{
	"id": "2af0c351-c22a-4b9d-a222-5ee8fe932c3b",
	"created_at": "2026-04-06T00:07:51.036705Z",
	"updated_at": "2026-04-10T03:21:11.861351Z",
	"deleted_at": null,
	"sha1_hash": "3de6ea2dbfa1d754afdc2bf9be71b82b37f05470",
	"title": "Owowa: the add-on that turns your OWA into a credential stealer and remote access panel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 510961,
	"plain_text": "Owowa: the add-on that turns your OWA into a credential stealer and\r\nremote access panel\r\nBy Paul Rascagneres\r\nPublished: 2021-12-14 · Archived: 2026-04-05 16:44:57 UTC\r\nWhile looking for potentially malicious implants that targeted Microsoft Exchange servers, we identified a suspicious binary\r\nthat had been submitted to a multiscanner service in late 2020. Analyzing the code, we determined that the previously\r\nunknown binary is an IIS module, aimed at stealing credentials and enabling remote command execution from OWA. We\r\nnamed the malicious module ‘Owowa’, and identified several compromised servers located in Asia.\r\nMeet Owowa, the IIS module you don’t want\r\nOwowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also\r\nexposes Exchange’s Outlook Web Access (OWA). When loaded this way, Owowa will steal credentials that are entered by\r\nany user in the OWA login page, and will allow a remote operator to run commands on the underlying server.\r\nThe malicious module was most likely compiled between late 2020 and April 2021. The assembly default “LegalCopyright”\r\nfield shows “2020” as a date, and the most recent Owowa sample we could find was detected in April 2021 in our telemetry.\r\nThe assembly contains a reference to a debugging database (PDB) in its “File” property, and its public key token is set to\r\n“b07504c8144c2a49”.\r\nWe determined that Owowa is intended to be launched as an IIS module because the only relevant code is placed in the class\r\nExtenderControlDesigner, which implements an IIS-specific interface (IHttpModule). Owowa is specifically designed to\r\ninspect HTTP requests and responses by hooking the PreSendRequestContent event. 
This event is supposedly raised when a\r\nweb application of IIS is about to send content to the client (but according to Microsoft, such an event should never be used\r\nin an IHttpModule instance because it is likely to cause an application or server crash).\r\nMalicious HTTP module definition\r\nWe determined that Owowa is specifically targeting OWA applications of Exchange servers because its code purposely\r\nignores requests from OWA-specific monitoring, namely those whose account names start with the HealthMailbox string.\r\nThe malicious module is actually designed to log credentials of users that successfully authenticated on the OWA\r\nauthentication web page. Successful authentication is verified by checking that the OWA application is sending an\r\nauthentication token back to the user. If that’s the case, the username, password, user’s IP address and current timestamp are\r\nstored in a file at C:\\Windows\\Temp\\af397ef28e484961ba48646a5d38cf54.db.ses. Data are encrypted using the RSA\r\nalgorithm, with a hardcoded public key stored as an XML blob:\r\n\u003cRSAKeyValue\u003e\r\n\u003cModulus\u003evTxV8wUJ0PoO2yu/Pm/aICbsT+nFwHXouNo623VIVMl6LY4R96a8cpMTHw92rs0foNcVJB8/SYQvL/6Ko9aOv1K3mm3Txa3Dfe6C\r\n\u003c/Modulus\u003e\u003cExponent\u003eAQAB\u003c/Exponent\u003e\u003c/RSAKeyValue\u003e\r\nA malicious operator can interact with Owowa by entering specifically crafted commands within the username and password\r\nfields in the OWA authentication page of a compromised server. 
Owowa will respond to these commands through the IIS\r\nserver, and display the results to the operator, instead of the expected OWA login error messages:\r\nhttps://securelist.com/owowa-credential-stealer-and-remote-access/105219/\r\nPage 1 of 5\n\nif the OWA username is jFuLIXpzRdateYHoVwMlfc, Owowa will return the encrypted credentials log, encoded in\r\nbase64;\r\nif the OWA username is Fb8v91c6tHiKsWzrulCeqO, the malicious module deletes the content of the encrypted\r\ncredentials log, and returns the OK string (encrypted using RSA);\r\nIf the OWA username is dEUM3jZXaDiob8BrqSy2PQO1, Owowa executes the command that is typed in the OWA\r\npassword field using PowerShell on the compromised server. The result of the command is encrypted (as previously\r\ndescribed) and returned to the operator.\r\nOwowa contains an empty and unused additional assembly, stored as a compressed resource, as well as an additional\r\nAssemblyLoader class from a Costura namespace. These are most likely the result of using the Fody bytecode weaving tool\r\nand its Costura add-in from the build chain of Owowa’s developer. Fody allows .NET developers to dynamically add\r\nfeatures to assemblies at compilation time by weaving, or dynamically modifying the assembly bytecode. In particular,\r\nCostura is aimed at packaging dependencies, by adding these dependencies as compressed resources to the assembly. 
