Owowa: the add-on that turns your OWA into a credential stealer and remote access panel
released on 2021-12-14 @ 03:13:55 PM
While looking for potentially malicious implants targeting Microsoft Exchange servers, researchers identified a suspicious binary that had been submitted to a multiscanner service in late 2020. Analyzing the code, they determined that the previously unknown binary is an IIS module designed to steal credentials and enable remote command execution from OWA. They named the malicious module ‘Owowa’ and identified several compromised servers located in Asia.