Researchers have uncovered advanced malware that can steal virtually all of a large organization's e-mail passwords by infecting its Outlook Web Application (OWA) mail server over an extended period of time.
Researchers from security firm Cybereason discovered the malicious OWA module after receiving a call from an unnamed company that had more than 19,000 endpoints. The customer had witnessed several behavioral abnormalities in its network and asked Cybereason to look for signs of an infection. Within a few hours, the security firm found a suspicious DLL file loaded into the company's OWA server. While it contained the same name as a benign DLL file, this one was unsigned and was loaded from a different directory.
The OWAAUTH.dll file contained a backdoor. Because it ran on the server, it was able to retrieve all HTTPS-protected server requests after they had been decrypted. As a result, the attackers behind this advanced persistent threat—the term given to malware campaigns that target a specific organization for months or years—were able to steal the passwords of just about anyone accessing the server.