
Hackers Steal Microsoft Exchange Credentials Using a Malicious IIS Server Module.

Kaspersky researchers Paul Rascagneres and Pierre Delcher reported that, “When loaded in this manner, Owowa will steal any user’s credentials entered in the OWA login page and will allow a remote operator to run commands on the underlying server. Owowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange’s Outlook Web Access (OWA).”

Malicious actors are using a previously unknown binary, an Internet Information Services (IIS) webserver module dubbed “Owowa,” on Microsoft Exchange Outlook Web Access servers to steal credentials and enable remote command execution.

Owowa is designed to run as a persistent component on the compromised system and to capture the credentials of users who successfully authenticate on the OWA login page. The operator then interacts with it by sending “seemingly innocuous requests” to the exposed web service: specially crafted values entered into the username and password fields of the compromised server’s OWA login page.

If the OWA username is “jFuLIXpzRdateYHoVwMlfc,” Owowa responds with the encrypted captured credentials. If the username is “dEUM3jZXaDiob8BrqSy2PQO1,” the PowerShell command entered in the OWA password field is executed, and the results are returned to the attacker.

The Russian security firm said it discovered a cluster of compromised servers in Malaysia, Mongolia, Indonesia, and the Philippines, one of which belonged to a government-owned transportation company. It also believes the actor has victimised other organisations in Europe.

Despite the fact that no links have been discovered between the Owowa operators and other publicly documented hacking groups, a username “S3crt” (read “secret”) found embedded in the source code of the identified samples has yielded additional malware executables that are likely the work of the same developer. Among them are binaries designed to execute embedded shellcode, load next-stage malware downloaded from a remote server, and trigger the execution of Cobalt Strike payloads.

Rascagneres and Delcher explained that “IIS modules are not a common format for backdoors, particularly when compared to typical web application threats such as web shells, and can thus easily be missed during standard file monitoring efforts. By persisting inside an Exchange server, the malicious module […] represents an effective option for attackers to gain a strong foothold in targeted networks.”
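Two defender-side checks that follow from the trigger usernames and the IIS-module persistence described above, written as an added example (not code from Kaspersky or this blog). It assumes a reverse proxy or WAF log that records OWA logon form fields (IIS logs do not keep POST bodies) and a constructed applicationHost.config fragment; the rogue module name and the trusted namespace baseline are assumptions.

```python
"""Owowa hunting helpers: trigger-username logons and unexpected IIS modules."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Trigger usernames quoted in the report and the action each one invokes.
TRIGGERS = {"jFuLIXpzRdateYHoVwMlfc": "credential-dump",
            "dEUM3jZXaDiob8BrqSy2PQO1": "powershell-exec"}

# Constructed proxy log: "<ts> <client> <method> <path> <urlencoded-body|->".
SAMPLE_LOG = """\
2021-12-01T08:01:12Z 198.51.100.7 POST /owa/auth.owa username=alice%40corp.example&password=REDACTED
2021-12-01T08:03:40Z 203.0.113.9 POST /owa/auth.owa username=jFuLIXpzRdateYHoVwMlfc&password=x
2021-12-01T08:04:02Z 203.0.113.9 POST /owa/auth.owa username=dEUM3jZXaDiob8BrqSy2PQO1&password=whoami
2021-12-01T08:05:00Z 198.51.100.8 GET /owa/auth/logon.aspx -"""


def find_trigger_logons(log_text):
    """Return (ts, client, action, password-field) for logon POSTs using a trigger username."""
    alerts = []
    for line in log_text.splitlines():
        ts, client, method, path, body = line.split(" ", 4)
        if method != "POST" or not path.endswith("/auth.owa"):
            continue
        form = parse_qs(body)
        action = TRIGGERS.get(form.get("username", [""])[0])
        if action:
            # For the exec trigger the password field carries the command to run,
            # so it is kept as evidence; for the dump trigger it is just filler.
            alerts.append((ts, client, action, form.get("password", [""])[0]))
    return alerts


# Constructed applicationHost.config fragment; the last <add> stands in for a
# rogue managed module (hypothetical name, not Owowa's real module name).
SAMPLE_CONFIG = """<configuration><system.webServer><modules>
  <add name="Session" type="System.Web.SessionState.SessionStateModule" />
  <add name="ProxyModule" type="Microsoft.Exchange.HttpProxy.ProxyModule" />
  <add name="Extender" type="Rogue.Module, HypotheticalLib" />
</modules></system.webServer></configuration>"""

TRUSTED_PREFIXES = ("System.Web.", "Microsoft.Exchange.")  # assumed baseline


def unexpected_managed_modules(config_xml, trusted=TRUSTED_PREFIXES):
    """List managed IIS modules whose .NET type is outside the trusted namespaces."""
    root = ET.fromstring(config_xml)
    return [(add.get("name"), add.get("type")) for add in root.iter("add")
            if add.get("type") and not add.get("type").startswith(trusted)]
```

Run the module check against a freshly installed Exchange server first to build the real baseline before using it on production hosts.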

Kaspersky’s Global Research and Analysis Team (GReAT) further concluded that it “discovered an account with the same username on Keybase, where the individual has shared offensive tools such as Cobalt Strike and Core Impact, as well as expressing interest in the latter on RAIDForums.”

Indicators of Compromise


PDB Paths:
C:\Users\S3crt\source\repos\ClassLibrary2\obj\Release\ExtenderControlDesigner.pdb
C:\Users\S3crt\source\repos\ClassLibrary2\obj\Release\ClassLibrary2.pdb
C:\Users\S3crt\source\repos\Shellcode_inject\Release\artifact32.pdb
C:\Users\Administrator\source\repos\Artifact\x64\Aritfact_big\Artifact.pdb

Possibly related Cobalt Strike C2:
150.109.111[.]208

Possibly related suspicious domain:
s3crt[.]biz.
