OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390. [1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | OwaAuth uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions.[1] |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | OwaAuth DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file.[1] |
| Enterprise | T1083 | File and Directory Discovery | OwaAuth has a command to list its directory and logical drives.[1] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | OwaAuth is a Web shell that appears to be exclusively used by Threat Group-3390. It is installed as an ISAPI filter on Exchange servers and shares characteristics with the China Chopper Web shell.[1] |
| Enterprise | T1505.004 | Server Software Component: IIS Components | OwaAuth has been loaded onto Exchange servers and disguised as an ISAPI filter (owaauth.dll). The IIS w3wp.exe process then loads the malicious DLL.[1] |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | |
| Enterprise | T1056.001 | Input Capture: Keylogging | OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, |