Threat actors are installing a malicious IIS web server module named “Owowa” on Microsoft Exchange Outlook Web Access (OWA) servers to steal credentials and execute commands on the server remotely.
Development of Owowa likely began in late 2020, based on the build date embedded in the binary and on when the sample was uploaded to the VirusTotal malware analysis service.
Based on Kaspersky telemetry data, the most recent sample in circulation is from April 2021, targeting servers in Malaysia, Mongolia, Indonesia and the Philippines.
These systems are owned by government organizations, public transport companies and other critical entities.
Kaspersky points out that the “Owowa” targets are not limited to Southeast Asia and that they have also seen signs of infection in Europe.
An unusual backdoor
Microsoft Exchange servers are typically compromised with web shells that let malicious actors execute commands remotely on the server, but web shells are well known to defenders and are routinely hunted for.
As such, using an IIS module as a backdoor is an effective way to stay hidden. The attacker's commands travel as seemingly harmless authentication requests to OWA, so they also slip past standard network monitoring rules.
“IIS modules are not a common format for backdoors, especially in relation to typical web application threats such as web shells, and therefore can easily be missed during standard file monitoring efforts,” the Kaspersky report explains.
In addition, because the module is loaded by IIS rather than being part of Exchange's own files, the implant persists even after the Exchange software is updated, so the infection only needs to happen once.
Kaspersky notes that the actor can rely on the ProxyLogon vulnerabilities to compromise the server; these remain a problem nine months after patches were released, as many servers are still unpatched.
However, the actors did not do a perfect job with the development of Owowa: they failed to strip PDB paths from the malware executable, and the module caused server crashes in some cases.
Owowa specifically targets OWA applications on Exchange servers and is designed to record the credentials of users who successfully authenticate to the OWA login web page.
The module detects a successful login automatically by checking whether the OWA application has generated an authentication token for the request.
If this happens, Owowa stores the user’s username, password, IP address, and current timestamp and encrypts the data using RSA.
The actor can then collect the stolen data by manually sending a command to the malicious module.
Remote commands can also be used to run PowerShell on the compromised endpoint, paving the way for a range of attack possibilities.
“Cybercriminals only need to go to the OWA login page of a compromised server to enter specially crafted commands in the username and password fields,” Kaspersky explains.
“This is an effective option allowing attackers to gain a solid foothold in targeted networks by persisting inside an Exchange server.”
Detect and remove the IIS module
Administrators can use the “appcmd.exe” command-line tool or the IIS configuration tool to list all the modules loaded on an IIS server, at both the server level and the level of the OWA application.
In the cases seen by the researchers, the malicious module was registered under the name “ExtenderControlDesigner”. Any module that does not match a clean reference server of the same Exchange version should be treated as suspect, and the module's assembly should be preserved for analysis before it is removed.
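The following PowerShell script is an added example, not code from the Kaspersky report or from the article, showing how an administrator could turn the check above into a repeatable triage step. It enumerates the native (global) IIS modules and the managed modules registered both at server level and on the OWA application, flags the known Owowa name and anything that falls outside a baseline, and prints the removal command rather than running it. It assumes the WebAdministration module that ships with IIS, that OWA is hosted at "Default Web Site/owa" (the default Exchange layout), and a hypothetical allow-list of type-name prefixes; the allow-list should be built from a clean, same-version reference server rather than taken as given.

```powershell
# Added example (not from the Kaspersky report or the article).
# Assumes: WebAdministration module (installed with IIS), OWA under "Default Web Site".
Import-Module WebAdministration

$OwaPath  = 'IIS:\Sites\Default Web Site\owa'   # assumption: default Exchange layout
$KnownBad = @('ExtenderControlDesigner')         # module name reported by Kaspersky

# Hypothetical baseline of managed-module type prefixes expected on an Exchange server.
# Replace with values taken from a known-clean reference server.
$TrustedTypePrefixes = @('System.Web.', 'Microsoft.Exchange.', 'Microsoft.Web.')

function Get-SuspiciousManagedModules {
    # Managed modules are .NET types registered in IIS config; Owowa is one of these.
    param([string]$PSPath)   # omit to inspect server-level modules
    $modules = if ($PSPath) { Get-WebManagedModule -PSPath $PSPath } else { Get-WebManagedModule }
    foreach ($m in $modules) {
        $isKnownBad = $KnownBad -contains $m.Name
        $trusted = $false
        foreach ($p in $TrustedTypePrefixes) {
            if ($m.Type.StartsWith($p)) { $trusted = $true }
        }
        if ($isKnownBad -or -not $trusted) {
            [pscustomobject]@{
                Scope  = if ($PSPath) { $PSPath } else { 'server' }
                Name   = $m.Name
                Detail = $m.Type
                Reason = if ($isKnownBad) { 'known Owowa module name' } else { 'type not in baseline' }
            }
        }
    }
}

function Get-SuspiciousGlobalModules {
    # Native modules point at a DLL on disk; verify its Authenticode signature.
    foreach ($g in Get-WebGlobalModule) {
        $image = [Environment]::ExpandEnvironmentVariables($g.Image)
        $sig = if (Test-Path $image) { Get-AuthenticodeSignature -FilePath $image } else { $null }
        $ok = $sig -and $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'Microsoft'
        if (-not $ok) {
            [pscustomobject]@{
                Scope  = 'native'
                Name   = $g.Name
                Detail = $image
                Reason = 'image missing, unsigned, or not Microsoft-signed'
            }
        }
    }
}

$findings = @(Get-SuspiciousGlobalModules) +
            @(Get-SuspiciousManagedModules) +
            @(Get-SuspiciousManagedModules -PSPath $OwaPath)

if ($findings.Count -eq 0) {
    Write-Host 'No modules outside the baseline were found.'
} else {
    $findings | Format-Table -AutoSize
    # Do not remove automatically: capture the assembly for forensics first, then run
    # the printed command (Remove-WebGlobalModule for native modules).
    foreach ($f in $findings | Where-Object { $KnownBad -contains $_.Name }) {
        Write-Host "To remove after evidence capture: Remove-WebManagedModule -Name '$($f.Name)' -PSPath '$($f.Scope)'"
    }
}
```

The same listing can be produced from cmd.exe with `%windir%\system32\inetsrv\appcmd.exe list modules` for the server level and `appcmd.exe list modules /app.name:"Default Web Site/owa"` for the OWA application. The signature check is only a heuristic for native modules; for managed modules there is no image path to verify, which is why the script compares the .NET type name against a baseline instead.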
Although the researchers were led to an account on the RaidForums hacking forum during their investigation, attribution confidence remains low, and there are no overlaps with known threat actors.
In addition, the sloppiness in the module's development points to an unsophisticated actor, which does not fit the scope of the targeting, which includes government entities.
In summary, this is another reminder of the importance of regularly checking your IIS modules, looking for signs of lateral movement in your network, and maintaining the security protections of your endpoints.