OwaAuth

Malware updated 6 months ago (2024-05-04T23:17:59.069Z)
OwaAuth is a web shell that threat actors such as TG-3390 and BRONZE UNION have used to infiltrate Exchange servers. It disguises itself as an ISAPI filter and shares characteristics with the ChinaChopper web shell. One distinguishing feature is that it requires a password for access, and that password often contains the name of the victim organization. These traits make it a potent tool for cyberespionage, giving the adversary unauthorized access to sensitive information and systems.

The OwaAuth web shell provides the adversary with a wide range of commands, including the ability to upload and download files, launch processes, and execute SQL queries. This extensive command set increases its potential for damage and exploitation. When OwaAuth proves ineffective because the victim uses two-factor authentication for webmail, adversaries have been observed switching tactics and deploying ChinaChopper web shells on other externally accessible servers.

Despite its sophistication, there are measures organizations can take to protect against OwaAuth attacks. Detailed analysis of the OwaAuth web shell, including its command set and operational mechanics, is available in Appendix C of the Secureworks research report. Understanding the nature of the threat helps organizations anticipate and defend against this type of attack and safeguard their systems and data.
Description last updated: 2024-05-04T22:54:03.371Z
Aliases
We are not currently tracking any aliases.