Bbabo NET

Science & Technology News

Kaspersky Lab experts have discovered a malicious IIS module targeting Outlook on the web

Kaspersky Lab experts have discovered a malicious Internet Information Services (IIS) module that turns the Outlook on the web application into a credential theft tool and an analogue of a remote access panel. The module was named OWOWA.

Attackers could take advantage of the Outlook on the web application that is included with Exchange Server installed on a company's infrastructure. Once they gain control of the application, they can get to all corporate correspondence. This provides many opportunities both for a deeper attack on the infrastructure and for business email compromise (BEC) attacks.

The malicious OWOWA module is loaded on the IIS server for all running applications. However, it is specifically designed to steal credentials entered into OWA.

The malware scans the Outlook on the web login page, and as soon as a user enters their credentials and successfully receives an authentication token, it writes the login and password to a file in encrypted form. In addition, an attacker can control the functionality of OWOWA through the same authentication form by entering special commands in its field. An attacker can upload the collected information, delete the log file, and execute arbitrary commands via PowerShell on the infected server. You can read more about how this scheme works on Securelist.

Kaspersky Lab experts found traces of OWOWA attacks on servers in several Asian countries: Malaysia, Mongolia, Indonesia and the Philippines. But there is a very high probability that European organizations may be of interest to cybercriminals as well. The Kaspersky Lab website says:

Most of the targets were government agencies. However, there was at least one transport company among them, but it also belonged to the state.

The OWOWA module (like any such malicious IIS module) on a web server can be detected using the appcmd.exe command or standard IIS configuration tools.
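One way to turn that listing into a repeatable check is to compare it against a known-good baseline saved when the server was built. The following is an added example, not code from Kaspersky or the original article; it assumes the `appcmd.exe list modules` output shape shown in the comment, and the sample listings and the module name `ExampleUnknownModule` are constructed.

```python
import re

# Assumed line shape of `appcmd.exe list modules` output:
#   MODULE "<name>" ( native, preCondition:<cond> )
#   MODULE "<name>" ( type:<.NET type>, preCondition:<cond> )
LINE_RE = re.compile(r'^MODULE "(?P<name>[^"]+)" \( (?P<body>.*) \)$')

def parse_modules(text):
    """Return {name: (kind, type)}; kind is 'native' or 'managed'."""
    modules = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a module row
        body = m.group("body")
        # A managed type may be assembly-qualified and contain commas,
        # so cut at the last ", preCondition:" only.
        head = body.rpartition(", preCondition:")[0] or body
        if head.startswith("type:"):
            modules[m.group("name")] = ("managed", head[len("type:"):])
        else:
            modules[m.group("name")] = ("native", "")
    return modules

def review(baseline_text, current_text):
    """List modules that were added, or whose kind/type changed, since baseline."""
    base, cur = parse_modules(baseline_text), parse_modules(current_text)
    findings = []
    for name, (kind, typ) in sorted(cur.items()):
        if name not in base:
            findings.append(("added", name, kind, typ))
        elif base[name] != (kind, typ):
            # Same name, different implementation: a reused name hides well.
            findings.append(("changed", name, kind, typ))
    return findings

# Constructed sample listings (not captured from a real server).
BASELINE = '''
MODULE "HttpCacheModule" ( native, preCondition: )
MODULE "StaticFileModule" ( native, preCondition: )
MODULE "Session" ( type:System.Web.SessionState.SessionStateModule, preCondition:managedHandler )
'''
CURRENT = BASELINE + (
    'MODULE "ExampleUnknownModule" ( type:Example.Unknown.Module, '
    'ExampleAssembly, Version=1.0.0.0, preCondition: )\n'
)

if __name__ == "__main__":
    for finding in review(BASELINE, CURRENT):
        print(*finding, sep=" | ")
```

Any `added` or `changed` row is a lead to investigate rather than a verdict: legitimate software also registers IIS modules, so the value of the check depends on keeping the baseline current.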
