2021-12-21

Malicious Microsoft Exchange IIS Module Owowa

Industry: Government & Transportation | Level: Tactical | Source: SecureList

Kaspersky shared intelligence on a malicious implant, dubbed "Owowa," that targets the Outlook Web Access (OWA) applications of Exchange servers. The implant is capable of remote command execution and of capturing the credentials of users who successfully authenticate through OWA. Owowa was discovered in late 2020 through a sample submitted to VirusTotal and through tracking with Kaspersky's telemetry data. Since April 2021, the malware appears to have been circulating through parts of Europe, Malaysia, Mongolia, Indonesia, and the Philippines. The malicious add-in module uses the name "ExtenderControlDesigner" and is loaded through a PowerShell script.

  • Anvilogic Use Case: IIS Worker (W3WP) Spawn Command Line
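
The use case above comes down to a parent/child check on process-creation telemetry: the IIS worker process (w3wp.exe) starting a command interpreter. The following is an added example, not Anvilogic's or Kaspersky's detection content; the Sysmon-style field names, the list of shells, and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Child images treated as command interpreters (an assumption of this example).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# w3wp.exe receives its application pool name via -ap; quoted names may contain spaces.
APP_POOL = re.compile(r'-ap\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"

# Constructed events with Sysmon Event ID 1 field names; hosts and commands are made up.
SAMPLE_EVENTS = [
    {"Computer": "EXCH01", "ParentImage": W3WP,
     "ParentCommandLine": W3WP + ' -ap "MSExchangeOWAAppPool" -v "v4.0"',
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Computer": "EXCH01", "ParentImage": W3WP.upper(),
     "ParentCommandLine": W3WP + " -ap DefaultAppPool",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    # ASP.NET compiling a page: child of w3wp, but not a shell, so not flagged.
    {"Computer": "EXCH01", "ParentImage": W3WP,
     "ParentCommandLine": W3WP + ' -ap "MSExchangeOWAAppPool"',
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig"},
    # Interactive admin shell: a shell, but the parent is not the IIS worker.
    {"Computer": "EXCH01", "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]


def image_name(path):
    """Lower-cased file name of a Windows path; tolerates missing fields."""
    return ntpath.basename(path or "").lower()


def detect_w3wp_shell_spawn(events):
    """Return one alert per event where w3wp.exe is the parent of a shell."""
    alerts = []
    for ev in events:
        if image_name(ev.get("ParentImage")) != "w3wp.exe":
            continue
        child = image_name(ev.get("Image"))
        if child not in SHELLS:
            continue
        m = APP_POOL.search(ev.get("ParentCommandLine") or "")
        alerts.append({"host": ev.get("Computer"), "child": child,
                       "app_pool": (m.group(1) or m.group(2)) if m else None,
                       "command_line": ev.get("CommandLine")})
    return alerts
```

The extracted application pool tells the analyst whether the shell was started from the OWA worker or from another site on the same server.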
