Malicious Microsoft Exchange IIS Module - Owowa

Kaspersky shared intelligence of a malicious implant targeting Outlook Web Access (OWA) applications of Exchange servers dubbed "Owowa." The implant is capable of enabling remote command execution and capturing user credentials of users who successfully authenticate through OWA. The discovery of Owowa came about in late 2020 from sample submission to VirusTotal and from tracking with Kaspersky's telemetry data. Since April 2021 the malware appears to circulate through parts of Europe, Malaysia, Mongolia, Indonesia, and the Philippines. The malicious add-in module uses the name "ExtenderControlDesigner" and is loaded through a PowerShell script.