Microsoft Threat Intelligence Center (MSTIC) researchers have outlined a new backdoor used by the Nobelium cyberespionage APT group. The custom malware, named FoggyWeb, is used to steal sensitive information from Active Directory Federation Services (AD FS) servers. FoggyWeb is a post-exploitation backdoor: Nobelium deploys it only after it has already gained administrative access to an AD FS server, and then uses it to remotely exfiltrate the server's configuration database, the decrypted token-signing certificate, and the token-decryption certificate. That material is what makes an AD FS compromise so damaging: with the token-signing key an attacker can mint valid SAML tokens for any user of any application that trusts the federation server, and with the decryption key it can read tokens encrypted for that server. The backdoor also lets Nobelium download and execute additional components on the compromised host.

Nobelium uses a malicious version.dll as the loader for FoggyWeb; the backdoor itself is stored in an encrypted file named Windows.Data.TimeZones.zh-PH.pri. The AD FS service executable, Microsoft.IdentityServer.ServiceHost.exe, ends up loading version.dll through DLL search order hijacking. The hijack works through the core Common Language Runtime (CLR) DLL files: the service loads the CLR, the CLR DLLs in turn import version.dll by name, and because Windows searches the application's own directory before System32, a version.dll planted next to the AD FS binary is loaded in place of the legitimate system copy. The loader then decrypts the .pri file with a custom Lightweight Encryption Algorithm (LEA) routine and loads the backdoor directly in memory, so the decrypted backdoor never touches disk.

Once running inside the AD FS service process, the backdoor configures HTTP listeners for actor-defined URIs and intercepts GET and POST requests to the AD FS server that match those custom URI patterns, using them as its command and exfiltration channel. Because it waits for inbound requests that look like ordinary AD FS traffic rather than beaconing out, network monitoring has little to key on; hunting for it has to focus on the host itself.
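As an added host-side check for the loader pattern described above (this is example code written for this page, not code from the MSTIC write-up, the article's author, or the actor), the PowerShell below looks on an AD FS server for a version.dll that is loaded into the AD FS service process from anywhere other than System32/SysWOW64, for a version.dll sitting on disk next to the AD FS binary, and for any file carrying the Windows.Data.TimeZones.zh-PH.pri name. It assumes the AD FS service process is named Microsoft.IdentityServer.ServiceHost and that a legitimate version.dll lives only under System32 or SysWOW64; run it elevated, since reading another process's module list requires it.

```powershell
# Hunting script for the FoggyWeb loader pattern on an AD FS server.
# Added example, not Microsoft's or the actor's code. Assumptions: the AD FS
# service process is Microsoft.IdentityServer.ServiceHost, and the only
# legitimate version.dll copies are under System32 and SysWOW64.
# Run from an elevated PowerShell session on the AD FS server.

$findings = @()
$sys32  = Join-Path $env:WinDir 'System32'
$syswow = Join-Path $env:WinDir 'SysWOW64'

# 1. Locate the running AD FS service process. Its directory is the first
#    place the DLL search order looks, so that is where a hijacked
#    version.dll would be planted.
$adfs = Get-Process -Name 'Microsoft.IdentityServer.ServiceHost' -ErrorAction SilentlyContinue
if (-not $adfs) {
    Write-Warning 'AD FS service process is not running; skipping in-memory module check.'
}

# 2a. version.dll on disk in the AD FS binary directory.
if ($adfs) {
    $planted = Join-Path (Split-Path -Parent $adfs.Path) 'version.dll'
    if (Test-Path -LiteralPath $planted) {
        $sig = Get-AuthenticodeSignature -FilePath $planted
        $findings += [pscustomobject]@{
            Check     = 'version.dll next to AD FS binary'
            Path      = $planted
            Signature = $sig.Status
            Detail    = $sig.SignerCertificate.Subject
        }
    }
}

# 2b. version.dll actually mapped into the AD FS process from outside the
#     system directories. This also catches a copy dropped elsewhere in the
#     search path, not just the application directory.
if ($adfs) {
    try {
        foreach ($m in $adfs.Modules) {
            if ($m.ModuleName -ieq 'version.dll' -and
                $m.FileName -notlike "$sys32\*" -and
                $m.FileName -notlike "$syswow\*") {
                $sig = Get-AuthenticodeSignature -FilePath $m.FileName
                $findings += [pscustomobject]@{
                    Check     = 'non-system version.dll loaded in AD FS process'
                    Path      = $m.FileName
                    Signature = $sig.Status
                    Detail    = $sig.SignerCertificate.Subject
                }
            }
        }
    } catch {
        Write-Warning "Could not enumerate AD FS process modules (run elevated): $_"
    }
}

# 3. The encrypted payload file. Its name mimics a Windows resource file, so
#    search the whole Windows directory by name rather than trusting one path.
$payloads = Get-ChildItem -Path $env:WinDir -Filter 'Windows.Data.TimeZones.zh-PH.pri' `
    -Recurse -File -Force -ErrorAction SilentlyContinue
foreach ($f in $payloads) {
    $findings += [pscustomobject]@{
        Check     = 'FoggyWeb payload file name present'
        Path      = $f.FullName
        Signature = 'n/a'
        Detail    = "$($f.Length) bytes, modified $($f.LastWriteTimeUtc) UTC"
    }
}

# 4. Report. Any hit here warrants full incident response on the AD FS
#    server, including rotation of the token-signing and token-decryption
#    certificates, since the backdoor's purpose is to steal them.
if ($findings.Count -eq 0) {
    'No FoggyWeb loader indicators found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A version.dll that is unsigned, signed by someone other than Microsoft, or loaded from the AD FS directory is the finding to act on; the payload file name is a weaker indicator on its own, since the actor can rename it, which is why the in-memory module check is the one worth scheduling.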
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased