Security News > 2021 > September > Microsoft: Nobelium uses custom malware to backdoor Windows domains

Microsoft has discovered new malware used by the Nobelium hacking group to deploy additional payloads and steal sensitive info from Active Directory Federation Services servers.

The malware, dubbed by Microsoft Threat Intelligence Center researchers FoggyWeb, is a "Passive and highly targeted" backdoor that abuses the Security Assertion Markup Language token.

"NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components," Microsoft said.

Microsoft has already alerted notified customers that were targeted or compromised using this backdoor.

In May, Microsoft researchers also revealed four other malware families used by Nobelium in their attacks: a downloader known as 'BoomBox,' an HTML attachment named 'EnvyScout,' a shellcode downloader and launcher named 'VaporRage,' and a loader known as 'NativeZone,'.

"They detailed three more Nobelium malware strains used for layered persistence in March: a command-and-control backdoor dubbed 'GoldMax,' a persistence tool and malware dropper named 'Sibot," and an HTTP tracer tool tracked as 'GoldFinder.

News URL

https://www.bleepingcomputer.com/news/security/microsoft-nobelium-uses-custom-malware-to-backdoor-windows-domains/