Russia-Linked Nobelium Deploying New ‘FoggyWeb’ Malware –

3rd Party Risk Management , Application Security , Cybercrime

Microsoft: Malware Creates Backdoor to Exfiltrate Sensitive ADFS Server Data

Russia-Linked Nobelium Deploying New 'FoggyWeb' Malware
The steps to set up FoggyWeb’s backdoor (Source: Microsoft)

Nobelium, the cyberespionage group responsible for the SolarWinds supply chain attack, has developed and deployed a new malware dubbed FoggyWeb, according to a Microsoft Threat Intelligence Center blog.

See Also: OnDemand Webinar | Cloud applications: A Zero Trust approach to security in Healthcare

The Russia-linked threat actor uses FoggyWeb to create a backdoor in the servers of Active Directory Federation Services, or ADFS – a Microsoft software component that offers single sign-on solutions to its users – the blog says. As a component of Windows server operating system, ADFS provides users with authenticated access to applications that are not capable of using Integrated Windows Authentication through Active Directory, according to Teju Shyamsundar, senior product marketing manager at identity and access management company Okta.

Nobelium has been using FoggyWeb in the wild since April 2021 to remotely exfiltrate sensitive information from the ADFS servers, according to Microsoft. Customers affected by the malware – whose identities it did not disclose – have already been notified, the company blog adds.

Technical Details

FoggyWeb is “a passive and highly targeted backdoor” that exfiltrates information from compromised ADFS servers, according to Microsoft. It particularly eyes the configuration databases of those servers, decrypted token-signing certificates, and token-decryption certificates, the security blog notes.

The malware can also receive additional malicious components from a command-and-control, or C2, server and execute them on the compromised server, Microsoft adds.

After gaining administrative privileges on the compromised ADFS server, the threat group drops two files that can only be written with these privileges:

  • %WinDir%ADFSversion.dll – the loader file
  • WinDir%SystemResourcesWindows.Data.TimeZonesprisWindows.Data.TimeZones.zh-PH.pri – the encrypted FoggyWeb malware file

The ADFS service executable Microsoft[.]IdentityServer[.]ServiceHost[.]exe uses the DLL search order hijacking technique to load the said DLL file, according to Microsoft.

“This loader is responsible for loading the encrypted FoggyWeb backdoor file and utilizing a custom Lightweight Encryption Algorithm routine to decrypt the backdoor in memory,” the blog notes.

The malware is then loaded into the ADFS application by leveraging Microsoft’s virtual machine component CLR’s hosting interfaces and APIs in the same application domain. By taking this approach, it inherits the ADFS service account permissions required to access the configuration database, granting backdoor access to the ADFS codebase and resources, including the ADFS configuration database, Microsoft says.

Once installed, the backdoor monitors all incoming HTTP GET and POST requests sent to the ADFS server from the intranet/internet, and intercepts HTTP requests that match the custom URI patterns defined by the actor.

Fig2 FoggyWeb NOBELIUM ProxyEgg Russia-Linked Nobelium Deploying New 'FoggyWeb' Malware -

Methodology used by the threat actor to communicate with the FoggyWeb backdoor (Source: Microsoft)

Microsoft’s researchers say the most commonly configured listeners they have observed have the following HTTP GET and POST URI patterns:

  • /adfs/portal/images/theme/light01/profile.webp – Retrieves the token-signing certificate;
  • /adfs/portal/images/theme/light01/background.webp – Retrieves the token decryption certificate;
  • /adfs/portal/images/theme/light01/logo.webp – Retrieves the AD FS configuration data of the compromised server;
  • /adfs/services/trust/2005/samlmixed/upload – Used to download additional components from the C2 server.


Protecting ADFS servers is key to mitigating Nobelium attacks. Detecting and blocking the malware, the attacker’s activity, and other malicious artifacts on ADFS servers can break the attack chain.

Microsoft says it has implemented detection and protection parameters against FoggyWeb based on the indicators of compromise registered so far. It adds that ADFS deployments can also be strengthened by:

  • Restricting ADFS administrators’ access and rights;
  • Reducing group memberships on all ADFS servers;
  • Setting logging to the highest level and sending the ADFS and security logs to a SIEM to correlate with Active Directory authentication as well as Azure or other similar active directories;
  • Limiting on-network access via host firewall.

Microsoft offers detailed steps to secure ADFS and Web Application Proxy.

About Nobelium

Nobelium, also called UNC2542 by FireEye, StellarParticle by CrowdStrike, and Cozy Bear or APT29 by others, has been linked to Russia’s Foreign Intelligence Service, or SVR.

In March, researchers at Microsoft and FireEye disclosed that the hacker group had begun to use malware such as GoldMax, GoldFinder, Sibot and Sunshuttle (see: Researchers Disclose More Malware Used in SolarWinds Attack).

