Security News > 2021 > December > Hackers Using Malicious IIS Server Module to Steal Microsoft Exchange Credentials

Malicious actors are deploying a previously undiscovered binary, an Internet Information Services webserver module dubbed "Owowa," on Microsoft Exchange Outlook Web Access servers with the goal of stealing credentials and enabling remote command execution.
"Owowa is a C#-developed.NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange's Outlook Web Access," Kaspersky researchers Paul Rascagneres and Pierre Delcher said.
In August 2021, Slovak cybersecurity company ESET's study of the IIS landscape revealed as many as 14 malware families that were developed as native IIS modules in an attempt to intercept HTTP traffic and remotely commandeer the compromised computers.
As a persistent component on the compromised system, Owawa is engineered to capture the credentials of users who are successfully authenticated on the OWA authentication web page.
The Russian security firm said it detected a cluster of targets with compromised servers located in Malaysia, Mongolia, Indonesia, and the Philippines that primarily belong to government organizations, with the exception of one server that's attached to a government-owned transportation company.
"The malicious module [] represents an effective option for attackers to gain a strong foothold in targeted networks by persisting inside an Exchange server."
News URL
https://thehackernews.com/2021/12/hackers-using-malicious-iis-server.html
Related news
- Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers (source)
- Hackers spoof Microsoft ADFS login pages to steal credentials (source)
- Attackers compromise IIS servers by leveraging exposed ASP.NET machine keys (source)
- DragonRank Exploits IIS Servers with BadIIS Malware for SEO Fraud and Gambling Redirects (source)
- Microsoft: Russian-Linked Hackers Using 'Device Code Phishing' to Hijack Accounts (source)
- Microsoft fixes bug causing Windows Server 2025 boot errors (source)
- Microsoft: Hackers steal emails in device code phishing attacks (source)
- Chinese hackers abuse Microsoft APP-v tool to evade antivirus (source)
- Microsoft's End of Support for Exchange 2016 and 2019: What IT Teams Must Do Now (source)
- Hackers pose as employers to steal crypto, login credentials (source)