Microsoft Threat Intelligence Center (MSTIC) researchers outlined a new backdoor being used by the Nobelium cyberespionage APT group. The custom malware has been named FoggyWeb and is being used by the group to steal sensitive information from Active Directory Federation Services (AD FS) servers. FoggyWeb is a post-exploitation backdoor used by the APT group to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token signing certificates, and token decryption certificates. The backdoor also allows Nobelium to download and execute additional components. Nobelium uses the version.dll DLL to load FoggyWeb, which is stored in the encrypted file Windows.Data.TimeZones.zh-PH.pri. The AD FS executable Microsoft.IdentityServer.ServiceHost.exeloads version.dll through the DLL search order hijacking technique. This technique involves the core Common Language Runtime (CLR) DLL files. The loader also uses a custom Lightweight Encryption Algorithm (LEA). This routine is used to decrypt the backdoor directly in the memory. The backdoor configures HTTP listeners for actor-defined URIs to intercept GET/POST requests sent to the AD FS server matching the custom URI patterns.
The Nobelium APT is known for targeting government and non-government organizations, think tanks, IT service providers, health technology, and telecommunications companies. The group has conducted supply-chain attacks in the past, including the SolarWinds attack which used a variety of malware families. Microsoft experts provided the following recommendations to organizations that have been compromised or that suspect to be under attack by the group:
- Audit your on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and other changes the actor might have made to maintain their access.
- Remove user and app access, review configurations for each, and re-issue new, strong credentials following documented industry best practices.
- Use a Hardware Security Module (HSM) as described in securing AD FS servers to prevent the exfiltration of secrets by FoggyWeb.
Utilizing a monitoring service such as Binary Defense’s Managed Detection and Response (MDR) is a great tool for organizations looking to prevent damage from attacks targeting them. This, in conjunction with the 24/7/365 Security Operations Task Force, allows companies assurance that they are being protected against attacks such as these.