Table of Contents
Microsoft has discovered a new malware "MagicWeb" used by NOBELIUM which behind the SolarWinds supply chain attack in December 2020 and which group overlaps with Russian nation-state hacking group widely known as APT29, CozyBear, or The Dukes.
MagicWeb is an enhanced version of FoggyWeb malware.
FoggyWeb was capable of exfiltrating the configuration database of compromised AD FS servers, decrypting token-signing certificates and token-decryption certificates, and downloading and executing additional malware components. MagicWeb goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly. MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services (AD FS) server. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML.
MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone - Microsoft Security Blog
Microsoft security researchers have discovered a post-compromise capability we’re calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments.
#APT #Campaing #Report #IoCs
