Malicious actors are deploying a previously undiscovered binary, an Internet Information Services (IIS) webserver module dubbed “Owowa,” on Microsoft Exchange Outlook Web Access servers with the goal of stealing credentials and enabling remote command execution.
Owowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange’s Outlook Web Access (OWA), Kaspersky researchers Paul Rascagneres and Pierre Delcher said. When loaded this way, Owowa steals the credentials that any user enters on the OWA login page, and allows a remote operator to run commands on the underlying server.
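Because a rogue module of this kind only works once it is registered in the IIS configuration, one defensive check is to inventory every module registration on an Exchange server and compare it against a known-good baseline. The following Python triage script is an added example, not code from Kaspersky or from the original report: it parses an IIS `applicationHost.config` (or a site `web.config`), lists native modules (`<globalModules>`, referenced by DLL `image`) and managed modules (`<modules>`, referenced by .NET `type`), and flags anything whose name is not on the baseline or whose managed type comes from a non-Microsoft assembly. The baseline set, the sample config and the module name `EXAMPLE_RogueModule` are all constructed for this example; a real baseline should be captured from a clean reference server.

```python
"""Triage helper: list IIS module registrations and flag entries that are not
on a known-good baseline. Added example for illustration; the baseline below
is illustrative and must be replaced with one taken from a clean server."""
import sys
import xml.etree.ElementTree as ET

# Illustrative baseline (assumption): module names normally present on an
# IIS/Exchange host. Real deployments differ; build this from a clean host.
KNOWN_MODULES = {
    "StaticFileModule", "DefaultDocumentModule", "AnonymousAuthenticationModule",
    "WindowsAuthenticationModule", "RequestFilteringModule", "HttpLoggingModule",
    "ManagedEngine64", "ManagedEngineV4.0_32bit", "ManagedEngineV4.0_64bit",
    "IsapiModule", "UrlAuthorizationModule", "OutputCache", "Session",
}

# Constructed sample of an applicationHost.config fragment. The last entry is a
# made-up managed module registration of the kind a credential-stealing IIS
# module would need; it is not Owowa's real name.
SAMPLE_APPHOST_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="ManagedEngine64" image="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll" />
    </globalModules>
    <modules>
      <add name="StaticFileModule" />
      <add name="EXAMPLE_RogueModule" type="Rogue.HttpModule, RogueModule" />
    </modules>
  </system.webServer>
</configuration>"""


def parse_iis_modules(config_xml: str):
    """Return (scope, name, origin) for every module registration.

    scope is 'native' for <globalModules> entries (origin = DLL image path),
    'managed' for <modules> entries carrying a .NET type (origin = type string),
    and 'enable' for <modules> entries that merely enable an already
    registered native module by name."""
    root = ET.fromstring(config_xml)
    found = []
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            found.append(("native", add.get("name"), add.get("image", "")))
    for mods in root.iter("modules"):
        for add in mods.findall("add"):
            type_attr = add.get("type", "")
            scope = "managed" if type_attr else "enable"
            found.append((scope, add.get("name"), type_attr))
    return found


def suspicious_modules(config_xml: str, baseline=KNOWN_MODULES):
    """Flag registrations whose name is outside the baseline, plus managed
    modules whose assembly is not a System.* or Microsoft.* assembly.
    Each hit is a dict with the registration and the list of reasons."""
    flagged = []
    for scope, name, origin in parse_iis_modules(config_xml):
        reasons = []
        if name not in baseline:
            reasons.append("module name not in baseline")
        if scope == "managed":
            # 'Namespace.Class, AssemblyName[, Version=...]' -> AssemblyName
            assembly = origin.split(",")[1].strip() if "," in origin else origin
            if not assembly.startswith(("System.", "Microsoft.")):
                reasons.append(f"managed type from non-Microsoft assembly '{assembly}'")
        if reasons:
            flagged.append({"scope": scope, "name": name,
                            "origin": origin, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    # Usage: python iis_module_triage.py [path\to\applicationHost.config]
    # Without an argument the constructed sample above is analysed.
    xml_text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_APPHOST_CONFIG
    for hit in suspicious_modules(xml_text):
        print(f"[{hit['scope']}] {hit['name']} ({hit['origin']}): {'; '.join(hit['reasons'])}")
```

On the constructed sample the script reports only `EXAMPLE_RogueModule`, for both reasons. Two points the heuristic deliberately does not cover: a module registered under a baseline name but backed by a replaced DLL (compare file hashes or Authenticode signatures of the `image` paths separately), and registrations living in a site-level `web.config` rather than `applicationHost.config`, which is why the script accepts any config file path.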
The idea that a rogue IIS module can be fashioned as a backdoor is not new. In August 2021, Slovak cybersecurity company ESET’s study of the IIS landscape revealed as many as 14 malware families that were developed as native IIS modules in an attempt to intercept HTTP traffic and remotely commandeer the compromised computers.