Cyber Security

OwaAuth Malware Report: What Is OwaAuth and How Does It Work?

Reactionary Times News DeskOct 4, 2022 10:18 PM
0 14 1 minute read
OwaAuth is a backdoor that allows remote access to IIS web servers and may also log user keystrokes to intercept credentials, compress or encrypt data, modify file time attributes, and/or backdoor web servers with web shells. Credit: Shutterstock

OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers by Threat group-3390. It affects theWindows and uses the filename owaauth.dll. OwaAuth captures and DES-encrypts credentials and by using keylogging functions.

OwaAuth Malware Capabilities

OwaAuth may install malicious components on IIS web servers to establish persistence and communicate using application layer protocols associated with web traffic. OwaAuth may also log user keystrokes to intercept credentials, compress or encrypt data, modify file time attributes, and/or backdoor web servers with web shells.

  • OwaAuth may be used to establish persistence on IIS web servers by installing malicious components as extensions or filters. It may communicate using application layer protocols to avoid detection. Additionally, it may match or approximate the name or location of legitimate files or resources when naming/placing them in order to evade defenses and observation.
  • The OwaAuth malware may collect information from a host or network share, including credentials, and compress or encrypt the data before exfiltrating it. Keylogging may be used to acquire new credentials.

Ways to Mitigate OwaAuth Malware Attacks

  • The OwaAuth malware can be mitigated by monitoring for the creation and modification of files that could be abused as malicious ISAPI extensions or IIS modules. Changes to the applicationhost.config file could indicate an IIS module installation.Network data should be analyzed for unusual data flows, and packet contents should be inspected for application layer protocols that do not follow expected standards. File hashes should be collected and compared to expected values, and files that are modified outside of an update or patch should be considered suspect.
  • The above text discusses various methods that can be used to detect and mitigate the effects of OwaAuth malware. These methods include system and network discovery, keylogger detection, and custom archival detection.

About Threat group-3390 Threat Group

Threat group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims, active since at least 2010.

Reactionary Times News DeskOct 4, 2022 10:18 PM
0 14 1 minute read
Reactionary Times News Desk

Reactionary Times News Desk

All breaking news stories that matter to America. The News Desk is covered by the sharpest eyes in news media, as they decipher fact from fiction.

Previous/Next Posts

Related Articles

Photo of Uncovering the Latest BEC Fraud Scheme: Nigerian National Arrested for $7.5 Million Scam Targeting US Charitable Organizations

Uncovering the Latest BEC Fraud Scheme: Nigerian National Arrested for $7.5 Million Scam Targeting US Charitable Organizations

Jan 9, 2024 1:20 PM
Photo of The Latest in Cybersecurity: Incidents, Vulnerabilities, and Industry Developments

The Latest in Cybersecurity: Incidents, Vulnerabilities, and Industry Developments

Jan 9, 2024 1:02 PM
Photo of Enhancing Cybersecurity: Okta's Acquisition of Spera Security and the Future of Identity Threat Detection

Enhancing Cybersecurity: Okta's Acquisition of Spera Security and the Future of Identity Threat Detection

Dec 31, 2023 10:40 AM
Photo of Troubleshooting Xvdd SCSI Miniport Issues in Virtualization Environments: Causes, Solutions, and Recommendations

Troubleshooting Xvdd SCSI Miniport Issues in Virtualization Environments: Causes, Solutions, and Recommendations

Dec 29, 2023 10:41 AM

Leave a Reply

Loading...
Back to top button