This article has been indexed from E Hacking News – Latest Hacker News and IT Security News
Researchers from Microsoft Threat Intelligence Center (MSTIC) identified FoggyWeb, a new custom malware utilized by the Nobelium APT group to distribute further payloads and steal critical information from Active Directory Federation Services (AD FS) servers.
FoggyWeb is a post-exploitation backdoor utilized by the APT group to remotely exfiltrate the setup databases of affected Active Directory Federation Services (AD FS) servers, as well as the decrypted token-signing and token-decryption certificates. It also enables threat actors to download and execute additional elements.
The analysis published by Microsoft stated, “Once NOBELIUM obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components.”
“Use of FoggyWeb has been observed in the wild as early as April 2021.”
The hackers load FoggyWeb from the encrypted file Windows.Data.TimeZones.zh-PH.pri using the version.dll DLL. The version.dll is loaded by the AD FS service executable ‘Microsoft.IdentityServer.ServiceHost.exe’ via the DLL search order hijacking approach, which involves the core Common Language Runt
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: Nobelium APT Group Uses Custom Backdoor to Target Windows Domains