Hackers Using Malicious IIS Server Module to Steal Microsoft Exchange Credentials
Malicious actors are deploying a previously undiscovered binary, an Internet Information Services (IIS) web server module dubbed "Owowa," on Microsoft Exchange Outlook Web Access servers with the goal of stealing credentials and enabling remote command execution.
"Owowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange's Outlook Web Access (OWA)," Kaspersky researchers Paul Rascagneres and Pierre Delcher said. "When loaded this way, Owowa will steal credentials that are entered by any user in the OWA login page, and will allow a remote operator to run commands on the underlying server."
The idea that a rogue IIS module can be fashioned into a backdoor is not new. In August 2021, an exhaustive study of the IIS threat landscape by Slovak cybersecurity firm ESET revealed as many as 14 malware families that had been developed as native IIS modules in an attempt to intercept HTTP traffic and remotely commandeer the compromised machines.
As a persistent component on the compromised system, Owowa is engineered to capture the credentials of users who successfully authenticate on the OWA login page. The operator can then interact with the implant by sending "seemingly innocuous requests" to the exposed web services: specially crafted values entered in the username and password fields of the OWA login page of a compromised server act as commands.
Specifically, if the OWA username is "jFuLIXpzRdateYHoVwMlfc," Owowa responds with the encrypted credentials it has collected. If the username is instead "dEUM3jZXaDiob8BrqSy2PQO1", the PowerShell command typed into the OWA password field is executed and its output is returned to the attacker.
The Russian security firm said it detected a cluster of targets with compromised servers located in Malaysia, Mongolia, Indonesia, and the Philippines, primarily belonging to government organizations, with the exception of one server attached to a government-owned transportation company. Additional organizations in Europe are believed to have been victimized by the actor as well.
Although no links have been unearthed between the Owowa operators and other publicly documented hacking groups, a username "S3crt" (read "secret") found embedded in the source code of the identified samples has led to additional malware executables that are likely the work of the same developer. Chief among them are a number of binaries designed to execute embedded shellcode, load next-stage malware retrieved from a remote server, and trigger the execution of Cobalt Strike payloads.
Kaspersky's Global Research and Analysis Team (GReAT) also said it identified an account with the same username on Keybase, where the user has shared offensive tools such as Cobalt Strike and Core Impact, in addition to demonstrating an interest in the latter on RAIDForums.
"IIS modules are not a common format for backdoors, especially when compared to typical web application threats like web shells and can therefore easily be missed during standard file monitoring efforts," Rascagneres and Delcher said. "The malicious module […] represents an effective option for attackers to gain a strong foothold in targeted networks by persisting within an Exchange server."
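Because the trigger usernames described above arrive in the POST body of the OWA login form, which IIS request logs do not record, the practical check for an implant of this kind is to enumerate what IIS actually loads for the OWA application. The script below is an added example written for this page; it is not code from Kaspersky's report or from the Owowa sample. It assumes the default Exchange layout, with OWA at `IIS:\Sites\Default Web Site\owa`, and should be run in an elevated PowerShell session on the Exchange host. It lists native (global) modules whose image on disk is not Microsoft-signed, managed .NET modules in scope for OWA whose type or assembly name does not belong to a Microsoft or System namespace, and loose DLLs in the OWA bin folder without a valid Microsoft signature.

```powershell
# Added example (not from Kaspersky's report or the Owowa sample): hunt for IIS
# modules in scope for OWA that are not Microsoft-signed or not Microsoft-owned.
# Assumption: default Exchange OWA application path; change $OwaPath otherwise.
Import-Module WebAdministration

$OwaPath = 'IIS:\Sites\Default Web Site\owa'   # assumption: default Exchange layout

function Test-MicrosoftSigned {
    param([string]$FilePath)
    if (-not (Test-Path -LiteralPath $FilePath)) { return $false }
    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

$findings = New-Object 'System.Collections.Generic.List[object]'

# 1. Native modules are registered globally and carry an Image path on disk.
foreach ($m in Get-WebGlobalModule) {
    $image = [Environment]::ExpandEnvironmentVariables($m.Image)
    if (-not (Test-MicrosoftSigned $image)) {
        $findings.Add([pscustomobject]@{
            Kind = 'Native'; Name = $m.Name; Where = $image; PreCondition = $m.PreCondition })
    }
}

# 2. Managed (.NET) modules effective for the OWA application. Type reads
#    "Namespace.Class, AssemblyName[, Version=...]" or just "Namespace.Class"
#    for types that ship in System.Web. A .NET module such as Owowa has to be
#    registered at this level or an inherited one to see OWA logins.
foreach ($m in Get-WebManagedModule -PSPath $OwaPath) {
    $parts = $m.Type -split ','
    $owner = if ($parts.Count -ge 2) { $parts[1].Trim() } else { $parts[0].Trim() }
    if ($owner -notmatch '^(Microsoft|System)(\.|$)') {
        $findings.Add([pscustomobject]@{
            Kind = 'Managed'; Name = $m.Name; Where = $m.Type; PreCondition = $m.PreCondition })
    }
}

# 3. Loose DLLs in the OWA application's bin folder that lack a valid Microsoft
#    signature, since a managed module's assembly may be dropped there instead
#    of the GAC.
$physical = [Environment]::ExpandEnvironmentVariables((Get-Item -Path $OwaPath).PhysicalPath)
Get-ChildItem -Path (Join-Path $physical 'bin') -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { -not (Test-MicrosoftSigned $_.FullName) } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Kind = 'BinDll'; Name = $_.Name; Where = $_.FullName; PreCondition = '' })
    }

if ($findings.Count -eq 0) {
    'No unsigned or non-Microsoft IIS modules found in scope for OWA.'
} else {
    $findings | Format-Table -AutoSize
}
```

Treat the managed-module list as a triage queue rather than a verdict: the namespace prefix is only a weak signal, since nothing stops an attacker from naming an assembly to look like a Microsoft one, so each flagged type should be resolved to its file in the GAC or the bin folder and have its signature checked the same way the native modules are. Comparing the output against the same script run on a known-clean Exchange server of the same build is the most reliable way to spot a single extra entry.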