Malicious actors are deploying a previously undocumented binary: an Internet Information Services (IIS) web server module dubbed Owowa. Owowa is intended to be loaded as a module within an IIS web server that also exposes Exchange's Outlook Web Access (OWA). Once loaded, Owowa steals the credentials that any user enters on the OWA login page and allows a remote operator to run commands on the underlying server.
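Because Owowa runs as a registered IIS module rather than as a separate process, one defensive check is to review which modules IIS is configured to load, especially in the scope of the `/owa` application. The following Python script is an added example, not part of the original report and not Kaspersky's tooling: it parses an `applicationHost.config`-style XML document (the sample below is constructed) and flags native modules whose DLL lives outside the IIS install directory and managed modules whose .NET type is not from an assumed Microsoft allow-list. The allow-list prefixes and the sample module names are assumptions for illustration; on a real server the findings are leads for review, not proof of compromise.

```python
# Added example: triage IIS module registrations in an applicationHost.config-style
# document. The configuration below is constructed and does not come from a real host.
import xml.etree.ElementTree as ET

# Native IIS modules shipped by Microsoft live under %windir%\System32\inetsrv.
# Either the unexpanded or the expanded form may appear in the config (assumption).
TRUSTED_NATIVE_DIRS = (
    r"%windir%\system32\inetsrv",
    r"c:\windows\system32\inetsrv",
)

# Assumed allow-list of managed-module type prefixes that ship with IIS/ASP.NET.
TRUSTED_MANAGED_PREFIXES = ("System.Web.", "Microsoft.")

# Constructed sample: one unexpected native DLL registered globally and one
# unexpected managed module scoped to the OWA application.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="CustomLogging" image="C:\\inetpub\\wwwroot\\bin\\loghelper.dll" />
    </globalModules>
  </system.webServer>
  <location path="Default Web Site/owa">
    <system.webServer>
      <modules>
        <add name="Session" type="System.Web.SessionState.SessionStateModule" />
        <add name="OwaHelper" type="OwaHelper.Module, OwaHelper" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""


def find_suspicious_modules(config_xml):
    """Return (scope, name, kind, location) tuples for module registrations that
    point outside the trusted native directory or to a non-allow-listed managed type.
    `scope` is the enclosing <location path="..."> or "<global>"."""
    root = ET.fromstring(config_xml)
    findings = []

    def walk(node, scope):
        if node.tag == "location":
            scope = node.get("path", "")
        if node.tag == "globalModules":
            for add in node.findall("add"):
                image = add.get("image", "")
                if not image.lower().startswith(TRUSTED_NATIVE_DIRS):
                    findings.append((scope, add.get("name"), "native", image))
        elif node.tag == "modules":
            for add in node.findall("add"):
                # Entries with only a name re-enable a globally defined module;
                # only entries that bind a new .NET type are of interest here.
                module_type = add.get("type", "")
                if module_type and not module_type.startswith(TRUSTED_MANAGED_PREFIXES):
                    findings.append((scope, add.get("name"), "managed", module_type))
        for child in node:
            walk(child, scope)

    walk(root, "<global>")
    return findings


def owa_scoped(findings):
    """Subset of findings registered under an OWA application path, where a
    credential-stealing module such as Owowa would need to sit."""
    return [f for f in findings if f[0].lower().rstrip("/").endswith("/owa")]


if __name__ == "__main__":
    for scope, name, kind, where in find_suspicious_modules(SAMPLE_CONFIG):
        print(f"[{kind}] scope={scope!r} name={name!r} -> {where}")
```

On a live server the same function can be fed the contents of `%windir%\System32\inetsrv\config\applicationHost.config`; any flagged entry should be compared against change records and the DLL or assembly it names examined before it is trusted.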
Kaspersky detected a cluster of targets with compromised servers located in Malaysia, Mongolia, Indonesia, and the Philippines. No links have been unearthed between the Owowa operators and other publicly documented hacking groups. Pivoting on a username, "S3crt" (read "secret"), found embedded in the source code of the identified samples led to additional malware executables.