These\r\nCostura by-products could either be left-overs from the developer’s build chain or an obfuscation attempt that is still being\r\ndeveloped, since Owowa’s malicious code could potentially be hidden as a compressed resource within a Costura-built\r\nassembly.\r\nIIS modules management: loading, finding and getting rid of Owowa\r\nOwowa is loaded (for all compatible applications run by a given IIS server, including OWA) by the following PowerShell\r\nscript:\r\n[System.Reflection.Assembly]::Load('System.EnterpriseServices, Version=4.0.0.0, Culture=neutral,\r\nPublicKeyToken=b03f5f7f11d50a3a');\r\n$publish = New-Object System.EnterpriseServices.Internal.Publish;\r\n$name = (Get-Item PATH\\ExtenderControlDesigner.dll).FullName;\r\n$publish.GacInstall($name);\r\n$type = 'System.Web.Extensions.Resource.ExtenderControlDesigner,' +\r\n[System.Reflection.AssemblyName]::GetAssemblyName($name).FullName;\r\nAppcmd.exe add module /name:ExtenderControlDesigner /type:\"$type\"\r\nThe module is first registered in the global assembly cache, and can then be loaded by the IIS server that is running the\r\nOWA application. 
This setup technique is very reminiscent of one previously used by an unknown threat actor and described\r\nby RSA in March 2020 as part of an incident investigation that also involved malicious HTTP modules.\r\nMalicious IIS modules, and Owowa in particular, can be identified by using the command appcmd.exe or the IIS\r\nconfiguration tool, which lists all the loaded modules on a given IIS server instance:\r\nC:\\Windows\\System32\\inetsrv\u003eappcmd.exe list modules | findstr ExtenderControl\r\nMODULE \"ExtenderControlDesigner\" (\r\ntype:System.Web.Extensions.Resource.ExtenderControlDesigner,ExtenderControlDesigner, Version=1.0.0.0,\r\nCulture=neutral, PublicKeyToken=b07504c8144c2a49, preCondition: )\r\nMalicious module in the IIS configuration manager\r\nOwowa victims\r\nWe identified a cluster of targets in Asia with compromised servers in Malaysia, Mongolia, Indonesia and the Philippines.\r\nMost of them belong to government organizations, except for one that belongs to a government-owned transportation company.\r\nGeography of Owowa targets\r\nWhile we did not discover further compromised servers, we assess with medium to high confidence that additional\r\norganizations may also have been targeted in Europe, based on additional data that we provided to customers of our threat\r\nintelligence services and that we cannot publicly disclose.\r\nAttribution\r\nWe couldn’t find any link between Owowa and any known threat actor, due to insufficient data regarding Owowa’s\r\ndeployment. However, the developer behind Owowa failed to remove the PDB paths in the two identified samples, which\r\nboth start with C:\\Users\\S3crt\\source\\repos\\ClassLibrary2\\, suggesting a specific username.\r\nSearching for potentially related resources, we identified a Keybase account sharing the same user name – s3crt – with the\r\naforementioned PDB paths. 
Notably, it shares offensive tools, such as Cobalt Strike and Core Impact:\r\ns3crt Keybase account\r\nThe same username also exists as an account on RAID Forums, demonstrating an interest in Core Impact, a popular\r\npenetration testing software suite:\r\ns3crt RAID Forums account\r\nFinally, we identified a blog profile on CSDN displaying both s3crt and z7ys as usernames (the blog title is\r\n“z7ys’_s3crt_CSDN博客-XSS领域博主”). The user shows an interest in hacking techniques and distributes files that\r\nsupposedly contain leaked Cobalt Strike source code, dating to November 2018:\r\ns3crt CSDN account[1]\r\nLeveraging these clues, the PDB paths and corresponding username, we identified several additional malicious binary files\r\nthat may have been developed or packaged by the same developer:\r\nA binary loader (MD5: D4BDFB90D9AA6D573F3FF3A755E2E630) containing a PDB path that shares a common\r\nroot with Owowa’s: C:\\Users\\S3crt\\source\\repos\\Shellcode_inject\\Release\\artifact32.pdb.\r\nThis binary was submitted to a multiscanner service in September 2021, but was first spotted in the wild in August\r\n2020. It is designed to decode (XOR) and execute an embedded shellcode. The shellcode was downloading a\r\nmalicious payload from the IP 150.109.111[.]208 in August 2020. 
