Owowa
Owowa is a malicious IIS backdoor module targeting Microsoft Exchange Outlook Web Access (OWA) servers. It was first documented in late 2021 and is described as a C# .NET v4.0 assembly loaded into IIS as an HTTP module on servers exposing Exchange OWA. Its core functions are credential theft and remote command execution: it intercepts OWA authentication flows, captures successfully submitted usernames and passwords, and allows an operator to execute commands on the underlying server through specially crafted values entered into the OWA username and password fields.
Reported behavior includes hooking IIS request/response handling, ignoring mailbox names beginning with "HealthMailbox", and logging the username, password, source IP address, and timestamp for successful OWA logins. The stolen data is stored at C:\Windows\Temp\af397ef28e484961ba48646a5d38cf54.db.ses and encrypted with a hardcoded RSA public key. Documented operator command strings include "jFuLIXpzRdateYHoVwMlfc" to retrieve the encrypted credential log in Base64 form, "Fb8v91c6tHiKsWzrulCeqO" to delete the log and return an RSA-encrypted "OK", and "dEUM3jZXaDiob8BrqSy2PQO1" to execute a PowerShell command supplied in the password field and return RSA-encrypted output.
Owowa can be installed as an IIS module by placing the DLL in the Global Assembly Cache and registering it with IIS, providing stealthy persistence on Exchange servers. It can be identified by enumerating IIS modules and looking for the module entry "ExtenderControlDesigner". Additional reported artifacts include a public key token of b07504c8144c2a49 and PDB paths beginning with C:\Users\S3crt\source\repos\ClassLibrary2\ in some samples.
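The identification advice above (enumerate IIS modules for "ExtenderControlDesigner", check the GAC for the public key token, look for the credential store and the PDB fragment) can be scripted. The following PowerShell is an added example written for this page, not code from the original write-up or from any vendor tool. It assumes it is run elevated on the IIS/Exchange host and that the WebAdministration module (part of the IIS management tools) is available; the indicator values are the ones stated on this page, and the function name `Find-OwowaArtifacts` and the `$Indicators` table are this example's own.

```powershell
# Added detection example: check an IIS/Exchange host for the Owowa artifacts listed
# in the write-up. Assumes an elevated session on the IIS host. Indicator values are
# taken from the page; function and variable names are this example's own.

$Indicators = @{
    ModuleName     = 'ExtenderControlDesigner'
    PublicKeyToken = 'b07504c8144c2a49'
    CredentialLog  = 'C:\Windows\Temp\af397ef28e484961ba48646a5d38cf54.db.ses'
    PdbFragment    = 'C:\Users\S3crt\source\repos\ClassLibrary2\'
}

function Find-OwowaArtifacts {
    [CmdletBinding()]
    param(
        [hashtable]$Ioc = $Indicators,
        [string]$AppHostConfig = (Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config')
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
    }

    # 1. Module registrations in applicationHost.config. Managed (.NET) modules sit under
    #    <modules>, native ones under <globalModules>; match on the module name the
    #    write-up gives, or on the public key token inside a managed type string.
    if (Test-Path -LiteralPath $AppHostConfig) {
        [xml]$cfg = Get-Content -LiteralPath $AppHostConfig -Raw
        foreach ($node in $cfg.SelectNodes('//modules/add | //globalModules/add')) {
            $name  = $node.GetAttribute('name')
            $type  = $node.GetAttribute('type')
            $image = $node.GetAttribute('image')
            if ($name -eq $Ioc.ModuleName -or $type -match $Ioc.PublicKeyToken) {
                Add-Finding 'IISModuleRegistration' "name=$name type=$type image=$image"
            }
        }
    }

    # 2. The same view through the live IIS configuration, via the WebAdministration cmdlets.
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        Get-WebManagedModule |
            Where-Object { $_.Name -eq $Ioc.ModuleName -or $_.Type -match $Ioc.PublicKeyToken } |
            ForEach-Object { Add-Finding 'WebManagedModule' "$($_.Name) ($($_.Type))" }
    }

    # 3. Global Assembly Cache. Installed assemblies live in folders named
    #    <version>__<publicKeyToken>, so the reported token appears in the directory name.
    foreach ($gacRoot in @("$env:windir\Microsoft.NET\assembly", "$env:windir\assembly")) {
        if (-not (Test-Path -LiteralPath $gacRoot)) { continue }
        Get-ChildItem -LiteralPath $gacRoot -Recurse -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $Ioc.PublicKeyToken } |
            ForEach-Object {
                Add-Finding 'GACDirectory' $_.FullName
                # Look inside any DLL there for the PDB path fragment reported for some samples.
                Get-ChildItem -LiteralPath $_.FullName -Filter *.dll -File -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
                        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
                        if ($text.Contains($Ioc.PdbFragment)) { Add-Finding 'PdbPath' $_.FullName }
                    }
            }
    }

    # 4. The encrypted credential store the module writes to disk.
    if (Test-Path -LiteralPath $Ioc.CredentialLog) {
        $f = Get-Item -LiteralPath $Ioc.CredentialLog
        Add-Finding 'CredentialLog' "$($f.FullName) size=$($f.Length) modifiedUtc=$($f.LastWriteTimeUtc)"
    }

    return $findings
}

$results = Find-OwowaArtifacts
if ($results.Count -eq 0) { 'No Owowa indicators found.' } else { $results | Format-Table -AutoSize }
```

A hit on the module name or token should be confirmed with the file-system evidence (GAC directory, PDB fragment, credential store) before declaring an incident, and because a modified build may use different names, any managed module registered on an OWA-facing site that the Exchange team cannot account for deserves the same review.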
Victimology reported by researchers includes compromised Exchange servers in Asia, including Malaysia, Mongolia, Indonesia, and the Philippines, with most identified victims being government organizations and one a government-owned transportation company. Researchers assessed that additional European victims may also exist. The initial deployment vector was not definitively established, though reporting notes possible deployment via Exchange exploitation such as ProxyLogon and references earlier mass exploitation of ProxyLogon and the Owowa module.
Owowa was later observed in modified form in attacks attributed by Kaspersky to the GOFFEE threat actor. From May 2022 until summer 2023, GOFFEE deployed a modified Owowa IIS module in campaigns targeting organizations exclusively in the Russian Federation. Kaspersky linked this Russia-focused activity to an email-based intrusion chain and described GOFFEE as an ongoing campaign. High-confidence targeting associated with GOFFEE includes Russian organizations in sectors such as media, telecommunications, construction, government, and energy, although those sector details are tied to the broader GOFFEE campaign rather than specifically to Owowa deployments.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Starting in May 2022 and up until summer of 2023, GOFFEE deployed modified Owowa (malicious IIS module) in their attacks.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Referenced as an Exchange-related threat; the content does not describe capabilities, but Owowa is mentioned in the context of targeted attacks against Exchange servers.
A malicious IIS web server module used on Microsoft Exchange Outlook Web Access servers to steal credentials and remotely execute commands on the server.
A modified malicious IIS module used by GOFFEE in attacks on organizations in Russia.
Malicious IIS backdoor module used for persistent access on compromised servers.