OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390. [1]

ID: S0072
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1022 | Data Encrypted | OwaAuth DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file. [1] |
| Enterprise | T1073 | DLL Side-Loading | OwaAuth has been loaded onto Exchange servers and disguised as an ISAPI filter (DLL file). The IIS w3wp.exe process then loads the malicious DLL. [1] |
| Enterprise | T1083 | File and Directory Discovery | OwaAuth has a command to list its directory and logical drives. [1] |
| Enterprise | T1056 | Input Capture | OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, C:\log.txt. [1] |
| Enterprise | T1036 | Masquerading | OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\Auth\; the malicious file by the same name is saved in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\bin\. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | OwaAuth uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions. [1] |
| Enterprise | T1099 | Timestomp | OwaAuth has a command to timestomp a file or directory. [1] |
| Enterprise | T1100 | Web Shell | OwaAuth is a Web shell that appears to be exclusively used by Threat Group-3390. It is installed as an ISAPI filter on Exchange servers and shares characteristics with the China Chopper Web shell. [1] |
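
A hunting check built from the two host artifacts this entry names (the misplaced owaauth.dll under \Owa\bin\ and the C:\log.txt credential log). This is an added example, not code from the ATT&CK page or from MITRE; the file listing it runs over is constructed sample input, and on a real Exchange host you would feed it a recursive directory listing instead.

```python
import ntpath
from typing import Iterable

# Page-stated facts: the legitimate owaauth.dll lives only here, and the
# shell writes DES-encrypted credentials to C:\log.txt.
EXPECTED_DIR = ntpath.join("%ProgramFiles%", "Microsoft", "Exchange Server",
                           "ClientAccess", "Owa", "Auth")
CRED_LOG = r"C:\log.txt"


def _norm(path: str) -> str:
    # Case-insensitive, separator-normalised comparison for Windows paths.
    return ntpath.normpath(path).lower()


def find_owaauth_anomalies(paths: Iterable[str],
                           program_files: str = r"C:\Program Files") -> dict:
    """Return every owaauth.dll outside the expected Auth directory and
    whether the credential log artifact is present in the listing."""
    expected = _norm(EXPECTED_DIR.replace("%ProgramFiles%", program_files))
    misplaced = []
    cred_log_present = False
    for p in paths:
        n = _norm(p)
        if ntpath.basename(n) == "owaauth.dll" and ntpath.dirname(n) != expected:
            misplaced.append(p)
        if n == _norm(CRED_LOG):
            cred_log_present = True
    return {"misplaced_owaauth": misplaced, "cred_log_present": cred_log_present}


# Constructed listing: one legitimate copy, one in the \Owa\bin\ drop
# location named on the page, an unrelated bin DLL, and the credential log.
SAMPLE_LISTING = [
    r"C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\Auth\owaauth.dll",
    r"C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\bin\owaauth.dll",
    r"C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\bin\Other.dll",
    r"C:\log.txt",
]

if __name__ == "__main__":
    print(find_owaauth_anomalies(SAMPLE_LISTING))
```

A hit on either indicator is a trigger to pull the ISAPI filter configuration for the OWA site and check which DLLs w3wp.exe has loaded, since the page describes the shell being loaded as an ISAPI filter.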

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0027 | Threat Group-3390 | [1] [2] |