Owowa Malware

Owowa Malware Description

Owowa is a malicious IIS module targeting Microsoft Exchange servers that expose Outlook Web Access (OWA). It was identified in 2020, when researchers analyzed a previously unknown binary that turned out to be an IIS module. The malware is a .NET assembly written in C#, and its purpose is to steal the credentials that users enter on the OWA login page and to let a remote operator run commands on the underlying server. Because IIS loads the module every time the web server starts, Owowa gives attackers a durable foothold on the Exchange server and, through it, in the targeted network.

So far, several compromised servers have been identified in Asia. Most of them belong to government organizations; one belongs to a government-owned transportation company.

Owowa is clearly intended to be loaded as a module within an IIS server: the only relevant code is located in the class ExtenderControlDesigner, which implements the IIS-specific IHttpModule interface. Specifically, Owowa inspects HTTP requests and responses by hooking the event raised when an IIS web application is about to send content to the client (PreSendRequestContent). Because the module sees both the login request and the server's response to it, it can tell whether a login succeeded, which is what lets it collect the credentials of users who successfully authenticate on the OWA web page rather than every attempt.
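A module like this has to be registered in the IIS configuration before it is loaded, so one practical check is to review the managed-module registrations in an exported applicationHost.config or web.config. The following is an added example, not code from the Owowa write-up or from Kaspersky: it parses such a file and flags managed modules whose type is not in a Microsoft namespace or whose assembly is not strong-named. The config fragment, the module names and the namespace allowlist are constructed for the example; the `ExtenderControlDesigner` entry mirrors the class name from the report but its registration details are hypothetical.

```python
"""Offline triage of IIS module registrations for rogue managed HttpModules.

Added example, not code from the Owowa write-up. Parses an exported
applicationHost.config or web.config and flags managed modules whose
type does not come from a Microsoft namespace or whose assembly is not
strong-named. Module names, types and the config fragment are constructed.
"""
import xml.etree.ElementTree as ET

# Assumption: legitimate managed modules on an Exchange/OWA server live in
# these namespaces. Treat this as a starting allowlist, not ground truth.
KNOWN_PREFIXES = ("System.", "Microsoft.")

# Constructed config fragment. The last two entries are hypothetical
# registrations of the kind a malicious IHttpModule would need.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <modules>
      <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
      <add name="RequestFilteringModule" />
      <add name="ExtenderControlDesigner"
           type="ExtenderControlDesigner, ExtenderControlDesigner, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <add name="OwaExtender"
           type="Microsoft.Exchange.Clients.OwaExtender, OwaExtender, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </modules>
  </system.webServer>
</configuration>
"""


def classify_module(type_attr):
    """Return the reasons a managed-module registration looks suspicious.

    Entries without a type attribute are native modules registered by name
    in <globalModules>; they are out of scope here and yield no reasons.
    """
    reasons = []
    if type_attr is None:
        return reasons
    type_name = type_attr.split(",")[0].strip()
    if not type_name.startswith(KNOWN_PREFIXES):
        reasons.append("type outside Microsoft namespaces: " + type_name)
    # Microsoft assemblies are strong-named. An explicit null token means an
    # unsigned assembly was dropped into the application's bin or the GAC.
    # Entries that omit the assembly spec entirely are resolved by name and
    # are not flagged on this rule, to keep noise down.
    if "publickeytoken=null" in type_attr.replace(" ", "").lower():
        reasons.append("assembly is not strong-named (PublicKeyToken=null)")
    return reasons


def find_suspicious_modules(xml_text):
    """Return one finding per suspicious <add> under <modules> or <httpModules>."""
    root = ET.fromstring(xml_text)
    entries = root.findall(".//modules/add") + root.findall(".//httpModules/add")
    findings = []
    for entry in entries:
        reasons = classify_module(entry.get("type"))
        if reasons:
            findings.append({
                "name": entry.get("name", "?"),
                "type": entry.get("type"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_modules(SAMPLE_CONFIG):
        print(finding["name"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the sample, the script reports `ExtenderControlDesigner` on both rules and `OwaExtender` only on the strong-name rule: the second entry is there to show that a namespace allowlist is trivially evaded by picking a Microsoft-looking type name, so the signature check and a comparison against a known-good module baseline carry the real weight. The on-disk assembly behind any flagged entry should then be checked for a valid Authenticode signature. On a live server the same registrations can be listed with `appcmd.exe list modules` instead of exporting the config.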

The most recent sample found was detected in April 2021, although researchers believe the module was assembled several months before that. The malicious module also contains an additional embedded assembly, which is empty and unused, and an AssemblyLoader class in a Costura namespace, the loader generated by the Costura.Fody tool for embedding referenced assemblies into a .NET binary.

Researchers have not yet linked Owowa to any known threat actor, because the available data on the malware's deployment and operation is still too scarce. The developers did, however, leave the PDB paths in some of the analyzed samples. The user name "S3crt" found in those paths has also been seen in the PDB paths of loaders for the commercial offensive tools Cobalt Strike and Core Impact, which hints at a possible connection but is not enough for attribution on its own.