
Data Stolen From Microsoft Exchange Servers

Kaspersky has identified a threat that installs malicious IIS web server modules alongside Microsoft Exchange Outlook Web Access (OWA). The modules can steal credentials and data from the affected servers and execute commands remotely.

The threat, dubbed Owowa, dates back to at least the end of 2020, when the first sample was uploaded to VirusTotal, an online file-scanning service.

It has since been updated, with the latest version dating from April 2021. According to Kaspersky, it has been used primarily in attacks on servers belonging to governments, public transport operators and other critical services in countries including Malaysia, Mongolia, Indonesia and the Philippines.

List of modules on a Microsoft Exchange server. (Image: Reproduction/Kaspersky)

What makes Owowa notable is that it is an unusual kind of attack on Microsoft Exchange servers. Such attacks are usually carried out with malicious web shells, which let the attacker run code on the platform but are exactly what antivirus products look for. IIS modules, by contrast, are a normal part of hosting configurations and receive far less scrutiny from security products, which is what allows Owowa to go unnoticed.

Moreover, this placement lets the attackers interact with the module through ordinary-looking authentication requests, without tripping the usual monitoring rules.

Finally, Kaspersky believes the implant may be connected to the ProxyLogon set of Microsoft Exchange flaws, which, although patched by Microsoft in March 2021, nine months before this report, continue to be exploited on out-of-date systems.

Powerful capabilities

Owowa is programmed to log every credential that results in successful authentication to the infected Microsoft Exchange server. It captures the client IP address, username, password and login time, encrypts the record with RSA, and lets the operators retrieve the log and execute commands on the server through the same module.

For now, Kaspersky is still working on ways to prevent these attacks, but the company states that removing the malicious module resolves the infection. A step-by-step procedure for detecting and removing it is available on Kaspersky's official website.
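Since the detection approach comes down to inventorying the IIS modules loaded for OWA (the module list shown in Kaspersky's screenshot above), here is an added PowerShell example of that triage. It is not Kaspersky's procedure or code: it lists the native and managed IIS modules that handle the OWA application, resolves each managed module to its assembly on disk, and flags anything that is not Authenticode-signed by Microsoft. It assumes the default Exchange front-end site name "Default Web Site", the OWA application at /owa, and the WebAdministration PowerShell module (IIS 7.5 or later); run it in an elevated shell on the Exchange server.

```powershell
# Added example (not Kaspersky's code): inventory the IIS modules that handle
# requests to the OWA application and flag any that are not Microsoft-signed.
# Assumptions: site "Default Web Site", application "owa", WebAdministration module.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumption: default Exchange front-end site
$appName  = 'owa'
$appPath  = "IIS:\Sites\$siteName\$appName"
$physical = [Environment]::ExpandEnvironmentVariables(
              (Get-WebApplication -Site $siteName -Name $appName).PhysicalPath)
$binDir   = Join-Path $physical 'bin'

function Test-MicrosoftSigned {
    param([string]$Path)
    # Authenticode check: a missing, unsigned or non-Microsoft file counts as untrusted.
    if (-not $Path -or -not (Test-Path $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
}

function Resolve-ManagedModuleAssembly {
    param([string]$TypeName)
    # Managed modules are registered as "Namespace.Class, Assembly, Version=..., PublicKeyToken=...".
    # Built-in entries may omit the assembly part; those live in the .NET framework itself.
    $parts = $TypeName -split ',\s*'
    if ($parts.Count -lt 2) { return $null }
    $asm = $parts[1]
    # Look in the application's bin folder first, then in both GAC roots.
    $candidates = @(Join-Path $binDir "$asm.dll")
    foreach ($gac in "$env:windir\Microsoft.NET\assembly", "$env:windir\assembly") {
        $candidates += Get-ChildItem -Path "$gac\GAC_*\$asm" -Filter "$asm.dll" -Recurse -ErrorAction SilentlyContinue |
                       Select-Object -ExpandProperty FullName
    }
    return $candidates | Where-Object { $_ -and (Test-Path $_) } | Select-Object -First 1
}

$findings = @()

# Native modules: DLLs registered globally in applicationHost.config.
foreach ($m in Get-WebGlobalModule) {
    $image = [Environment]::ExpandEnvironmentVariables($m.Image)
    $findings += [pscustomobject]@{
        Kind = 'Native'; Name = $m.Name; Source = $image
        MicrosoftSigned = Test-MicrosoftSigned $image
    }
}

# Managed (.NET) modules bound to the OWA application: this is where an
# Owowa-style IHttpModule is registered. When the assembly cannot be located
# on disk, fall back to a weak name-prefix check and say so in the output.
foreach ($m in Get-WebManagedModule -PSPath $appPath) {
    $dll = Resolve-ManagedModuleAssembly $m.Type
    $findings += [pscustomobject]@{
        Kind = 'Managed'; Name = $m.Name
        Source = if ($dll) { $dll } else { "$($m.Type) (assembly not found; prefix check only)" }
        MicrosoftSigned = if ($dll) { Test-MicrosoftSigned $dll } else { $m.Type -match '^(System|Microsoft)\.' }
    }
}

$findings | Format-Table Kind, Name, MicrosoftSigned, Source -AutoSize
$suspicious = $findings | Where-Object { -not $_.MicrosoftSigned }
if ($suspicious) {
    Write-Warning "$($suspicious.Count) module(s) not verifiably from Microsoft on ${appPath}:"
    $suspicious | Format-Table Kind, Name, Source -AutoSize
}
```

Treat the warning list as triage, not a verdict: legitimate third-party modules (endpoint protection agents, load balancer or SSO integrations) will also show up as not Microsoft-signed, and a name-prefix match on an unresolvable type proves nothing, since an attacker chooses the type name. Before removing a confirmed malicious entry with `Remove-WebManagedModule -Name <name> -PSPath $appPath`, preserve the assembly file and copies of applicationHost.config and the OWA web.config for forensics, and assume every credential submitted to that OWA instance since the module appeared is compromised.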
