While looking for potentially malicious implants that targeted Microsoft Exchange servers, Kaspersky researchers identified a suspicious binary that had been submitted to a multiscanner service in late 2020. Analyzing the code, researchers determined that the previously unknown binary is an IIS module, aimed at stealing credentials and enabling remote command execution from OWA. Kaspersky named the malicious module ‘Owowa’, and identified several compromised servers located in Asia.
Meet Owowa, the IIS module you don’t want
Owowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange’s Outlook Web Access (OWA). When loaded this way, Owowa will steal credentials that are entered by any user in the OWA login page, and will allow a remote operator to run commands on the underlying server.