Microsoft: Nobelium uses custom malware to backdoor Windows domains (Security News, September 2021)
Microsoft has discovered new malware used by the Nobelium hacking group to deploy additional payloads and steal sensitive info from Active Directory Federation Services servers.
The malware, dubbed FoggyWeb by Microsoft Threat Intelligence Center researchers, is a "passive and highly targeted" backdoor that abuses Security Assertion Markup Language (SAML) tokens.
"NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components," Microsoft said.
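Because FoggyWeb is described as stealing the token-signing and token-decryption certificates, the practical defender question is whether the certificates currently loaded by AD FS are the ones you expect, and whether they have actually been rotated after a suspected compromise. The following PowerShell is an added example written for this page, not code from Microsoft or from the article: it records a baseline of the AD FS certificate thumbprints on the first run and, on later runs, reports any certificate that is not in the baseline or any baseline certificate that has disappeared. It uses the real `Get-AdfsCertificate` and `Get-AdfsProperties` cmdlets from the ADFS module; the baseline file path is an assumed location.

```powershell
# Added example: inventory AD FS token-signing / token-decrypting certificates
# and diff them against a previously recorded baseline.
# Run on an AD FS server as an administrator; the ADFS module ships with the role.
param(
    # Assumed location for the baseline file; adjust to your environment.
    [string]$BaselinePath = 'C:\ProgramData\AdfsCertBaseline.json'
)

Import-Module ADFS -ErrorAction Stop

# Only the certificate types that matter for token forgery and decryption.
$types = @('Token-Signing', 'Token-Decrypting')

$current = foreach ($t in $types) {
    Get-AdfsCertificate -CertificateType $t | ForEach-Object {
        [pscustomobject]@{
            CertificateType = $_.CertificateType
            Thumbprint      = $_.Thumbprint
            IsPrimary       = $_.IsPrimary
            NotAfter        = $_.Certificate.NotAfter
        }
    }
}

# Automatic rollover (self-signed certs renewed by AD FS itself) changes what
# "expected" means, so surface the setting next to the inventory.
$autoRollover = (Get-AdfsProperties).AutoCertificateRollover
Write-Output "AutoCertificateRollover: $autoRollover"

if (-not (Test-Path $BaselinePath)) {
    # First run: record what is installed now as the baseline.
    @($current) | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
    $current | Format-Table -AutoSize
    return
}

$baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)

# Key each certificate by type plus thumbprint so a cert reused under a
# different type still shows up as a change.
$known = @{}
foreach ($b in $baseline) { $known["$($b.CertificateType):$($b.Thumbprint)"] = $true }

$seen = @{}
foreach ($c in $current) { $seen["$($c.CertificateType):$($c.Thumbprint)"] = $true }

$unexpected = $current  | Where-Object { -not $known.ContainsKey("$($_.CertificateType):$($_.Thumbprint)") }
$missing    = $baseline | Where-Object { -not $seen.ContainsKey("$($_.CertificateType):$($_.Thumbprint)") }

if ($unexpected) {
    Write-Warning 'Certificates present in AD FS but not in the baseline:'
    $unexpected | Format-Table -AutoSize | Out-String | Write-Warning
}
if ($missing) {
    Write-Warning 'Baseline certificates no longer present in AD FS:'
    $missing | Format-Table -AutoSize | Out-String | Write-Warning
}
if (-not $unexpected -and -not $missing) {
    Write-Output 'AD FS token certificates match the recorded baseline.'
}
```

Record the baseline from a server you trust, store the file somewhere the AD FS service account cannot rewrite, and re-run the check after any certificate rotation: a rotation that was supposed to happen should show the old thumbprint as missing and the new one as unexpected, after which the baseline is refreshed deliberately.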
Microsoft has already notified customers that were targeted or compromised using this backdoor.
In May, Microsoft researchers also revealed four other malware families used by Nobelium in their attacks: a downloader known as 'BoomBox,' an HTML attachment named 'EnvyScout,' a shellcode downloader and launcher named 'VaporRage,' and a loader known as 'NativeZone.'
They detailed three more Nobelium malware strains used for layered persistence in March: a command-and-control backdoor dubbed 'GoldMax,' a persistence tool and malware dropper named 'Sibot,' and an HTTP tracer tool tracked as 'GoldFinder.'