Threat actors are installing a malicious IIS web server module named 'Owowa' on Microsoft Exchange Outlook Web Access servers to steal credentials and execute commands on the server remotely.
Development of Owowa likely started in late 2020, based on compilation data and the date it was uploaded to the VirusTotal malware scanning service.
Based on Kaspersky's telemetry data, the most recent sample in circulation is from April 2021, targeting servers in Malaysia, Mongolia, Indonesia, and the Philippines.
These systems belong to government organizations, public transportation companies, and other crucial entities.
Kaspersky underlines that the 'Owowa' targets aren't limited to Southeast Asia, and they have also seen signs of infections in Europe.