OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers by Threat Group-3390. It affects Windows and uses the filename owaauth.dll. OwaAuth captures credentials, including through keylogging functions, and DES-encrypts them.
OwaAuth Malware Capabilities
OwaAuth may install malicious components on IIS web servers to establish persistence and communicate using application layer protocols associated with web traffic. OwaAuth may also log user keystrokes to intercept credentials, compress or encrypt data, modify file time attributes, and/or backdoor web servers with web shells.
- OwaAuth may be used to establish persistence on IIS web servers by installing malicious components as extensions or filters. It may communicate using application layer protocols to avoid detection. Additionally, it may match or approximate the name or location of legitimate files or resources when naming/placing them in order to evade defenses and observation.
- The OwaAuth malware may collect information from a host or network share, including credentials, and compress or encrypt the data before exfiltrating it. Keylogging may be used to acquire new credentials.
Ways to Mitigate OwaAuth Malware Attacks
- The OwaAuth malware can be mitigated by monitoring for the creation and modification of files that could be abused as malicious ISAPI extensions or IIS modules. Changes to the applicationHost.config file could indicate an IIS module installation. Network data should be analyzed for unusual data flows, and packet contents should be inspected for application layer protocols that do not follow expected standards. File hashes should be collected and compared to expected values, and files that are modified outside of an update or patch should be considered suspect.
- Further detection methods that apply to OwaAuth include monitoring for system and network discovery activity, keylogger detection, and detection of custom archival or encryption routines applied to collected data.
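The first mitigation above combines two checks: which native modules and ISAPI filters applicationHost.config actually registers, and whether the binaries behind them still match a known-good hash baseline. The Python below is an added example written for this page, not code from the original or from any IIS tooling. It parses a constructed applicationHost.config fragment, flags any registered component whose image path lies outside the IIS installation directory, and flags any binary whose SHA-256 differs from the baseline or that has no baseline entry at all. The file paths, file contents and baseline hashes are constructed; the trusted directory is an assumption and would be tuned per server, since Exchange legitimately registers modules from its own directories.

```python
"""Spot unexpected IIS native modules / ISAPI filters and hash drift.

Added example, not from the original page. Sample config, paths, file
contents and baseline hashes are constructed for illustration.
"""
import hashlib
import ntpath
import xml.etree.ElementTree as ET

# Where Microsoft's own IIS native modules live (assumption for this check).
TRUSTED_IMAGE_DIR = r"%windir%\System32\inetsrv"

# Constructed applicationHost.config fragment: stock modules plus one extra
# native module registered from an Exchange OWA directory.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="OwaAuthModule" image="C:\Exchange\FrontEnd\HttpProxy\owa\auth\owaauth.dll" />
    </globalModules>
    <isapiFilters>
      <filter name="Compression" path="%windir%\System32\inetsrv\gzip.dll" />
    </isapiFilters>
  </system.webServer>
</configuration>
"""

# Constructed stand-ins for bytes read from each registered binary
# (a real collector would use open(path, "rb").read()).
OBSERVED = {
    r"%windir%\System32\inetsrv\cachuri.dll": b"MZ cachuri unchanged",
    r"%windir%\System32\inetsrv\static.dll": b"MZ static TAMPERED",
    r"C:\Exchange\FrontEnd\HttpProxy\owa\auth\owaauth.dll": b"MZ owaauth",
    r"%windir%\System32\inetsrv\gzip.dll": b"MZ gzip unchanged",
}

# Baseline captured at a known-good time (constructed here; static.dll has
# since changed and owaauth.dll was never baselined).
BASELINE = {
    r"%windir%\System32\inetsrv\cachuri.dll": hashlib.sha256(b"MZ cachuri unchanged").hexdigest(),
    r"%windir%\System32\inetsrv\static.dll": hashlib.sha256(b"MZ static original").hexdigest(),
    r"%windir%\System32\inetsrv\gzip.dll": hashlib.sha256(b"MZ gzip unchanged").hexdigest(),
}


def registered_components(config_xml):
    """Return (kind, name, image_path) for every native module and ISAPI filter."""
    root = ET.fromstring(config_xml)
    found = []
    # Walk by tag rather than by path: ElementTree paths cannot express the
    # dotted <system.webServer> element name.
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            found.append(("globalModule", add.get("name"), add.get("image")))
    for section in root.iter("isapiFilters"):
        for flt in section.findall("filter"):
            found.append(("isapiFilter", flt.get("name"), flt.get("path")))
    return found


def outside_trusted_dir(image_path):
    """True when the binary does not live directly in the IIS directory."""
    directory = ntpath.dirname(image_path)
    # normcase lower-cases and normalises slashes, so case/separator games don't slip past.
    return ntpath.normcase(directory) != ntpath.normcase(TRUSTED_IMAGE_DIR)


def hash_mismatches(observed_bytes, baseline_hashes):
    """Paths whose SHA-256 differs from baseline, or that have no baseline entry."""
    flagged = []
    for path, data in observed_bytes.items():
        digest = hashlib.sha256(data).hexdigest()
        if baseline_hashes.get(path) != digest:
            flagged.append(path)
    return flagged


def analyse(config_xml, observed_bytes, baseline_hashes):
    """Return (name, image_path, reason) findings for review."""
    findings = []
    mismatched = set(hash_mismatches(observed_bytes, baseline_hashes))
    for kind, name, image in registered_components(config_xml):
        if outside_trusted_dir(image):
            findings.append((name, image, f"{kind} loaded from outside {TRUSTED_IMAGE_DIR}"))
        if image in mismatched:
            reason = "no baseline hash" if image not in baseline_hashes else "hash differs from baseline"
            findings.append((name, image, reason))
    return findings


if __name__ == "__main__":
    for name, image, reason in analyse(SAMPLE_CONFIG, OBSERVED, BASELINE):
        print(f"[!] {name}: {reason} ({image})")
```

On the constructed input this reports StaticFileModule for hash drift and OwaAuthModule twice, once for loading from outside the IIS directory and once for having no baseline entry. In practice the baseline is what carries the check: a newly registered module that was not present when the server was last known good is worth a look regardless of where its path points.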
About Threat Group-3390
Threat Group-3390 is a Chinese threat group, active since at least 2010, that has extensively used strategic Web compromises to target victims.