OwaAuth

Malware Profile Updated 2 months ago
OwaAuth is a web shell that threat actors such as TG-3390 and BRONZE UNION have used to compromise Exchange servers. It masquerades as an ISAPI filter and shares characteristics with the ChinaChopper web shell. One distinctive feature of OwaAuth is that it requires a password for access, and that password often contains the name of the victim organization. This makes it a potent cyberespionage tool, enabling unauthorized access to sensitive information and systems.

The OwaAuth web shell gives the adversary a wide command set, including the ability to upload and download files, launch processes, and execute SQL queries, which increases its potential for damage. If the OwaAuth web shell proves ineffective because the victim uses two-factor authentication for webmail, adversaries have been observed to switch tactics and deploy ChinaChopper web shells on other externally accessible servers.

Despite its sophistication, there are measures organizations can take to protect against OwaAuth attacks. Detailed analysis of the OwaAuth web shell, including its command set and operational mechanics, is available in Appendix C of the Secureworks research report. By understanding the nature of the threat, organizations can better anticipate and defend against these attacks and safeguard their systems and data.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| ID | Votes | Profile Description |
| --- | --- | --- |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
- IIS
- Web Shell
- Outlook
Associated Malware
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| Aspxtool | Unspecified | 1 | ASPXTool is a type of malware, specifically a modified version of the ASPXSpy web shell. This malicious software is designed to infiltrate and exploit computer systems, often entering undetected through suspicious downloads, emails, or websites. Once inside a system, it can steal personal informatio |
Associated Threat Actors
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| No associations to display | | | |
Associated Vulnerabilities
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| No associations to display | | | |
Source Document References
Information about the OwaAuth malware was read from the document corpus below. This display is limited to 20 results.
| Source | Created At | Title |
| --- | --- | --- |
| MITRE | a year ago | Threat Group-3390 Targets Organizations for Cyberespionage |
| MITRE | a year ago | BRONZE UNION Cyberespionage Persists Despite Disclosures |
| MITRE | a year ago | Newly discovered Chinese hacking group hacked 100+ websites to use as "watering holes" |