Hackers are deploying a previously unverified binary, an Internet Information Services (IIS) web server module called “Owowa,” to Microsoft Exchange Outlook Web Access servers in order to steal credentials and allow remote command execution.
“Owowa is a .NET version 4.0 assembly developed in C# that must be loaded as a module inside an IIS web server that also exposes Exchange Outlook Web Access (OWA),” said Kaspersky researchers Paul Rascagneres and Pierre Delcher to Bleeping Computer. “When loaded in this way, Owowa will steal the credentials entered by any user on the OWA login page and allow a remote operator to execute commands on the underlying server.”
The idea that a malicious IIS module can be turned into a backdoor is not new. In August, an exhaustive study of the IIS threat landscape by Slovak cybersecurity company ESET revealed up to 14 malware families that were developed as native IIS modules in an attempt to intercept HTTP traffic and remotely commandeer compromised computers.
As a persistent component on the compromised system, Owawa is designed to capture the credentials of users who have successfully authenticated to the OWA authentication page. Exploitation can then be achieved by sending “apparently innocuous requests” to the exposed web services by entering specifically crafted commands into the username and password fields on a compromised server’s OWA authentication page.
The Russian security company said it had detected a cluster of targets with compromised servers located in Malaysia, Mongolia, Indonesia and the Philippines that mainly belong to government organizations, with the exception of a server connected to a state transport company. That said, it is believed that other organizations in Europe were also victims of the actor.
Although no links were discovered between Owowa operators and other publicly documented hacker groups, a username “S3crt” (read secret) found embedded in the source code of the identified samples yielded additional malware executables that are probably the work of the same developer. Chief among them are a number of binaries designed to execute embedded shell code, load next-stage malware retrieved from a remote server, and trigger the execution of Cobalt Strike payloads.
Kaspersky’s global research and analysis team (GREAT) also said it identified an account with the same username on Keybase, where the hacker shared offensive tools such as Cobalt Strike and Core Impact, as well as showing interest in the latter on RAIDForums. “IIS modules are not a common format for backdoors, especially when compared to typical web application threats like web shells, and can therefore be easily missed during standard file monitoring efforts,” said Rascagneres and Delcher. “The malicious module […] represents an effective option for attackers to gain a strong foothold in targeted networks by persisting within an Exchange server.”