Malicious Microsoft Exchange IIS Module - Owowa
Industry: Government & Transportation | Level: Tactical | Source: SecureList
Kaspersky shared intelligence on "Owowa," a malicious implant targeting Outlook Web Access (OWA) applications of Exchange servers. The implant enables remote command execution and captures the credentials of users who successfully authenticate through OWA. Owowa was discovered in late 2020 from a sample submission to VirusTotal and from tracking with Kaspersky's telemetry data. Since April 2021, the malware appears to circulate through parts of Europe, Malaysia, Mongolia, Indonesia, and the Philippines. The malicious add-in module uses the name "ExtenderControlDesigner" and is loaded through a PowerShell script.
- Anvilogic Use Case: IIS Worker (W3WP) Spawn Command Line
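
A sketch of the kind of check the use case name describes, added here as an example (it is not Anvilogic's, Kaspersky's or the original page's code): it flags process-creation events where `w3wp.exe` is the parent of a command interpreter, and any command line that mentions the module name from the report. Field names follow Sysmon Event ID 1; the interpreter list, rule names and sample events are assumptions constructed for illustration.

```python
import ntpath

# Children treated as command-line interpreters (an assumption of this example).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
MODULE_NAME = "extendercontroldesigner"  # add-in module name given in the report

def basename(image):
    """Lower-cased file name of a Windows path; tolerates quotes and None."""
    return ntpath.basename((image or "").strip().strip('"')).lower()

def classify(event):
    """Return the list of rule names that one process-creation event matches."""
    reasons = []
    parent = basename(event.get("ParentImage"))
    child = basename(event.get("Image"))
    cmdline = (event.get("CommandLine") or "").lower()
    if parent == "w3wp.exe" and child in SHELLS:
        reasons.append("w3wp_spawned_shell")
    if MODULE_NAME in cmdline:
        reasons.append("module_name_in_cmdline")
    return reasons

def detect(events):
    """Return (event, reasons) pairs for every event that matched a rule."""
    return [(ev, r) for ev in events if (r := classify(ev))]

# Constructed sample events, not taken from any real incident.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"c:\windows\system32\inetsrv\W3WP.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command hostname"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "w3wp.exe -ap MSExchangeOWAAppPool"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Temp\sample.ps1 ExtenderControlDesigner"},
]

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(reasons, ev["CommandLine"])
```

Legitimate administration tooling can also cause `w3wp.exe` to start an interpreter on some servers, so a match is a lead to triage against the host's baseline rather than a verdict.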