SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

OwaAuth

OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390. ^[1]

ID: S0072

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.2

Created: 31 May 2017

Last Modified: 17 June 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	OwaAuth uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions.^[1]
Enterprise	T1560	.003	Archive Collected Data: Archive via Custom Method	OwaAuth DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file.^[1]
Enterprise	T1083		File and Directory Discovery	OwaAuth has a command to list its directory and logical drives.^[1]
Enterprise	T1070	.006	Indicator Removal on Host: Timestomp	OwaAuth has a command to timestop a file or directory.^[1]
Enterprise	T1056	.001	Input Capture: Keylogging	OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, `C:\log.txt`.^[1]
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in `%ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\Auth\`; the malicious file by the same name is saved in `%ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\bin\`.^[1]
Enterprise	T1505	.003	Server Software Component: Web Shell	OwaAuth is a Web shell that appears to be exclusively used by Threat Group-3390. It is installed as an ISAPI filter on Exchange servers and shares characteristics with the China Chopper Web shell.^[1]
		.004	Server Software Component: IIS Components	OwaAuth has been loaded onto Exchange servers and disguised as an ISAPI filter (owaauth.dll). The IIS w3wp.exe process then loads the malicious DLL.^[1]

Groups That Use This Software

ID	Name	References
G0027	Threat Group-3390	^[1]^[2]

References

Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.

Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.