
Hackers Steal Microsoft Exchange Credentials Using a Malicious IIS Server Module.

Kaspersky researchers Paul Rascagneres and Pierre Delcher reported that, “When loaded in this manner, Owowa will steal any user’s credentials entered in the OWA login page and will allow a remote operator to run commands on the underlying server. Owowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange’s Outlook Web Access (OWA).”

Malicious actors are using a previously unknown binary, an Internet Information Services (IIS) webserver module dubbed “Owowa,” on Microsoft Exchange Outlook Web Access servers to steal credentials and enable remote command execution.

Owowa is designed to persist on the compromised server and capture the credentials of users who successfully authenticate on the OWA login page. The operator then interacts with it by sending “seemingly innocuous requests” to the exposed web service: specifically crafted values entered into the username and password fields of the compromised server’s OWA login page act as commands.

If the OWA username is “jFuLIXpzRdateYHoVwMlfc,” Owowa responds with the encrypted credentials it has collected. If the username is “dEUM3jZXaDiob8BrqSy2PQO1,” the PowerShell command entered in the OWA password field is executed and its output is returned to the operator.

The Russian security firm said it discovered a cluster of targets with compromised servers in Malaysia, Mongolia, Indonesia, and the Philippines, among them one server belonging to a government-owned transportation company. It also believes the actor has victimised other organisations in Europe.

Although no links have been found between the Owowa operators and other publicly documented hacking groups, the username “S3crt” (read “secret”), found embedded in the source code of the identified samples, led the researchers to additional malware executables that are likely the work of the same developer. Among them are binaries designed to execute embedded shellcode, load next-stage malware downloaded from a remote server, and trigger the execution of Cobalt Strike payloads.

Rascagneres and Delcher explained that “IIS modules are not a common format for backdoors, particularly when compared to typical web application threats such as web shells, and can thus easily be missed during standard file monitoring efforts. By persisting inside an Exchange server, the malicious module […] represents an effective option for attackers to gain a strong foothold in targeted networks.”
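Because a managed IIS module such as Owowa is not a file dropped into the web root but a registration in IIS configuration, the practical check is to enumerate the registered modules and compare them against a baseline. The script below is an added example written for this article, not Kaspersky’s tooling or anything from the Owowa samples. It parses the `<modules>` and `<globalModules>` sections of an IIS configuration file (applicationHost.config or a site’s web.config, including entries nested under `<location>`) and reports managed modules whose class namespace, or native modules whose image path, falls outside an allowlist. The trusted prefixes, the sample configuration and the module name “OwaAuthHelper” are all constructed for illustration; a real Exchange server will need its own baseline.

```python
"""Flag IIS modules that are not part of a known baseline.

Added example for this article, not code from Kaspersky or the Owowa samples.
A managed (.NET) IIS module appears in the <modules> section as an <add>
element with type="Namespace.Class, Assembly[, Version=...]"; a native module
appears in <globalModules> with an image="path\to.dll" attribute.
"""
import xml.etree.ElementTree as ET

# Assumed-trusted namespaces for managed modules (assumption; tune per host).
TRUSTED_TYPE_PREFIXES = ("System.", "Microsoft.")
# Assumed-trusted locations for native module DLLs, compared lower-cased
# (assumption; tune per host, e.g. add the Exchange install directory).
TRUSTED_IMAGE_PREFIXES = (
    "%windir%\\system32\\inetsrv\\",
    "%windir%\\microsoft.net\\",
)


def parse_modules(config_xml):
    """Return (managed, native) module lists from an IIS config string.

    managed: (name, fully qualified class, assembly) for each <modules><add type=...>
    native:  (name, image) for each <globalModules><add image=...>
    """
    root = ET.fromstring(config_xml)
    managed, native = [], []
    for section in root.iter("modules"):        # any nesting, incl. <location>
        for add in section.findall("add"):
            type_attr = add.get("type")
            if not type_attr:
                continue                          # native modules are referenced by name only
            parts = [p.strip() for p in type_attr.split(",")]
            cls = parts[0]
            asm = parts[1] if len(parts) > 1 else cls.rsplit(".", 1)[0]
            managed.append((add.get("name", ""), cls, asm))
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            native.append((add.get("name", ""), add.get("image", "")))
    return managed, native


def suspicious_modules(config_xml):
    """Return records for modules whose namespace or image path is not allowlisted."""
    managed, native = parse_modules(config_xml)
    hits = []
    for name, cls, asm in managed:
        if not cls.startswith(TRUSTED_TYPE_PREFIXES):
            hits.append({"kind": "managed", "name": name, "type": cls, "assembly": asm})
    for name, image in native:
        if not image.lower().startswith(TRUSTED_IMAGE_PREFIXES):
            hits.append({"kind": "native", "name": name, "image": image})
    return hits


# Constructed sample: a trimmed applicationHost.config with one planted module.
# The Exchange and OWA entries here are illustrative, not real Exchange config.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
    </globalModules>
    <modules>
      <add name="StaticFileModule" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" preCondition="managedHandler" />
    </modules>
  </system.webServer>
  <location path="Default Web Site/owa">
    <system.webServer>
      <modules>
        <add name="OwaAuthModule" type="Microsoft.Exchange.Clients.Owa.Core.OwaAuthModule, Microsoft.Exchange.Clients.Owa" />
        <add name="OwaAuthHelper" type="OwaAuthHelper.AuthHelperModule, OwaAuthHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""

if __name__ == "__main__":
    for hit in suspicious_modules(SAMPLE_CONFIG):
        print(hit)
```

On a live server the same module inventory can be pulled with `%windir%\System32\inetsrv\appcmd.exe list modules` (or `Get-WebGlobalModule` and `Get-WebManagedModule` from the WebAdministration PowerShell module) and fed through the same allowlist logic; an unexpected managed module scoped to the OWA path whose assembly is unsigned or lives outside the Exchange install directory is exactly the registration an Owowa-style implant needs.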

Kaspersky’s Global Research and Analysis Team (GReAT) also said it discovered an account with the same username on Keybase, where the individual has shared offensive tools such as Cobalt Strike and Core Impact, and has expressed interest in the latter on RAIDForums.

Indicators of Compromise

Possibly related malicious loaders:

PDB Paths:

Possibly related Cobalt Strike C2:

Possibly related suspicious domain:

For more cyber security news in crisp content, please follow our site on Twitter at @cyberworkx1 and on LinkedIn.
