There’s a new backdoor in the wild attributed to the NOBELIUM threat actor, believed to be behind the SUNBURST backdoor, the TEARDROP malware, and “related components”.
According to the Microsoft Threat Intelligence Center (MSTIC), the so-called FoggyWeb is a post-exploitation backdoor. The NOBELIUM threat actor employs multiple techniques to carry out credential theft. Its objective is to gain admin-level access to Active Directory Federation Services (AD FS) servers, the company said.
FoggyWeb Backdoor: Overview
Once the threat actor has obtained access to a server, its purpose is to maintain persistence and deepen its infiltration via sophisticated malware. FoggyWeb, being a post-exploitation tool, serves this purpose. It remotely exfiltrates the configuration database of the compromised AD FS servers, as well as decrypted token-signing and token-decryption certificates.
The malware also downloads and executes additional components, as per the attackers’ specific needs. FoggyWeb has been used in active campaigns since April 2021, Microsoft said in a very detailed technical write-up.
The backdoor is also described as “passive” and “highly targeted,” with sophisticated data exfiltration capabilities. “It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server,” the researchers added. It is also noteworthy that the malware enables abuse of Security Assertion Markup Language (SAML) tokens in AD FS.
“The backdoor configures HTTP listeners for actor-defined URIs that mimic the structure of the legitimate URIs used by the target’s AD FS deployment. The custom listeners passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor,” Microsoft said.
FoggyWeb is stored in an encrypted file called Windows.Data.TimeZones.zh-PH.pri, while the malicious file version.dll acts as a loader. The loader DLL uses the Common Language Runtime (CLR) hosting interfaces and APIs to load FoggyWeb, a managed DLL, into the same Application Domain in which the legitimate AD FS managed code is executed.
Thanks to this trick, the malware obtains access to the AD FS codebase and resources, including the AD FS configuration database. Furthermore, the backdoor acquires the AD FS service account permissions needed to access the AD FS configuration database.
Since FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatic access to the legitimate AD FS classes, methods, properties, fields, objects and components, which FoggyWeb subsequently leverages to facilitate its malicious operations, the report noted.
Since FoggyWeb is AD FS version-agnostic, it doesn’t need to keep track of legacy versus modern configuration table names and schemas, named pipe names and other version-dependent properties of AD FS.
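As an added example (not part of the article or of Microsoft’s write-up), the following PowerShell check hunts an AD FS server for the two file names named above. It assumes AD FS is installed under `$env:SystemRoot\ADFS` and that the loader would be dropped in that tree; both are assumptions, not facts from the article.

```powershell
# Added hunting check, not from the article or from Microsoft's write-up.
# Assumptions (not stated in the article): AD FS lives under
# $env:SystemRoot\ADFS and the loader DLL would sit somewhere in that tree.
# Run on the AD FS server itself from an elevated PowerShell session.

$adfsDir   = Join-Path $env:SystemRoot 'ADFS'
$artifacts = @('version.dll', 'Windows.Data.TimeZones.zh-PH.pri')

# Look for either file name anywhere under the AD FS directory, and do a
# broader sweep of the Windows directory for the encrypted payload file.
$candidates = @(
    Get-ChildItem -Path $adfsDir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $artifacts -contains $_.Name }
    Get-ChildItem -Path $env:SystemRoot -Recurse -File `
        -Filter 'Windows.Data.TimeZones.zh-PH.pri' -ErrorAction SilentlyContinue
) | Sort-Object FullName -Unique

foreach ($file in $candidates) {
    # A DLL next to AD FS binaries whose signature is not 'Valid' deserves a
    # closer look; the .pri file is a data file and will report NotSigned.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        Path      = $file.FullName
        SizeBytes = $file.Length
        Created   = $file.CreationTimeUtc
        Signature = $sig.Status
        SHA256    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    }
}

if (-not $candidates) {
    Write-Output "No FoggyWeb file-name artifacts found under $adfsDir or $env:SystemRoot"
}
```

A hit is a lead, not a verdict: preserve the file and its hash for analysis and review the AD FS service process and recent changes to the AD FS directory before cleaning up.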
“Protecting AD FS servers is key to mitigating NOBELIUM attacks. Detecting and blocking malware, attacker activity, and other malicious artifacts on AD FS servers can break critical steps in known NOBELIUM attack chains,” Microsoft concluded.
Last Year, the Sunburst Trojan Was Stopped by a Kill Switch
In December 2020, the dangerous Sunburst trojan was stopped by a joint kill switch devised by a team of specialists from Microsoft, GoDaddy, and FireEye.
A lot of information became available about the Sunburst Trojan after it was used in an intrusion against SolarWinds. The intrusion was reported to have been carried out through the company’s own application, Orion.
Following the discovery of the malware, and given the severity of the situation, a joint team of experts devised a kill switch to stop the malware from propagating further. The experts found that a single attacker-controlled domain was operating the main command-and-control service.
The kill switch worked by preventing new infections and stopping existing ones from running, by cutting off activity to that domain.