OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390. [1]

ID: S0072
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1022 | Data Encrypted | OwaAuth DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file. [1]
Enterprise | T1073 | DLL Side-Loading | OwaAuth has been loaded onto Exchange servers and disguised as an ISAPI filter (DLL file). The IIS w3wp.exe process then loads the malicious DLL. [1]
Enterprise | T1083 | File and Directory Discovery | OwaAuth has a command to list its directory and logical drives. [1]
Enterprise | T1056 | Input Capture | OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, C:\log.txt. [1]
Enterprise | T1036 | Masquerading | OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\Auth\; the malicious file by the same name is saved in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\bin\. [1]
Enterprise | T1071 | Standard Application Layer Protocol | OwaAuth uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions. [1]
Enterprise | T1099 | Timestomp | OwaAuth has a command to timestomp a file or directory. [1]
Enterprise | T1100 | Web Shell | OwaAuth is a Web shell that appears to be exclusively used by Threat Group-3390. It is installed as an ISAPI filter on Exchange servers and shares characteristics with the China Chopper Web shell. [1]
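A defender-side hunt for the indicators listed above (the misplaced owaauth.dll, the C:\log.txt credential log, and the DLL loaded into w3wp.exe), written here as an added example that is not from the ATT&CK page or the cited reporting. It assumes a default %ProgramFiles% Exchange layout and local administrator rights on the Exchange server.

```powershell
# Hunt for OwaAuth indicators on an Exchange server (added example, not from the page).
# Assumes the default Exchange install path and an elevated PowerShell session.
$exchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server'
$legitDll   = Join-Path $exchangeRoot 'ClientAccess\Owa\Auth\owaauth.dll'  # where the real file lives
$suspectDll = Join-Path $exchangeRoot 'ClientAccess\Owa\bin\owaauth.dll'   # where OwaAuth drops its copy
$credLog    = 'C:\log.txt'                                                  # DES-encrypted credential log

$findings = @()
function Add-Finding([string]$Indicator, [string]$Path, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Indicator = $Indicator; Path = $Path; Detail = $Detail }
}

# 1. owaauth.dll outside Owa\Auth\ is the masquerading indicator. Note that OwaAuth can
#    timestomp, so file timestamps are not trustworthy; hash and signature status are.
if (Test-Path $suspectDll) {
    $hash = (Get-FileHash $suspectDll -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature $suspectDll).Status
    Add-Finding 'owaauth.dll in Owa\bin' $suspectDll "SHA256=$hash Signature=$sig"

    # 2. Same filename but a different hash than the legitimate copy is a strong signal.
    if (Test-Path $legitDll) {
        $legitHash = (Get-FileHash $legitDll -Algorithm SHA256).Hash
        if ($legitHash -ne $hash) {
            Add-Finding 'Hash differs from Owa\Auth\owaauth.dll' $suspectDll "legit SHA256=$legitHash"
        }
    }
}

# 3. The log file the web shell writes captured credentials to. Its contents are DES-encrypted,
#    so do not expect readable usernames; preserve the file for forensic analysis.
if (Test-Path $credLog) {
    $size = (Get-Item $credLog).Length
    Add-Finding 'Credential log present' $credLog "Size=$size bytes (DES-encrypted per reporting)"
}

# 4. Is the suspect DLL currently loaded into an IIS worker process?
Get-Process -Name w3wp -ErrorAction SilentlyContinue | ForEach-Object {
    $procId = $_.Id
    $_.Modules | Where-Object { $_.FileName -ieq $suspectDll } | ForEach-Object {
        Add-Finding 'Suspect DLL loaded in w3wp.exe' $_.FileName "PID=$procId"
    }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'No OwaAuth indicators found.' }
```

Any hit on steps 1 or 4 warrants isolating the server and capturing memory before remediation, since the DLL runs inside the IIS worker process and removing the file alone does not unload it.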


Groups that use this software:

Threat Group-3390