Microsoft warns: Active Directory FoggyWeb malware being actively used by Nobelium gang

Microsoft has warned of a new tool designed to exfiltrate credentials and introduce a backdoor into Active Directory servers that is under active use by the Nobelium threat actor group.
The FoggyWeb malware, Microsoft says, targets Active Directory Federation Services (AD FS) servers. It exfiltrates credentials, the AD FS configuration database, and the decrypted token-signing and token-decryption certificates, and it can download additional components to establish a persistent backdoor and extend the attack across the wider network.
"Because FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatical access to the legitimate AD FS classes, methods, properties, fields, objects, and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations," Ramin Nafisi, a Microsoft Threat Intelligence Center researcher, wrote in an analysis of the malware.
Systems compromised by the malware leak credentials and other private data, Microsoft has confirmed, while giving attackers a remotely controlled backdoor into the server, with command-and-control traffic disguised as ordinary HTTP GET and POST requests.
Separately, the group succeeded in a phishing attack on Microsoft's support desk, retrieving private customer data which the company confirmed included "information regarding... Microsoft Services subscriptions" and was used "in some cases" to launch further "highly-targeted attacks as part of [a] broader campaign."
The FoggyWeb malware is detected in Microsoft Defender Antivirus as Trojan:Win32/FoggyWeb.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/09/28/active_directory_foggyweb_malware/