
Owowa, a malicious IIS Server module used to steal Microsoft Exchange credentials

Threat actors are using a malicious Internet Information Services (IIS) Server module, dubbed Owowa, to steal Microsoft Exchange credentials.

Kaspersky researchers observed threat actors deploying a previously undocumented binary, an Internet Information Services (IIS) web server module dubbed “Owowa,” on Microsoft Exchange Outlook Web Access servers to steal credentials and execute commands remotely.

“Owowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange’s Outlook Web Access (OWA),” reads the analysis published by Kaspersky. “When loaded this way, Owowa will steal credentials that are entered by any user in the OWA login page, and will allow a remote operator to run commands on the underlying server.”

Attackers designed the Owowa module to inspect HTTP requests and responses by hooking the PreSendRequestContent event.

Once a user has successfully authenticated on the OWA login page, the Owowa module captures their credentials. The module was most likely compiled between late 2020 and April 2021.

The module verifies the successful authentication by checking that the OWA application is sending an authentication token back to the user. The username, password, user’s IP address and current timestamp are stored in a file at C:\Windows\Temp\af397ef28e484961ba48646a5d38cf54.db.ses. Data are encrypted using the RSA algorithm, with a hardcoded public key stored as an XML blob:
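Because Owowa is registered like any other managed IIS module, one defensive check is to enumerate the managed module registrations in the IIS configuration and flag those outside the expected set. The Python below is an added example, not part of the Kaspersky analysis: the configuration fragment and every module and assembly name in it are constructed, and the expected namespace prefixes are an assumption to be replaced by a baseline taken from a known-clean server.

```python
import xml.etree.ElementTree as ET

# Namespace prefixes of managed modules expected on an Exchange/IIS host.
# Assumed starting point only; build the real baseline from a known-clean server.
EXPECTED_TYPE_PREFIXES = ("System.Web.", "Microsoft.Exchange.")

# Constructed fragment shaped like applicationHost.config. All names are invented;
# "PreAuthModule"/"ExtenderLib" stand in for a rogue module, not the real sample.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <modules>
      <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" preCondition="managedHandler" />
      <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
      <add name="PreAuthModule" type="ExtenderLib.PreAuthModule, ExtenderLib, Version=1.0.0.0, PublicKeyToken=null" />
    </modules>
  </system.webServer>
  <location path="Default Web Site/owa">
    <system.webServer>
      <modules>
        <add name="OwaHelper" type="Microsoft.Exchange.Example.OwaHelperModule, Microsoft.Exchange.Example" />
      </modules>
    </system.webServer>
  </location>
</configuration>"""

def managed_modules(config_xml):
    """Return (name, type) for every managed module registration, including those
    scoped to a <location>. Native modules have 'image' and no 'type', so they are skipped."""
    root = ET.fromstring(config_xml)
    return [(add.get("name"), add.get("type"))
            for modules in root.iter("modules")
            for add in modules.findall("add")
            if add.get("type")]

def unexpected_modules(config_xml, expected_prefixes=EXPECTED_TYPE_PREFIXES):
    """Return registrations whose fully qualified type is outside the expected namespaces.
    A hit is a lead for review (find the assembly, check its signature, diff against
    the baseline), not a verdict: a rogue module can mimic a trusted namespace."""
    hits = []
    for name, module_type in managed_modules(config_xml):
        type_name = module_type.split(",")[0].strip()   # drop assembly qualification
        if not type_name.startswith(expected_prefixes):
            hits.append((name, module_type))
    return hits

if __name__ == "__main__":
    for name, module_type in unexpected_modules(SAMPLE_CONFIG):
        print(f"review: module {name!r} -> {module_type}")
```

On a real host, run the same logic over %windir%\System32\inetsrv\config\applicationHost.config and the web.config files under the Exchange virtual directories, and verify each flagged assembly's Authenticode signature before drawing conclusions.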

<RSAKeyValue><Modulus>vTxV8wUJ0PoO2yu/Pm/aICbsT+nFwHXouNo623VIVMl6LY4R96a8cpMTHw92rs0foNcVJB8/SYQvL/6Ko9aOv1K3mm3Txa3Dfe6CmDjFb1wYoVJQ+wLksgd/MfMGXWK2rIuNTpUs1+UT1K+TNFSBAYTiiLAPczCmKkh6vcLO9iE=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>

The attackers can exploit the Owowa module by entering specifically crafted commands within the username and password fields in the OWA authentication page of a compromised server. Then the module will respond to these commands through the IIS server, and display the results to the operator, instead of displaying the OWA login error messages.

By inserting the string “jFuLIXpzRdateYHoVwMlfc” in the OWA username field, the operator makes the module return the encrypted credentials log, encoded in base64.

If the OWA username is Fb8v91c6tHiKsWzrulCeqO, the module deletes the content of the encrypted credentials log and returns the string OK (encrypted using RSA); if the OWA username is dEUM3jZXaDiob8BrqSy2PQO1, Owowa executes the command typed in the OWA password field using PowerShell on the compromised server, and the result of the command is encrypted and returned to the operator.
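The command channel described above gives defenders two things to look for on the Exchange host: the credential log path named in the analysis, and PowerShell being started by the IIS worker process. The Python below is an added detection example, not code from the Kaspersky report; the process-creation events are constructed, and pwsh.exe is included as an assumption for hosts with PowerShell 7.

```python
import ntpath

# Credential log path named in the Kaspersky analysis (RSA-encrypted records).
OWOWA_LOG_PATH = r"C:\Windows\Temp\af397ef28e484961ba48646a5d38cf54.db.ses"

# PowerShell host images. pwsh.exe is an assumption for PowerShell 7 installs;
# the analysis itself only says commands are run "using PowerShell".
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
IIS_WORKER = "w3wp.exe"

# Constructed process-creation events, pipe-delimited as
# timestamp|parent image|image|command line (not real telemetry).
SAMPLE_LOG = r"""
2021-04-12T09:14:02Z|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -c whoami
2021-04-12T09:14:05Z|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe
2021-04-12T09:15:10Z|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\conhost.exe|conhost.exe 0x4
"""

def parse_events(log_text):
    """Yield (timestamp, parent_image, image, cmdline) tuples, skipping malformed lines."""
    for line in log_text.strip().splitlines():
        fields = line.split("|", 3)
        if len(fields) == 4:
            yield tuple(fields)

def image_name(path):
    """Lower-cased file name of a Windows path, independent of the analyst's OS."""
    return ntpath.basename(path).lower()

def powershell_from_iis(log_text):
    """Return events where the IIS worker process launched a PowerShell host."""
    return [e for e in parse_events(log_text)
            if image_name(e[1]) == IIS_WORKER and image_name(e[2]) in POWERSHELL_IMAGES]

def owowa_log_present(paths_on_host):
    """True if the known credential log path appears in a file listing taken from the host."""
    return any(p.lower() == OWOWA_LOG_PATH.lower() for p in paths_on_host)

if __name__ == "__main__":
    for ts, parent, image, cmdline in powershell_from_iis(SAMPLE_LOG):
        print(f"{ts} {image_name(parent)} -> {image_name(image)}: {cmdline}")
```

If a module hosts PowerShell in-process through the System.Management.Automation assembly, no child process is created, so the process-tree rule should be paired with an inventory of assemblies loaded into w3wp.exe; the credential log path is the more deterministic indicator.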

Most of the victims were government organizations in Malaysia, Mongolia, Indonesia, and the Philippines.

Kaspersky was not able to link Owowa to any known threat actor, due to the lack of data regarding the deployment of the module.

“The malicious module described in this post represents an effective option for attackers to gain a strong foothold in targeted networks by persisting inside an Exchange server,” concludes the analysis. “The operators behind Owowa demonstrated an interest in government organizations in Asia and specifically South-East Asia. Such targeting may fit a threat actor seeking to gather intelligence on ASEAN’s agenda and member states’ foreign policies. However, the practices exhibited by what is likely an inexperienced developer don’t appear to correspond with such strategic targeting.”


Pierluigi Paganini
