Researchers have discovered Owowa, a previously unknown malicious IIS module that collects credentials when users log in to Microsoft Outlook Web Access (OWA).
Internet Information Services (IIS), Microsoft’s web server/web-hosting software package, may be supplemented by a variety of add-ons known as modules.
IIS modules, like WordPress plugins or Chrome extensions, provide an appealing mechanism for side-loading malicious functionality into web-facing applications. In this case, Owowa targets Exchange servers, specifically Exchange’s OWA feature. Researchers cautioned that, in addition to credential theft, it allows remote attackers to run commands on the underlying system and establish a foothold for access to the wider network.
“[It] allows the attackers to steal login credentials for Outlook Web Access and gain remote access control to the underlying server,” according to researchers at Kaspersky, in a Tuesday writeup. “Its malicious capabilities can easily be launched by sending seemingly innocuous requests – in this case, OWA authentication requests.”
According to Pierre Delcher, senior security researcher with Kaspersky’s Global Research and Analysis Team (GReAT), the module is also stealthy and hard to detect, and it persists even across Exchange updates.
“The particular danger with Owowa is that an attacker can use the module to passively steal credentials from users who are legitimately accessing web services,” he explained. “This is a far stealthier way to gain remote access than sending phishing emails. In addition, while IIS configuration tools can be leveraged to detect such threats, they are not part of standard file and network monitoring activities, so Owowa might be easily overlooked by security tools.”
According to the analysts, the malicious module can be loaded by an attacker who has already gained initial access to the environment (for example, by exploiting the ProxyLogon or ProxyShell vulnerabilities).
“The module is first registered in the global assembly cache, and can then be loaded by the IIS server that is running the OWA application,” as per Kaspersky.
According to Kaspersky, once loaded, the module monitors HTTP requests and responses for OWA traffic by hooking the “PreSendRequestContent” event. When an OWA authentication request is received, it springs into action, first confirming that the login was successful by checking that the OWA application is returning an authentication token to the client. If so, the username, password, client IP address and current timestamp are saved in a folder, encrypted using RSA.
According to Kaspersky’s investigation, the operators can interact with Owowa and retrieve the collected credentials by typing specially crafted instructions – explained below – into the username and password fields of the compromised server’s OWA login page.
- If the OWA username is jFuLIXpzRdateYHoVwMlfc, Owowa returns the base64-encoded, encrypted credentials log.
- If the OWA username is Fb8v91c6tHiKsWzrulCeqO, the malicious module deletes the encrypted credentials log and returns the string OK (encrypted with RSA).
- If the OWA username is dEUM3jZXaDiob8BrqSy2PQO1, Owowa uses PowerShell on the compromised server to execute the command typed into the OWA password field. The command’s output is encrypted (as described above) and returned to the operator.
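The registration step described above (a .NET assembly placed in the global assembly cache and then registered as an IIS module) is also what a defender can audit. The following Python script is an added illustration, not code from Kaspersky or from this article: it parses the `<system.webServer><modules>` section of an applicationHost.config (or a site’s web.config), lists every managed module, and flags any whose name is missing from a baseline or whose assembly is not signed with one of Microsoft’s framework public key tokens. The sample configuration, the baseline names and the `ExtensibleMembership`/`ExampleNs` entry are constructed for the example; the three public key tokens are the well-known Microsoft ones.

```python
"""Audit the managed HTTP modules registered in an IIS configuration.

A managed (.NET) module is registered under <system.webServer><modules>, either
in the server-wide applicationHost.config or in a site/application web.config.
This script lists every such registration and flags entries that are not in a
baseline or whose assembly is not signed with a Microsoft public key token.
"""
import sys
import xml.etree.ElementTree as ET

# Well-known public key tokens Microsoft uses for .NET framework assemblies.
MICROSOFT_PUBLIC_KEY_TOKENS = {"b77a5c561934e089", "b03f5f7f11d50a3a", "31bf3856ad364e35"}

# Constructed baseline: module names an administrator expects on this server.
BASELINE_MODULE_NAMES = {"StaticFileModule", "OutputCache", "Session", "FormsAuthentication"}

# Constructed sample configuration: one legitimate managed module and one
# hypothetical extra module registered from a non-Microsoft assembly.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
    </globalModules>
    <modules>
      <add name="StaticFileModule" lockItem="true" />
      <add name="OutputCache" type="System.Web.Caching.OutputCacheModule, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" preCondition="managedHandler" />
      <add name="ExtensibleMembership" type="ExampleNs.ExampleModule, ExampleNs, Version=1.0.0.0, Culture=neutral, PublicKeyToken=deadbeefcafe0001" preCondition="managedHandler" />
    </modules>
  </system.webServer>
</configuration>
"""


def _child(elem, tag):
    """Return the first direct child with the given tag. Tags such as
    'system.webServer' contain a dot, so plain iteration is used instead of
    ElementTree path syntax."""
    for c in elem:
        if c.tag == tag:
            return c
    return None


def parse_managed_modules(config_xml):
    """Return one dict per managed module registered under
    <system.webServer><modules>. Entries without a 'type' attribute refer to
    native modules listed in <globalModules> and are skipped here."""
    root = ET.fromstring(config_xml)
    web_server = _child(root, "system.webServer")
    modules = _child(web_server, "modules") if web_server is not None else None
    result = []
    if modules is None:
        return result
    for add in modules:
        if add.tag != "add" or not add.get("type"):
            continue
        # type="Namespace.Class, Assembly, Version=..., Culture=..., PublicKeyToken=..."
        parts = [p.strip() for p in add.get("type").split(",")]
        entry = {
            "name": add.get("name", ""),
            "class": parts[0],
            "assembly": parts[1] if len(parts) > 1 else "",
            "public_key_token": None,
        }
        for p in parts[2:]:
            key, _, value = p.partition("=")
            if key.strip().lower() == "publickeytoken":
                entry["public_key_token"] = value.strip().lower()
        result.append(entry)
    return result


def audit_modules(modules, baseline_names=BASELINE_MODULE_NAMES):
    """Return (name, assembly, reasons) for every module that deserves a look.
    Both checks are heuristics: a non-Microsoft token proves nothing on its own,
    but every managed module you did not deploy yourself should be explained."""
    findings = []
    for m in modules:
        reasons = []
        if m["name"] not in baseline_names:
            reasons.append("module name not in baseline")
        if m["public_key_token"] not in MICROSOFT_PUBLIC_KEY_TOKENS:
            reasons.append("assembly not signed with a Microsoft public key token")
        if reasons:
            findings.append((m["name"], m["assembly"], reasons))
    return findings


def main(argv):
    # With a path argument (e.g. %windir%\System32\inetsrv\config\applicationHost.config)
    # audit that file; with no argument, audit the constructed sample above.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8-sig") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_CONFIG
    for name, assembly, reasons in audit_modules(parse_managed_modules(xml_text)):
        print(f"SUSPECT module {name!r} from assembly {assembly!r}: {'; '.join(reasons)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments to see the constructed sample flagged; point it at a real applicationHost.config and at each OWA-related web.config to audit a server. The same listing is available from IIS’s own tooling (`appcmd list modules`, or `Get-WebManagedModule` from the WebAdministration PowerShell module), and a full review should also enumerate the assemblies present in the global assembly cache, since that is where the module itself is staged.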
Tracking Owowa’s Development
Researchers found that Owowa was compiled between late 2020 and April 2021, roughly the same period in which the previously mentioned ProxyLogon set of four critical security flaws in Microsoft Exchange servers was disclosed, allowing attackers to access e-mails and execute arbitrary code. Since then, the module has been used to target victims in the public and government sector in Malaysia, Indonesia, the Philippines and Mongolia, including a state transportation company. Researchers believe there are victims in Europe as well.
Apart from the presence of the username “S3crt” in the code, Kaspersky researchers were unable to link Owowa to any specific threat actor. According to the analysts, the moniker is associated with the development of other malicious binary loaders. The handle, however, could easily be used by multiple people. It is also the username of a RaidForums account that specialises in Core Impact, a well-known penetration-testing software package.
Whatever the situation with S3crt, the operator, despite the victimology and evident espionage purpose, is unlikely to be an advanced persistent threat (APT), according to the research. This is because of certain beginner mistakes in the development.
For example, the developers ignored explicit Microsoft warnings about several dangerous HTTP module development practices that can cause server crashes (and thereby alert administrators to Owowa’s presence). They also left critical information about the development environment visible in the publicly available samples, which is useful for finding links to further samples or online profiles.
“The good news is the attackers don’t appear highly sophisticated,” said Paul Rascagneres, senior security researcher with Kaspersky’s GReAT. “Companies should closely monitor Exchange servers since they are highly sensitive and contain all corporate emails. We also recommend considering all running modules as critical and checking them regularly.”