The server was not serving such a payload at the\r\ntime of our investigation, though based on our telemetry we assume with high confidence it was related to Cobalt\r\nStrike;\r\nWe identified another similar binary loader (MD5: 3C5654DDD7998AE39717F7E3D079BD93), first spotted in\r\nAugust 2020, that supposedly also loaded a Cobalt Strike-like payload from 150.109.111[.]208 in August 2020;\r\nFinally, we identified an additional binary loader (MD5: 3DB7101794CB166CA672814728F4E8D7) that was\r\ndetected in March 2021 connecting to the domain s3crt[.]biz that also triggered execution of Cobalt Strike payloads.\r\nThe loader’s PDB is C:\\Users\\Administrator\\source\\repos\\Artifact\\x64\\Aritfact_big\\Artifact.pdb, which is similar in\r\nstructure to those involving s3crt.\r\nIt should be noted that the s3crt username is a simple derivation of the English word “secret” and could very well be used by\r\nmultiple individuals. Hence, we cannot be certain that the identified accounts and files are actually linked to the developer of\r\nOwowa or related to each other. However, the combination of corresponding usernames, PDB paths, project names and\r\ninterests in malicious tools or tactics is notable.\r\nConclusion\r\nThe malicious module described in this post represents an effective option for attackers to gain a strong foothold in targeted\r\nnetworks by persisting inside an Exchange server. For malicious operators there are several benefits:\r\nAn IIS module stays persistent on a compromised system even through an Exchange software update;\r\nMalicious capabilities can easily be triggered by directly sending seemingly innocuous requests to exposed web\r\nservices – in this case, authentication requests to OWA. 
Malicious requests like this can be difficult to detect with\r\nnetwork monitoring;\r\nIIS modules are not a common format for backdoors, especially when compared to typical web application threats\r\nlike web shells and can therefore easily be missed during standard file monitoring efforts;\r\nThe attacker can leverage the module to passively steal credentials from users that legitimately access web services,\r\nwhich presents a stealthier alternative to sending phishing emails.\r\nUnfortunately, we were unable to retrieve enough data to associate the discovered malicious module with any infection\r\nchain or post-infection activities. Earlier this year, the ProxyLogon vulnerabilities demonstrated the impact of Exchange\r\nserver compromise, as well as how quickly threat actors are able to jump on the bandwagon to leverage critical flaws and\r\npursue their goals. It’s possible that malicious operators leveraged these server vulnerabilities to initially deploy Owowa.\r\nWhile showing creativity in Owowa’s development, the creator ignored explicit warnings from Microsoft regarding several\r\nrisky development practices for HTTP modules, which may result in server crashes. Moreover, sensitive information on the\r\ndevelopment environment (PDB paths, Fody by-products) remained in publicly available samples. Further samples or online\r\nprofiles can be weakly linked to this kind of information.\r\nThe operators behind Owowa demonstrated an interest in government organizations in Asia and specifically South-East\r\nAsia. Such targeting may fit a threat actor seeking to gather intelligence on ASEAN’s agenda and member states’ foreign\r\npolicies. 
However, the practices exhibited by what is likely an inexperienced developer don’t appear to correspond with such\r\nstrategic targeting.\r\nIndicators of Compromise\r\nOwowa:\r\naf6507e03e032294822e4157134c9909\r\nea26bed30da01f5d81c3d96af59424acf2fbb14b\r\n8e1e0ddeb249b9f8331b1562498d2cbd9138ec5e00c55a521d489e65b7ef447d\r\nPossibly related malicious loaders:\r\nPDB Paths:\r\nC:\\Users\\S3crt\\source\\repos\\ClassLibrary2\\obj\\Release\\ExtenderControlDesigner.pdb\r\nC:\\Users\\S3crt\\source\\repos\\ClassLibrary2\\obj\\Release\\ClassLibrary2.pdb\r\nC:\\Users\\S3crt\\source\\repos\\Shellcode_inject\\Release\\artifact32.pdb\r\nC:\\Users\\Administrator\\source\\repos\\Artifact\\x64\\Aritfact_big\\Artifact.pdb\r\nPossibly related Cobalt Strike C2:\r\n150.109.111[.]208\r\nPossibly related suspicious domain:\r\ns3crt[.]biz\r\n[1]\r\n Note that the picture used in the profile is of a martial arts practitioner and is unrelated.\r\nSource: https://securelist.com/owowa-credential-stealer-and-remote-access/105219/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/owowa-credential-stealer-and-remote-access/105219/"
	],
	"report_names": [
		"105219"
	],
	"threat_actors": [],
	"ts_created_at": 1775434071,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3de6ea2dbfa1d754afdc2bf9be71b82b37f05470.pdf",
		"text": "https://archive.orkl.eu/3de6ea2dbfa1d754afdc2bf9be71b82b37f05470.txt",
		"img": "https://archive.orkl.eu/3de6ea2dbfa1d754afdc2bf9be71b82b37f05470.jpg"
	}
}