Owowa Malware Discovered on Microsoft Exchange IIS Servers

Microsoft servers have been the target of multiple large-scale cybercrime attacks in 2021. One of the latest campaigns involves the deployment of a malicious IIS add-on, classified as malware called Owowa. This maliciously designed component of Internet Information Services (IIS) is able to execute phishing attacks and run remote commands on the compromised server. It is important to note that the Owowa Malware is not easy to plant on servers: criminals still need to find a way to deliver the malicious add-on and get a user with elevated permissions to run it.

Owowa Malware was First Compiled in 2020

One of the surprising findings about the Owowa Malware is the fact that some of the payloads were first compiled in 2020, which means that this malware may have operated undetected for a very long period of time. The scope of the Owowa Malware attack is not clear yet, but it is possible that thousands of Microsoft Exchange servers have been compromised with the use of this malware.

One of the components that this malware goes after in particular is Outlook Web Access (OWA), found on most Microsoft Exchange servers. It is responsible for handling login requests for Outlook, which explains how the criminals abuse the malicious implant in order to harvest login credentials.

Owowa Malware Operators Use a Peculiar Method to Command the Implant

The way that the Owowa Malware runs remote commands is also very innovative. The criminals use the login page of the compromised OWA instance to provide the commands in the username and password fields. By entering specific strings, the criminals are able to command the Owowa Malware to:

  • Return stolen login credentials in a base64-encoded format.
  • Clear the log of stolen credentials stored on the compromised server.
  • Execute a PowerShell command submitted via the password field.

A major fraction of Owowa Malware's victims appear to be in Malaysia, Mongolia, Indonesia, and the Philippines. However, it is likely that many other organizations and enterprises have had their servers compromised by this attack. Administrators can protect their Microsoft Exchange servers by using up-to-date antivirus tools and implementing proper security policies.
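Because Owowa is delivered as an IIS add-on, one practical check an administrator can add to the "proper security policies" above is to inventory the HTTP modules IIS has loaded on the Exchange server and compare them against a baseline taken from a known-good build. The PowerShell below is an added example written for this article, not code from the original post or from any vendor: it assumes the WebAdministration module is available (IIS on Windows Server), an elevated session, that OWA lives under `Default Web Site\owa`, and that the two baseline lists are placeholders you replace with an export from a clean server.

```powershell
# Added example (not part of the original article): list IIS modules that are
# not on a known-good baseline. Native (global) modules carry a DLL path, so
# their Authenticode signature is checked too; managed (.NET) modules are
# compared by registered type name.
Import-Module WebAdministration -ErrorAction Stop

# ASSUMPTION: placeholder baseline of native module names exported from a
# clean server with: Get-WebGlobalModule | Select-Object -ExpandProperty Name
$KnownGlobalModules = @(
    'StaticCompressionModule', 'DefaultDocumentModule', 'ManagedEngineV4.0_64bit'
)

# ASSUMPTION: placeholder baseline of managed module types under /owa, exported
# from a clean server with the same Get-WebConfiguration call used below.
$KnownOwaModuleTypes = @(
    'Microsoft.Exchange.HttpProxy.ProxyModule'
)

function Get-UnexpectedGlobalModules {
    foreach ($m in Get-WebGlobalModule) {
        if ($KnownGlobalModules -notcontains $m.Name) {
            $image = [Environment]::ExpandEnvironmentVariables($m.Image)
            $sig = if (Test-Path $image) {
                (Get-AuthenticodeSignature -FilePath $image).Status
            } else {
                'FileMissing'
            }
            [pscustomobject]@{
                Scope     = 'Global'
                Name      = $m.Name
                Location  = $image
                Signature = $sig
            }
        }
    }
}

function Get-UnexpectedOwaModules {
    # ASSUMPTION: site and application path of OWA on this server.
    param([string]$OwaPath = 'IIS:\Sites\Default Web Site\owa')
    # Managed modules are registered per application in <system.webServer><modules>;
    # entries inherited from applicationHost.config are returned as well.
    $mods = Get-WebConfiguration -Filter 'system.webServer/modules/add' -PSPath $OwaPath
    foreach ($m in $mods) {
        if ($m.type -and ($KnownOwaModuleTypes -notcontains $m.type)) {
            [pscustomobject]@{
                Scope     = 'owa'
                Name      = $m.name
                Location  = $m.type
                Signature = 'n/a (managed type)'
            }
        }
    }
}

$findings = @(Get-UnexpectedGlobalModules) + @(Get-UnexpectedOwaModules)
if ($findings.Count -eq 0) {
    Write-Host 'No IIS modules found outside the baseline.'
} else {
    Write-Host 'IIS modules not on the baseline (review each one):'
    $findings | Format-Table -AutoSize
}
```

Run it on a schedule and diff the output against the previous run; any module whose name, type or image path is new, whose DLL is unsigned, or whose signature status is not `Valid` is worth a manual look before assuming it is benign. Capture the baseline lists with the same cmdlets on a freshly built server so that inherited module entries are accounted for.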

December 15, 2021
