Skip to content

S0072 OwaAuth

OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390. 1

Item Value
ID S0072
Associated Names
Version 1.2
Created 31 May 2017
Last Modified 17 June 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols OwaAuth uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions.1
enterprise T1560 Archive Collected Data -
enterprise T1560.003 Archive via Custom Method OwaAuth DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file.1
enterprise T1083 File and Directory Discovery OwaAuth has a command to list its directory and logical drives.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.006 Timestomp OwaAuth has a command to timestop a file or directory.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, C:\log.txt.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\Auth\; the malicious file by the same name is saved in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\bin\.1
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell OwaAuth is a Web shell that appears to be exclusively used by Threat Group-3390. It is installed as an ISAPI filter on Exchange servers and shares characteristics with the China Chopper Web shell.1
enterprise T1505.004 IIS Components OwaAuth has been loaded onto Exchange servers and disguised as an ISAPI filter (owaauth.dll). The IIS w3wp.exe process then loads the malicious DLL.1


Back to top