Malicious actors are deploying a previously undiscovered binary, an Internet Information Services (IIS) web server module dubbed "Owowa," on Microsoft Exchange Outlook Web Access servers with the goal of stealing credentials and enabling remote command execution.
"Owowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange's Outlook Web Access (OWA)," Kaspersky researchers Paul Rascagneres and Pierre Delcher said. "When loaded this way, Owowa will steal credentials that are entered by any user in the OWA login page, and will allow a remote operator to run commands on the underlying server."
The idea that a rogue IIS module can be fashioned into a backdoor is not new. In August 2021, Slovak cybersecurity firm ESET's study of the IIS landscape revealed as many as 14 malware families that were being developed as native IIS modules in an attempt to intercept HTTP traffic and remotely commandeer the compromised machines.
As a persistent component on the compromised system, Owowa is engineered to capture the credentials of users who successfully authenticate on the OWA login page. Exploitation can then be carried out by sending "seemingly innocuous requests" to the exposed web services, entering specifically crafted commands in the username and password fields of the OWA login page of a compromised server.
Specifically, if the OWA username is "jFuLIXpzRdateYHoVwMlfc," Owowa responds with the encrypted credentials. If the username, on the other hand, is "dEUM3jZXaDiob8BrqSy2PQO1", the PowerShell command typed in the OWA password field is executed, and the results are sent back to the attacker.
The Russian security firm said it detected a cluster of targets with compromised servers located in Malaysia, Mongolia, Indonesia, and the Philippines that mostly belong to government organizations, with the exception of one server that is linked to a government-owned transportation company. That said, additional organizations in Europe are believed to have been victimized by the actor as well.
Although no links have been unearthed between the Owowa operators and other publicly documented hacking groups, a username "S3crt" (read "secret") that was found embedded in the source code of the identified samples has yielded additional malware executables that are likely the work of the same developer. Chief among them are a number of binaries designed to execute an embedded shellcode, load next-stage malware retrieved from a remote server, and trigger the execution of Cobalt Strike payloads.
Kaspersky's Global Research and Analysis Team (GReAT) also said it identified an account with the same username on Keybase, where the individual has shared offensive tools such as Cobalt Strike and Core Impact, in addition to showing an interest in the latter on RAIDForums.
"IIS modules are not a popular format for backdoors, especially when compared to typical web application threats like web shells, and can therefore easily be missed during standard file monitoring efforts," Rascagneres and Delcher said. "The malicious module […] represents an effective option for attackers to gain a strong foothold in targeted networks by persisting inside an Exchange server."
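Because a managed IIS module such as Owowa is registered in the IIS configuration rather than dropped as a web shell, one practical defensive check is to inventory the managed modules registered for the OWA application and compare them against a known-good baseline. The following Python script is an added example (not code from the article or from Kaspersky's report); the configuration fragment, the baseline, and the module name "ExampleSuspiciousModule" are all constructed placeholders.

```python
"""Inventory managed IIS modules from an IIS config and flag entries missing
from a known-good baseline. The config and baseline below are constructed."""
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment: the first two entries mimic
# typical built-in managed modules, the third is a placeholder for an
# unexpected module registered in the OWA application.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <location path="Default Web Site/owa">
    <system.webServer>
      <modules>
        <add name="Session" type="System.Web.SessionState.SessionStateModule" />
        <add name="FormsAuthentication"
             type="System.Web.Security.FormsAuthenticationModule" />
        <add name="ExampleSuspiciousModule"
             type="ExampleNamespace.ExampleModule, ExampleAssembly" />
      </modules>
    </system.webServer>
  </location>
</configuration>"""

# Baseline (name, fully qualified type) pairs captured from a clean reference
# host. Constructed here; record yours from a known-good server.
BASELINE = {
    ("Session", "System.Web.SessionState.SessionStateModule"),
    ("FormsAuthentication", "System.Web.Security.FormsAuthenticationModule"),
}

def managed_modules(config_xml):
    """Return (location path, name, type) for every managed <add> under
    <modules>. Managed modules carry a 'type' attribute; native modules are
    registered under <globalModules> with an 'image' attribute instead."""
    root = ET.fromstring(config_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    found = []
    for mods in root.iter("modules"):
        node, path = mods, "(global)"          # walk up to the enclosing <location>
        while node is not None:
            if node.tag == "location":
                path = node.get("path", "")
                break
            node = parents.get(node)
        for add in mods.findall("add"):
            if add.get("type"):
                found.append((path, add.get("name"), add.get("type")))
    return found

def unexpected_modules(config_xml, baseline=BASELINE):
    """Modules whose (name, type) pair is absent from the baseline; each one
    should be reviewed and its assembly inspected before being trusted."""
    return [m for m in managed_modules(config_xml) if (m[1], m[2]) not in baseline]

if __name__ == "__main__":
    for path, name, typ in unexpected_modules(SAMPLE_CONFIG):
        print(f"[{path}] unexpected managed module {name!r} -> {typ}")
```

On a live server the same parser can be pointed at `%SystemRoot%\System32\inetsrv\config\applicationHost.config` and the OWA application's `web.config`; anything flagged is a lead to investigate, not proof of compromise.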
Some parts of this article are sourced from: thehackernews.com