Microsoft Servers have been the target of multiple, large-scale cybercrime attacks in 2021. One of the latest campaigns involves the deployment of a malicious IIS add-on, which is classified as malware called Owowa. This maliciously designed component of the Internet Information Services (IIS) is able to execute phishing attacks, and run remote commands on the compromised server. Of course, it is important to include that the Owowa Malware is not easy to plant on servers – criminals still need to find a way to deliver the malicious add-on, and get a user with elevated permissions to run it.
Owowa Malware was First Compiled in 2020
One of the surprising findings about the Owowa Malware is the fact that some of the payloads were first compiled in 2020, which means that this malware maybe worked undetected for a very long period of time. The scope of the Owowa Malware attack is not clear yet, but it is possible that thousands of Microsoft Exchange servers may have been compromised with the use of this malware.
One of the components that this malware goes after in particular is the Outlook Web Access (OWA) found on most Microsoft Exchange servers. It is responsible for handling login requests for Outlook, which explains how the criminals would abuse the malicious implant in order to harvest login credentials.
Owowa Malware Operators Use a Peculiar Method to Command the Implant
The way that the Owowa Malware runs remote commands is also very innovative. The criminals use the login page of the compromised OWA page in order to provide the commands in the username and password files. By entering specific strings, the criminals are able to command the Owowa Malware to:
- Return stolen login credentials in a base64-encoded format.
- Clear the log of stolen credentials stored on the compromised server.
- Execute a PowerShell command submitted via the password field.
A major fraction of Owowa Malware’s victims appear to be in Malaysia, Mongolia, Indonesia, and the Philippines. However, it is likely that there are many other organizations and enterprises that have had their servers compromised by this attack. Administrators can protect their Microsoft Exchange servers with the use of up-to-date antivirus tools, and implementing proper security policies.
The post Owowa Malware Discovered on Microsoft Exchange IIS Servers appeared first on Cyclonis.
This content was originally published here.