“Owowa” stealthily lurks on IIS servers, waiting to harvest successful logins when an Outlook Web Access (OWA) authentication request is made.
Researchers have uncovered a previously unknown malicious IIS module, dubbed Owowa, that steals credentials when users log into Microsoft Outlook Web Access (OWA).
Internet Information Services (IIS), Microsoft’s web server/web-hosting software suite, can be extended via various add-ons that are known as modules.
Like plugins for WordPress or Chrome extensions, IIS modules offer an attractive way to side-load malicious features into web-facing applications. In this case, Owowa infects Exchange servers, exposing Exchange’s OWA function. Beyond credential theft, it allows remote attackers to run commands on the underlying server and to establish a foothold for access to the broader network, researchers warned.
“[It] allows the attackers to steal login credentials for Outlook Web Access and gain remote access control to the underlying server,” according to researchers at Kaspersky, in a Tuesday writeup. “Its malicious capabilities can easily be launched by sending seemingly innocuous requests – in this case, OWA authentication requests.”
The module is also stealthy and difficult to detect, and it offers persistence even in the face of software updates from Exchange, according to Pierre