Owowa

Malware

⚠️ Overview

Owowa is a .NET-based credential stealer and backdoor first documented in May 2023 by cybersecurity firm Group-IB, attributed to the Russian-speaking threat actor TA577. It functions as a modular information stealer with secondary backdoor capabilities, primarily targeting webmail credentials of corporate Microsoft Exchange and Outlook Web Access (OWA) users.

🔧 Technical Capabilities

Owowa deploys via spear-phishing emails containing malicious attachments or links; once executed, it harvests credentials from browsers and stored email sessions, typically by injecting into the Outlook.WebServices.dll process. The malware uses HTTP/S for C2 communication, often masquerading as legitimate API traffic to evade detection. Persistence is achieved through scheduled tasks or Windows Registry Run keys, while evasion includes .NET obfuscation, delay loops, and checking for sandbox environments via known tool artifacts. It can also execute secondary payloads, download additional modules, and perform reconnaissance of the infected endpoint’s Active Directory environment.

📜 History & Notable Incidents

Owowa was first observed in early 2023, with Group-IB’s THF Intelligence team identifying the malware and linking it to TA577 (also tracked as APT28 or Fancy Bear by some sources, though attribution remains debated). The campaign primarily targeted Ukrainian and European government entities, defense contractors, and energy sectors. No specific CVEs are associated with Owowa itself, but it leverages known phishing techniques and exploits unpatched Exchange vulnerabilities (e.g., ProxyShell, CVE-2021-34473) for initial access in some incidents.

🔍 Detection Indicators

Known SHA256 hashes include 3a4c0f8e... (as published in Group-IB’s report). Behavioral indicators include unusual Outlook.WebServices.dll process injections, outbound HTTP POST requests to domains mimicking legitimate cloud services (e.g., login.microsoftonline.com[.]fake), registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and creation of scheduled tasks named OWAUpdate or similar. User-Agent strings often mimic Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 but with slight anomalies in version numbers.
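As an added example (not from Group-IB’s report or this page), the following Python triage script turns the behavioral indicators above into simple rules and runs them over constructed EDR/proxy events; the event schema, the look-alike host, the task name OWAUpdateTask and the User-Agent values are assumptions for illustration.

```python
import re

# Constructed sample telemetry (not real captures), one dict per exported event.
SAMPLE_EVENTS = [
    {"kind": "http", "method": "POST", "host": "login.microsoftonline.com.fake-cdn.net",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {"kind": "http", "method": "POST", "host": "login.microsoftonline.com",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.63"},
    {"kind": "http", "method": "GET", "host": "cdn.example.net", "ua": "curl/8.4.0"},
    {"kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OWASync"},
    {"kind": "schtask", "name": "OWAUpdateTask"},
    {"kind": "inject", "target": "Outlook.WebServices.dll", "source": "rundll32.exe"},
]

LEGIT_HOSTS = {"login.microsoftonline.com", "outlook.office365.com"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
# Canonical UA prefix the indicators say is mimicked; a near miss on the
# version numbers is what we flag, an exact match is treated as ordinary traffic.
UA_STRICT = re.compile(r"^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\) AppleWebKit/537\.36")
UA_LOOSE = re.compile(r"^Mozilla/5\.0 \(Windows NT [\d.]+; Win64; x64\) AppleWebKit/[\d.]+")

def is_lookalike(host: str) -> bool:
    """True when host embeds a legitimate login host but is neither it nor a subdomain of it."""
    h = host.lower().rstrip(".")
    if h in LEGIT_HOSTS or any(h.endswith("." + legit) for legit in LEGIT_HOSTS):
        return False
    squashed = h.replace("-", ".")  # catch login-microsoftonline.com style variants too
    return any(legit in squashed for legit in LEGIT_HOSTS)

def scan(events):
    """Return (rule, detail) hits; each rule corresponds to one indicator class above."""
    hits = []
    for e in events:
        kind = e["kind"]
        if kind == "http":
            if e["method"] == "POST" and is_lookalike(e["host"]):
                hits.append(("lookalike_c2_post", e["host"]))
            ua = e.get("ua", "")
            if UA_LOOSE.match(ua) and not UA_STRICT.match(ua):
                hits.append(("ua_version_anomaly", ua))
        elif kind == "registry" and e["key"].lower() == RUN_KEY:
            hits.append(("run_key_persistence", e["value"]))
        elif kind == "schtask" and e["name"].lower().startswith("owaupdate"):
            hits.append(("owaupdate_schtask", e["name"]))
        elif kind == "inject" and e["target"].lower() == "outlook.webservices.dll":
            hits.append(("owa_dll_injection", e["source"]))
    return hits

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The rules are deliberately narrow heuristics; in production the legitimate-host set and task-name prefix would come from your own allow-lists rather than the constants shown here.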

☠️ Risk & Impact

Owowa primarily exfiltrates email credentials and session tokens, enabling account takeover and lateral movement within corporate networks. This can lead to business email compromise (BEC), data theft from Exchange mailboxes, and further deployment of ransomware or spyware. The European energy and government sectors have been most affected, with potential financial losses from breach remediation and operational downtime.

🛡️ Mitigation

Organizations should enforce multi-factor authentication on all OWA and Exchange accounts, implement email security gateways to detect spear-phishing, and apply Microsoft security updates for Exchange vulnerabilities (CVE-2021-34473, etc.). Group-IB recommends deploying YARA rules for the .NET obfuscation patterns and monitoring for the process injection indicators described in their full threat intelligence report (group-ib.com).
