IIS Extensible Web Server Used to Steal Microsoft Exchange Credentials

Cybercriminals are installing a new malicious add-on for the IIS web server on Microsoft Exchange Outlook Web Access (OWA) servers to collect login credentials and remotely execute commands on the server. The malicious IIS add-on is called ‘Owowa’ and, according to researchers, it could be extremely dangerous.

Based on data submitted to VirusTotal, the file and URL analysis service, it seems that Owowa’s development began in late 2020.

According to Kaspersky’s telemetry data, the most recent sample in circulation dates from April 2021 and targets servers in Malaysia, Mongolia, Indonesia, and the Philippines.

The systems targeted by this malicious IIS web server software belong to government entities and state agencies.

Signs of Owowa in Europe

According to Kaspersky researchers, Owowa’s targets aren’t confined to Southeast Asia; infections have been detected in Europe as well.


Web shells, which enable cybercriminals to execute commands remotely on a server, are frequently used against Microsoft Exchange servers, and they are typically the focus of defenders.

This is why employing an IIS module as a backdoor is a great strategy to remain anonymous. Hackers can send apparently harmless authentication requests to OWA and also elude typical

Read More: https://heimdalsecurity.com/blog/iis-extensible-web-server-used-to-steal-microsoft-exchange-credentials/