OwaAuth

Malware updated a month ago (2024-11-29T14:15:15.078Z)
Download STIX
Preview STIX
OwaAuth is a type of malware, specifically a web shell, that has been utilized by threat actors such as TG-3390 and BRONZE UNION to infiltrate Exchange servers. It operates by disguising itself as an ISAPI filter and shares characteristics with the ChinaChopper web shell. One unique feature of OwaAuth is that it requires a password for access, which often contains the name of the victim organization. This makes it a potent tool for cyberespionage, enabling unauthorized access to sensitive information and systems. The OwaAuth web shell provides a wide range of commands to the adversary, including the ability to upload and download files, launch processes, and execute SQL queries. This extensive command set increases its potential for damage and exploitation. If the OwaAuth web shell proves ineffective due to the victim using two-factor authentication for webmail, adversaries have been observed to switch tactics and deploy ChinaChopper web shells on other externally accessible servers. Despite its sophistication, there are measures organizations can take to protect against OwaAuth attacks. Detailed analysis and further information about the OwaAuth web shell, including its command set and operational mechanics, are available in Appendix C of the Secureworks research report. By understanding the nature of the threat, organizations can better anticipate and defend against these types of cyberattacks, thereby safeguarding their systems and data.
Description last updated: 2024-05-04T22:54:03.371Z
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the OwaAuth Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more