IIS Module Malvertised to Steal Microsoft Exchange Credentials
Threat actors are installing a malicious IIS web server module named ‘Owowa‘ on Microsoft Exchange Outlook Web Access servers to steal credentials and execute commands on the server remotely.
Owowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange’s Outlook Web Access (OWA). It will steal credentials that are entered by any user in the OWA login page and will allow a remote operator to run commands on the underlying server.
An IIS module as a backdoor is an excellent way to stay hidden. The actors can send seemingly innocuous authentication requests to OWA, evading standard network monitoring rules as well. The implant persists even after the Exchange software is updated, so the infection needs to take place only once.
If the OWA username is “jFuLIXpzRdateYHoVwMlfc,” Owowa responds back with the encrypted credentials. If the username, on the other hand, is “dEUM3jZXaDiob8BrqSy2PQO1”, the PowerShell command typed in the OWA password field is executed, the results of which are sent back to the attacker.
Researchers detected a cluster of targets with compromised servers located in Malaysia, Mongolia, Indonesia, and the Philippines that primarily belong to government organizations, except for one server that’s attached to a government-owned transportation company. That said, additional organizations in Europe are believed to have been victimized by the actor as well.
At the time of writing, no link found between the Owowa operators and other publicly documented hacking groups, a username “S3crt” (read “secret”) that was found embedded in the source code of the identified samples has yielded additional malware executables that are likely the work of the same developer. Chief among them is several binaries designed to execute an embedded shellcode, load next-stage malware retrieved from a remote server, and trigger the execution of Cobalt Strike payloads.
Steps to protect and mitigate
- Check all IIS modules on exposed IIS servers regularly — especially if that IIS server deals with Exchange.
- Focus on detecting lateral movements and data exfiltration to the internet. Pay attention to outgoing traffic and create regular backups that are easily accessible.
- Use trusted endpoint detection and response software to identify and stop attacks early on.
- Use trusted endpoint security software powered by exploit prevention, behaviour detection and remediation engines that can roll back malicious actions.