MagicWeb is the name of a new post-exploitation (post-compromise) tool discovered and detailed by Microsoft security researchers. The tool is attributed to the Nobelium APT (advanced persistent threat) group which uses it to maintain persistent access to compromised systems.
This threat group has been actively targeting government, non-governmental and intergovernmental organizations, as well as think tanks, across the United States, Europe, and Central Asia.
MagicWeb Post-Exploitation Malware Discovered by Microsoft
Microsoft researchers believe that MagicWeb was deployed during an ongoing attack by Nobelium in order “to maintain access during strategic remediation steps that could preempt eviction.” This threat actor has been known to exploit identities and access via stolen credentials for the purpose of maintaining persistence. MagicWeb is an expected capability added to the attackers’ arsenal of tools.
Last year, Microsoft revealed another post-exploitation tool possessed by the Nobelium threat actor. Called FoggyWeb, the post-exploit backdoor was leveraged in malicious operations to maintain persistence. Described as “passive” and “highly targeted,” FoggyWeb was also equipped with sophisticated data exfiltration capabilities as well as the ability to download and execute additional components.
In terms of data collection capabilities, MagicWeb “goes beyond” FoggyWeb’s capacity, as it can facilitate covert access directly. The malware is a malicious DLL allowing manipulations of the claims passed in tokens generated by an Active Directory Federated Services (AD FS) server. MagicWeb “manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML,” Microsoft added.
It is also noteworthy that MagicWeb can be deployed only after gaining highly privileged access to an environment and then moving laterally to an AD FS server. To achieve this purpose, the threat actor created a backdoored DLL by copying the legitimate Microsoft.IdentityServer.Diagnostics.dll file used in AD FS operations.
“The legitimate version of this file is catalog signed by Microsoft and is normally loaded by the AD FS server at startup to provide debugging capabilities,” Microsoft explained. The threat actor's backdoored version of the file is unsigned. Access to the AD FS server means that Nobelium could have carried out any number of actions in the compromised environment, but they specifically went for an AD FS server for their goals of persistence and information gathering.
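The detail that the legitimate Microsoft.IdentityServer.Diagnostics.dll is catalog signed while the backdoored copy is unsigned gives defenders a straightforward check. The following PowerShell script is an added example, not code from Microsoft's report: it verifies the signature of every DLL in the AD FS install directory and of every module the running AD FS service has loaded, and flags anything that is not validly signed by Microsoft. The default install path `C:\Windows\ADFS` and the service process name `Microsoft.IdentityServer.ServiceHost` are assumptions about a standard deployment; adjust them for your environment. Run it elevated on the AD FS server.

```powershell
# Added example (not from the Microsoft report): flag AD FS DLLs that are not
# validly signed by Microsoft, on disk and as loaded by the AD FS service.
# Assumed defaults: install path C:\Windows\ADFS and service process name
# Microsoft.IdentityServer.ServiceHost; override both parameters as needed.
param(
    [string]$AdfsPath = 'C:\Windows\ADFS',
    [string]$ServiceProcess = 'Microsoft.IdentityServer.ServiceHost'
)

function Test-AdfsDll {
    param([string]$Path)
    # Get-AuthenticodeSignature reports 'Valid' for both embedded and catalog
    # signatures, so the legitimate catalog-signed DLL passes and an unsigned
    # replacement does not.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = $signer
        Sha256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Suspicious = ($sig.Status -ne 'Valid') -or
                     ($signer -notmatch 'CN=Microsoft (Corporation|Windows)')
    }
}

# 1. DLLs present in the AD FS install directory.
$onDisk = Get-ChildItem -Path $AdfsPath -Filter *.dll -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-AdfsDll -Path $_.FullName }

# 2. DLLs actually mapped into the running AD FS service, which catches a
#    replacement loaded from a path outside the install directory.
$loaded = Get-Process -Name $ServiceProcess -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Modules } |
    Where-Object { $_.FileName -like '*.dll' } |
    Select-Object -ExpandProperty FileName -Unique |
    ForEach-Object { Test-AdfsDll -Path $_ }

$all      = @($onDisk) + @($loaded) | Sort-Object Path -Unique
$findings = $all | Where-Object Suspicious

# The file named in the report deserves an explicit line even when it is clean.
$diag = $all | Where-Object { $_.Path -like '*Microsoft.IdentityServer.Diagnostics.dll' }
if ($diag) {
    $diag | Format-Table Path, Status, Signer, Sha256 -AutoSize
} else {
    Write-Warning 'Microsoft.IdentityServer.Diagnostics.dll was not found on disk or in the service.'
}

if ($findings) {
    Write-Warning ("{0} AD FS DLL(s) are not validly Microsoft-signed:" -f @($findings).Count)
    $findings | Format-Table Path, Status, Signer, Sha256 -AutoSize
} else {
    Write-Output 'All checked AD FS DLLs carry a valid Microsoft signature.'
}
```

The hash column exists so a finding can be compared against a known-good copy from a clean AD FS server or against a vendor-published file hash; the script deliberately does not hard-code any hash, since the page provides none. Because a validly signed module can still be the wrong module, treat the signature check as a first filter and follow a hit with the usual eviction steps for a compromised AD FS host rather than simply restoring the file.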