Malicious actors are distributing a previously unknown malware on Microsoft Exchange Outlook Web Access servers: an Internet Information Services (IIS) web server module branded “Owowa,” built to steal credentials and enable remote command execution.
According to Kaspersky researchers Paul Rascagneres and Pierre Delcher, “Owowa is a C#-developed .NET v4.0 assembly that is designed to be loaded as a module within an IIS web server that also exposes Exchange’s Outlook Web Access (OWA).” “Owowa will steal credentials submitted by any user in the OWA login page and allow a remote operator to perform commands on the underlying server when loaded in this manner.”
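Because Owowa runs as a managed (.NET) module inside IIS, one defensive check is to compare the managed modules registered in the server configuration against a known-good baseline. The Python below is an added example, not code from Kaspersky or the original article; the sample configuration, the baseline set and the module name `ExampleUnknownModule` are constructed placeholders, and the layout assumed is that of IIS's `applicationHost.config`.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of IIS's applicationHost.config.
# "ExampleUnknownModule" is a made-up placeholder, not an indicator from any report.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <modules>
      <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" preCondition="managedHandler" />
      <add name="StaticFileModule" />
    </modules>
  </system.webServer>
  <location path="Default Web Site/owa">
    <system.webServer>
      <modules>
        <add name="Session" type="System.Web.SessionState.SessionStateModule" />
        <add name="ExampleUnknownModule" type="Example.Unknown.Module, ExampleAssembly, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      </modules>
    </system.webServer>
  </location>
</configuration>"""

# Assumed baseline: (name, type) pairs recorded from a known-good server build.
BASELINE = {
    ("OutputCache", "System.Web.Caching.OutputCacheModule"),
    ("Session", "System.Web.SessionState.SessionStateModule"),
}

def managed_modules(config_xml):
    """Yield (scope, name, type) for every managed module in the config."""
    root = ET.fromstring(config_xml)
    # Server-wide settings sit under the root; per-site ones under <location>.
    scopes = [("(server)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.iter("location")]
    for scope, node in scopes:
        for add in node.findall("system.webServer/modules/add"):
            # Native modules carry only a name; managed (.NET) ones declare a type.
            if add.get("type"):
                yield scope, add.get("name", ""), add.get("type")

def unexpected_modules(config_xml, baseline=BASELINE):
    """Return managed modules whose (name, type) pair is not in the baseline."""
    return [m for m in managed_modules(config_xml) if (m[1], m[2]) not in baseline]

if __name__ == "__main__":
    for scope, name, mtype in unexpected_modules(SAMPLE_CONFIG):
        print(f"REVIEW scope={scope!r} module={name!r} type={mtype!r}")
```

A module flagged here is only a lead for review: the baseline has to be captured from a server known to be clean, and legitimately installed modules will appear until they are added to it.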