A successful login is detected automatically: the module monitors the OWA application and checks whether it generates an authentication token.

When it does, Owowa stores the username, password, user IP address and current timestamp, and encrypts the data using RSA.

The attacker can also retrieve the stolen data by manually sending commands to the malicious module.

Remote commands can also be used to run PowerShell on a compromised endpoint, which can lead to a variety of possible attacks.

A cybercriminal can simply access the OWA login page of the compromised server and enter specially crafted commands in the username and password fields to complete the attack.

This is an efficient option for an attacker to establish a strong foothold in the target’s network by hiding within the Exchange server.

Detect and remove IIS modules

Administrators can use the ‘appcmd.exe’ command-line tool or the IIS Configuration Tool to list all modules loaded on the IIS server and discover malicious ones.

In the cases identified by the researchers, the malicious module used the name “ExtenderControlDesigner”, as shown below.
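As an added example (not part of the article or Kaspersky’s report), the following PowerShell script does the module inventory described above on a single IIS host. It lists native global modules (with image path and Authenticode signature status) and the managed .NET modules registered on each site and application, and flags any module whose name matches the one reported for Owowa or whose image sits outside the usual IIS, .NET or Exchange directories. It assumes the WebAdministration module that ships with IIS, an elevated prompt, and that the trusted-directory list is adjusted to the local installation.

```powershell
# Added example: inventory IIS modules and flag unusual ones.
# Equivalent starting point from the article: %windir%\system32\inetsrv\appcmd.exe list modules
Import-Module WebAdministration

# Module name reported for Owowa in the article; extend with your own watch list.
$SuspectNames = @('ExtenderControlDesigner')

# Directories where legitimate IIS / .NET / Exchange module DLLs normally live
# (assumption: adjust for your own installation).
$TrustedRoots = @(
    "$env:windir\System32\inetsrv",
    "$env:windir\Microsoft.NET\Framework",
    "$env:windir\Microsoft.NET\Framework64",
    "$env:ExchangeInstallPath"
) | Where-Object { $_ }

function Test-TrustedPath([string]$Path) {
    foreach ($root in $TrustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Native (global) modules: each has an image path that can be checked for
#    location and for a valid Authenticode signature.
Write-Host "== Native global modules =="
foreach ($m in Get-WebGlobalModule) {
    $image = [Environment]::ExpandEnvironmentVariables($m.Image)
    $flags = @()
    if ($SuspectNames -contains $m.Name) { $flags += 'KNOWN-BAD-NAME' }
    if (-not (Test-TrustedPath $image))  { $flags += 'UNUSUAL-PATH' }
    if (Test-Path $image) {
        $sig = Get-AuthenticodeSignature -FilePath $image
        if ($sig.Status -ne 'Valid')     { $flags += "SIG-$($sig.Status)" }
    } else {
        $flags += 'IMAGE-MISSING'
    }
    '{0,-40} {1} {2}' -f $m.Name, $image, ($flags -join ',')
}

# 2. Managed modules: a .NET IIS module is registered under
#    system.webServer/modules of a site or application rather than as a
#    native image, so walk every site and application and list what is there.
Write-Host "`n== Managed modules per site/application =="
foreach ($site in Get-Website) {
    $paths = @("IIS:\Sites\$($site.Name)")
    $paths += Get-WebApplication -Site $site.Name |
        ForEach-Object { "IIS:\Sites\$($site.Name)$($_.Path)" }
    foreach ($p in $paths) {
        $mods = Get-WebConfiguration -Filter 'system.webServer/modules/add' `
                    -PSPath $p -ErrorAction SilentlyContinue
        foreach ($mod in $mods) {
            # Entries without a type are references to native modules, covered above.
            if (-not $mod.type) { continue }
            $flag = if ($SuspectNames -contains $mod.name) { 'KNOWN-BAD-NAME' } else { '' }
            '{0,-45} {1,-30} {2} {3}' -f $p, $mod.name, $mod.type, $flag
        }
    }
}
```

Run it on a known-clean Exchange server first and keep that output as a baseline; on later runs, any managed module that appears under the OWA application (for example IIS:\Sites\Default Web Site\owa) and is not in the baseline deserves investigation, regardless of whether its name matches the one reported here. Because the managed entry only carries a type string, the corresponding assembly should then be located (in the application’s bin directory or the GAC) and its signature and hash reviewed, which is the step that catches a renamed copy.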

In summary, this incident serves as a reminder of the importance of regularly checking IIS modules, looking for signs of lateral movement in the network, and maintaining an endpoint security shield.
