JUST RELEASED: ATT&CK for Industrial Control Systems


OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390. [1]

ID: S0072
Platforms: Windows
Version: 1.0
Created: 31 May 2017
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1022 Data Encrypted

OwaAuth DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file.[1]

Enterprise T1073 DLL Side-Loading

OwaAuth has been loaded onto Exchange servers and disguised as an ISAPI filter (DLL file). The IIS w3wp.exe process then loads the malicious DLL.[1]

Enterprise T1083 File and Directory Discovery

OwaAuth has a command to list its directory and logical drives.[1]

Enterprise T1056 Input Capture

OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, C:\log.txt.[1]

Enterprise T1036 Masquerading

OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\Auth\; the malicious file by the same name is saved in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\bin\.[1]

Enterprise T1071 Standard Application Layer Protocol

OwaAuth uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions.[1]

Enterprise T1099 Timestomp

OwaAuth has a command to timestop a file or directory.[1]

Enterprise T1100 Web Shell

OwaAuth is a Web shell that appears to be exclusively used by Threat Group-3390. It is installed as an ISAPI filter on Exchange servers and shares characteristics with the China Chopper Web shell.[1]

Groups That Use This Software

ID Name References
G0027 Threat Group-3390 [1] [2]