OwaAuth

Description

(SecureWorks) A web shell and credential stealer deployed to Microsoft Exchange servers. It is installed as an ISAPI filter. Captured credentials are DES-encrypted using the password ‘12345678’ and are written to the log.txt file in the root directory. Like the China Chopper web shell, the OwaAuth web shell requires a password. However, the OwaAuth web shell password contains the victim organization’s name.

Names

Name
OwaAuth
luckyowa

Category

Malware

Type

  • Backdoor
  • Credential stealer

Information

MITRE ATT&CK

Malpedia

Other Information

UUID

0dd041d7-9044-4ec3-b5cc-485b6bf92f8f

Last Card Change

2020-05-14