{"id":3267,"date":"2021-09-28T19:35:04","date_gmt":"2021-09-28T14:05:04","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=3267"},"modified":"2021-09-28T19:35:06","modified_gmt":"2021-09-28T14:05:06","slug":"microsoft-nobelium-utilizes-custom-malware-to-backdoor-windows-domains","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/microsoft-nobelium-utilizes-custom-malware-to-backdoor-windows-domains\/","title":{"rendered":"Microsoft: Nobelium Utilizes Custom Malware to Backdoor Windows Domains"},"content":{"rendered":"\n<p style=\"text-align: justify;\">Microsoft has revealed new malware used by the Nobelium hacking group to deploy additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers.<\/p>\n\n\n\n<p style=\"text-align: justify;\">Nobelium, the threat actor behind last year\u2019s SolarWinds supply-chain attack that led to the compromise of some US federal agencies, is the hacking division of the Russian Foreign Intelligence Service (SVR), generally known as APT29, The Dukes, or Cozy Bear.<\/p>\n\n\n\n<p style=\"text-align: justify;\">The United States government has formally accused the SVR division of carrying out \u201cthe broad-scope cyber espionage campaign.\u201d Cybersecurity firm Volexity also linked the attacks to APT29 operators based on techniques observed in past incidents going back to 2018.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Utilized in the Wild since April 2021<\/strong><\/h2>\n\n\n\n<p style=\"text-align: justify;\">The malware, dubbed FoggyWeb by Microsoft Threat Intelligence Center (MSTIC) researchers, is a \u201cpassive and highly targeted\u201d backdoor that abuses Security Assertion Markup Language (SAML) tokens.<\/p>\n\n\n\n<p style=\"text-align: justify;\">It is designed to help the threat actors remotely exfiltrate sensitive information from compromised AD FS servers by configuring HTTP listeners for actor-defined URIs that intercept GET\/POST requests sent to the AD FS server matching the custom URI patterns.<\/p>\n\n\n\n<p style=\"text-align: justify;\">\u201cNOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and run additional components,\u201d Microsoft said.<\/p>\n\n\n\n<p style=\"text-align: justify;\">\u201cIt can also receive additional malicious components from a command-and-control (C2) server and run them on the compromised server.\u201d FoggyWeb works as a persistent backdoor that allows abuse of SAML tokens and configures HTTP listeners for actor-defined URIs to intercept GET\/POST requests sent to the AD FS server that match the custom URI patterns.<\/p>\n\n\n\n<p style=\"text-align: justify;\">The Russian state hackers have been observed using the FoggyWeb backdoor in the wild since April 2021.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"975\" height=\"415\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/Microsoft-Nobelium-Utilizes-Custom-Malware-to-Backdoor-Windows-Domains-image1.png\" alt=\"Microsoft-Nobelium-Utilizes-Custom-Malware-to-Backdoor-Windows-Domains-image1\" class=\"wp-image-3270\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/Microsoft-Nobelium-Utilizes-Custom-Malware-to-Backdoor-Windows-Domains-image1.png 975w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/Microsoft-Nobelium-Utilizes-Custom-Malware-to-Backdoor-Windows-Domains-image1-300x128.png 300w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/Microsoft-Nobelium-Utilizes-Custom-Malware-to-Backdoor-Windows-Domains-image1-768x327.png 768w\" sizes=\"(max-width: 975px) 100vw, 975px\" \/><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>FoggyWeb Defense Information<\/strong><\/h2>\n\n\n\n<p style=\"text-align: justify;\">Microsoft has already notified customers that were targeted or compromised using this backdoor.<\/p>\n\n\n\n<p style=\"text-align: justify;\">Organizations that believe they might have been breached or compromised are advised to:<\/p>\n\n\n\n<ul><li>Audit on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and other changes the actor might have made to maintain their access.<\/li><li>Remove user and app access, review configurations for each, and re-issue new, strong credentials following documented industry best practices.<\/li><li>Use a hardware security module (HSM), as described in the guidance on securing AD FS servers, to prevent the exfiltration of secrets by FoggyWeb.<\/li><\/ul>\n\n\n\n<p style=\"text-align: justify;\">In May, Microsoft researchers also reported four other malware families used by Nobelium in their attacks: a downloader known as &#8216;BoomBox,&#8217; an HTML attachment named &#8216;EnvyScout,&#8217; a shellcode downloader and launcher named &#8216;VaporRage,&#8217; and a loader known as &#8216;NativeZone.&#8217;<\/p>\n\n\n\n<p style=\"text-align: justify;\">In March, they reported three more Nobelium malware strains used for layered persistence: a command-and-control backdoor dubbed &#8216;GoldMax,&#8217; a persistence tool and malware dropper named &#8216;Sibot,&#8217; and an HTTP tracer tool tracked as &#8216;GoldFinder.&#8217;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft has revealed new malware used by the Nobelium hacking group to deploy additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers. 
Nobelium, the threat actor behind last year\u2019s SolarWinds supply-chain attack that led to the compromise of some US federal agencies, is the hacking division of the Russian Foreign [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":3269,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"yoast_head_json":{"title":"Microsoft: Nobelium Utilizes Custom Malware to Backdoor Windows Domains - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/microsoft-nobelium-utilizes-custom-malware-to-backdoor-windows-domains\/","og_locale":"en_US","og_type":"article","og_title":"Microsoft: Nobelium Utilizes Custom Malware to Backdoor Windows Domains - Xiarch Solutions Private Limited","og_description":"Microsoft has revealed new malware used by the Nobelium hacking group to deploy additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers. Nobelium, the threat actor behind last year\u2019s SolarWinds supply-chain attack that led to the compromise of some US federal agencies, is the hacking division of the Russian Foreign [&hellip;]","og_url":"https:\/\/xiarch.com\/blog\/microsoft-nobelium-utilizes-custom-malware-to-backdoor-windows-domains\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-09-28T14:05:04+00:00","article_modified_time":"2021-09-28T14:05:06+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/Microsoft-Nobelium-Utilizes-Custom-Malware-to-Backdoor-Windows-Domains-featured-image.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/microsoft-nobelium-utilizes-custom-malware-to-backdoor-windows-domains\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/microsoft-nobelium-utilizes-custom-malware-to-backdoor-windows-domains\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"Microsoft: Nobelium Utilizes Custom Malware to Backdoor Windows Domains","datePublished":"2021-09-28T14:05:04+00:00","dateModified":"2021-09-28T14:05:06+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/microsoft-nobelium-utilizes-custom-malware-to-backdoor-windows-domains\/"},"wordCount":464,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Vulnerabilities"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/microsoft-nobelium-utilizes-custom-malware-to-backdoor-windows-domains\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/microsoft-nobelium-utilizes-custom-malware-to-backdoor-windows-domains\/","url":"https:\/\/xiarch.com\/blog\/microsoft-nobelium-utilizes-custom-malware-to-backdoor-windows-domains\/","name":"Microsoft: Nobelium Utilizes Custom Malware to Backdoor Windows Domains - Xiarch Solutions Private 
Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-09-28T14:05:04+00:00","dateModified":"2021-09-28T14:05:06+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/microsoft-nobelium-utilizes-custom-malware-to-backdoor-windows-domains\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/microsoft-nobelium-utilizes-custom-malware-to-backdoor-windows-domains\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/microsoft-nobelium-utilizes-custom-malware-to-backdoor-windows-domains\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Microsoft: Nobelium Utilizes Custom Malware to Backdoor Windows Domains"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch 
Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}}}