Exchange Server 3 minute read

Hackers Stealing Exchange Server Credentials Using Malicious IIS Server Module

Published on December 22nd, 2021
Written by Ravi Singh
Approved by Shaun Hardneck

Summary: Once again, hackers have been found exploiting the ProxyLogon and ProxyShell vulnerabilities—patched by Microsoft earlier this year—to compromise Exchange Server and deploy a malicious IIS Server module called Owowa. Kaspersky recently identified the malware module, which steals credentials from OWA whenever a user logs into their account. In this blog, we discuss the malicious Owowa module, with steps to detect the malware and safeguard your Exchange Server from it.


Security researchers at Kaspersky have discovered a new malicious IIS module called Owowa that harvests user credentials when they log in to Outlook Web Access (OWA). The stealthy malware lingers on the IIS server and steals credentials whenever a user authentication request is made via OWA.

Researchers at Kaspersky have identified clusters of Microsoft Exchange Servers targeted by the malware in Asia—mainly in Malaysia, Indonesia, the Philippines, and Mongolia. Most of these servers belong to government organizations.

Besides harvesting user credentials, the malware allows hackers to control the server and run malicious commands remotely.

Contents

  • How Attackers are Using Owowa Malware to Steal Credentials?
  • How to Detect and Get Rid of Owowa Malware?
  • Conclusion

How Attackers are Using Owowa Malware to Steal Credentials?

Internet Information Services (IIS) is a flexible Microsoft web server suite used to serve files and HTML pages. Its functionality can be extended by installing add-ons called modules—similar to plugins in WordPress or add-ins in Outlook.

Hackers are abusing this extensibility by sideloading the malicious Owowa module into the IIS server that hosts the Exchange Server's OWA application, so that every OWA login passes through the module.

According to Kaspersky, the attack begins with compromising the unpatched Exchange Server by exploiting the ProxyLogon or ProxyShell vulnerabilities—already patched by Microsoft in March, April, and May 2021.

Attackers then sideload the Owowa module into the IIS web server that serves Outlook Web Access (OWA). As per Kaspersky, the malicious module is first registered in the global assembly cache and then loaded by the IIS server running the OWA application.

Once installed, a malicious actor can interact with the loaded Owowa module by executing specifically crafted commands—mentioned below—within the OWA’s Username and Password fields on the authentication page of the compromised Exchange Server.


According to Kaspersky,

  • If the OWA username is jFuLIXpzRdateYHoVwMlfc, Owowa will return the encrypted credentials log, encoded in base64.
  • If the OWA username is Fb8v91c6tHiKsWzrulCeqO, the malicious module deletes the content of the encrypted credentials log, and returns the OK string (encrypted using RSA).
  • If the OWA username is dEUM3jZXaDiob8BrqSy2PQO1, Owowa executes the command that is typed in the OWA password field using PowerShell on the compromised server.

Owowa responds to these commands via the IIS web server and returns the captured credentials, timestamp, and user's IP address to the threat actor in a file encrypted with the RSA algorithm. The legitimate user does not notice any error or anything suspicious.

How to Detect and Get Rid of Owowa Malware?

The malicious IIS Module—Owowa—stays persistent even after an Exchange software update, making it an effective tool for attackers. Moreover, it is a much stealthier alternative to phishing emails as it passively steals the user credentials from users accessing the web services.

To determine whether your Exchange server is compromised by the Owowa malware, administrators can run appcmd.exe or the IIS configuration tool to retrieve the list of modules loaded on the IIS Server.

The malicious Owowa module uses the ‘ExtenderControlDesigner’ name.

[Screenshot: IIS module list showing the ExtenderControlDesigner entry. Source: Kaspersky]

Remove the IIS module and patch your server immediately by installing the latest Cumulative and Security Updates released by Microsoft for your Exchange Server version.
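One way to run the module check described above from PowerShell, as an added example that is not code from the article or from Kaspersky. It assumes the IIS WebAdministration cmdlets (Get-WebGlobalModule, Get-WebManagedModule with -PSPath, Get-Website) are available on the server, and the "non-Microsoft assembly in the GAC" heuristic is an assumption of mine, not something the article states.

```powershell
# Added example: inventory the modules IIS has registered on an Exchange server
# and flag the managed module name Kaspersky attributes to Owowa. Run elevated.
Import-Module WebAdministration
# Module name reported by Kaspersky for Owowa (taken from the article).
$knownBadNames = @('ExtenderControlDesigner')
# Assumption: .NET 4.x GAC layout; the article says Owowa registers in the GAC.
$gacMsil = Join-Path $env:windir 'Microsoft.NET\assembly\GAC_MSIL'

function Get-IisModuleInventory {
    # Native modules are global and backed by a DLL image.
    $native = Get-WebGlobalModule | ForEach-Object {
        [pscustomobject]@{ Kind = 'Native'; Scope = 'Global'; Name = $_.Name; Source = $_.Image }
    }
    # Managed modules are .NET types (Owowa is one). Check the server level and
    # every site, because a module can also be bound per site.
    $managed = @(Get-WebManagedModule | ForEach-Object {
        [pscustomobject]@{ Kind = 'Managed'; Scope = 'Global'; Name = $_.Name; Source = $_.Type }
    })
    foreach ($site in Get-Website) {
        $managed += Get-WebManagedModule -PSPath "IIS:\Sites\$($site.Name)" | ForEach-Object {
            [pscustomobject]@{ Kind = 'Managed'; Scope = $site.Name; Name = $_.Name; Source = $_.Type }
        }
    }
    return @($native) + $managed
}

function Test-SuspectModule {
    param([pscustomobject]$Module)
    $reasons = @()
    if ($knownBadNames -contains $Module.Name) { $reasons += 'name matches Owowa' }
    if ($Module.Kind -eq 'Managed') {
        # Type strings look like "Namespace.Class, AssemblyName, Version=...".
        # Heuristic (assumption): a non-Microsoft assembly that sits in the GAC
        # and is bound to IIS deserves a manual look, whatever it is named.
        $parts = $Module.Source -split ','
        $asm = if ($parts.Count -gt 1) { $parts[1].Trim() } else { $null }
        if ($asm -and $asm -notmatch '^(System|Microsoft)\b' -and
            (Test-Path (Join-Path $gacMsil $asm))) {
            $reasons += "non-Microsoft assembly '$asm' loaded from GAC"
        }
    }
    return $reasons
}

foreach ($m in Get-IisModuleInventory) {
    $why = Test-SuspectModule $m
    $tag = if ($why) { 'REVIEW' } else { 'ok' }
    '{0,-6} {1,-7} {2,-18} {3,-28} {4}' -f $tag, $m.Kind, $m.Scope, $m.Name, ($why -join '; ')
}
```

Any line tagged REVIEW should be compared against a known-good Exchange server of the same version before the module is removed, since the heuristic will also surface legitimate third-party modules.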

To learn more, refer to our guide on installing Exchange Server Cumulative and Security updates.

Conclusion

Owowa malware is a reminder of the risks of not installing the Microsoft Exchange Server Security and Cumulative Updates that patch these vulnerabilities. It also highlights the need to review IIS Server modules regularly for malicious activity and to ensure endpoint security shields are enabled.

In this blog, we have discussed the Owowa malware, how it works, and the steps to get rid of it. However, it is recommended to set up a new Exchange Server and move the mailboxes from your compromised Exchange Server to it. There can be hidden backdoors or web shells installed by the attacker that can be used to compromise your server or network later.

However, if the server or database is damaged due to a malicious attack, you can use Exchange recovery software, such as Stellar Repair for Exchange, to extract mailboxes from corrupt databases and export them directly to your new Exchange server.

This tool can help you minimize downtime and save you from the huge manual efforts required in recovering and restoring mailboxes. If you need more help, leave a comment or reach us via the Self Help and Support page.

About The Author

Ravi Singh

Ravi Singh is a Senior Writer at Stellar®. He is an expert Tech Explainer, IoT enthusiast, and a passionate nerd with over 6 years of experience in technical writing. He writes about Data Recovery, File Repair, Email Migration, Linux, Windows, Mac, and DIY Tech. Ravi spends most of his weekends working with IoT devices and playing games on the Xbox. He is also a solo traveler who loves hiking and exploring new trails.