In July, Cozy Bear claimed to have gained access to the Republican National Committee through its connection to Synnex Corp., an IT services provider that reported an intrusion attempt against it (see: Republican National Committee Says Systems Weren’t Breached).

In August, the attackers compromised at least one email account at 27 U.S. attorneys’ offices in 15 states and Washington, D.C., throughout 2020, according to the U.S. Department of Justice. These various intrusions at federal prosecutors’ offices targeted the Microsoft Office 365 accounts belonging to department employees. The attackers were able to access all email communications as well as message attachments, the Justice Department notes (see: SolarWinds Attackers Accessed US Attorneys’ Office Emails).

In September, design software and 3D technology firm Autodesk acknowledged that it had been targeted by Nobelium, according to a financial filing with the U.S. Securities and Exchange Commission (see: Autodesk Says Company Was Targeted by SolarWinds Attackers).

Source of this news:

Related posts:

Intercepting HTTP traffic with Burp Proxy - The Daily Swig
In this tutorial, you'll use a live, deliberately vulnerable website to learn how to intercept and modify HTTP requests with Burp Proxy. Intercepting a request Burp Proxy lets you intercept HTTP r...
Ebooks, books that mattered to me this winter - The Cancer Flex letter
Skip for navigation Skip to content Subscription Change Our change will be effective at once and your card will be recharged a prorated amount dependent upon your ex...
Tales Battle is Launching its 3D NFT Multiverse World wide Game - MENAFN. COM
( MENAFN - Zex PR Wire) Wroclaw, Poland, thirteen Jan 2022, ZEXPRWIRE , Legends Endeavor, a 3D NFT Multiverse web game on the blockchain, is launching soon. This comes with an innovative ...
5 Ways Proxies Will Help You Get More Business on Social Media - Techzone360
Proxies are a fundamental link between your computer and the rest of the internet. While they safely secure your privacy and identity, a proxy address also ensures anonymity. This is the top reason w...
Asustor Drivestor 2 Pro AS3302T - Review 2021 - PCMag India
Designed for use as a personal cloud server, the Asustor Drivestor 2 Pro ($249) is a reasonably priced two-bay NAS that offers multi-gig connectivity and numerous USB ports. It also has a generous ca...
SSH Host Based Authentication - Security Boulevard
IntroductionAre you an organization that manages or hosts a huge pool of resources on remote locations/servers? Well, host-based authority-validation technique is the most-suited way to manage the a...
Good Tennessee vaccine official relates she was fired previously mentioned shots for teens : Baltimo...
As in much of the is actually, Tennessee’s virus outlook is carrying improved significantly since the the winter months, when cases soared. Inside the past two weeks, the number of unveiled repor...
The Vatican's Copyright Infringement Suit; Art Infringement - The National Law Review
Friday, June 18, 2021 Street artist Alessia Babrow has sued the Vatican, alleging that the Philatelic and Numismatic Office of the Vatican City State copied her artwork without her permission ...
Educate Yourself To Improve Your Online Privacy - Youth Incorporated -
Photo by Ed Webster from Pexels The internet is vast, and it connects millions of devices. Regardless of who you are and what you do, using a private proxy is beneficial. In recent years, private pro...
Trend Electronics : Annual Report 2019-20 -
Oracle Cloud now provides Arm CPUs at one cent per core hour - iTWire
Oracle today announced a new range of Arm compute instances based on Ampere’s ARM processors along with the tools and support to accelerate Arm-based application development. The new Arm offerings c...
Meet the Baconator — ProPublica - ProPublica
ProPublica is a nonprofit newsroom that investigates abuses of power. Sign up to receive our biggest stories as soon as they’re published. This post was co-published with Source. As a member of...
Study workers Discover Microsoft-Signed FiveSys Rootkit in the Wild - Usually the Hacker News
A newly identified rootkit has been found with a valid digital signature issued by Microsoft that's used to proxy traffic to internet addresses of interest to the attackers for over a year targ...
Key Reasons to Have a Proxy Server for Online Business in 2022 - Legal Reader
A proxy server acts as a go-between for your device and the destination website. The ordinary individual usually has just a hazy idea of what a proxy server is for. If you’re like the majority of ...
Deutsche Bank AG (DB) Q3 2021 Earnings Call Transcript - The Motley Fool
Image source: The Motley Fool. Deutsche Bank AG (NYSE:DB)Q3 2021 Earnings CallOct 27, 2021, 7:00 a.m. ETContents: Prepared Remarks Questions and Answers Call Participants Prepared Rema...
Contingent announces H4000 Essential for reasonable teams - Televisual
Quantum has published the release of the H4000 A must, an all-in-one appliance in which integrates Quantum CatDV about asset management and Dole StorNext 7 shared storage software on the H4000 li...
iOS 15: How to Hide Your primary IP Address From Trackers over Safari - MacRumors
20+ New iOS 16, iPadOS 16, and watchOS being unfaithful Features and Improvements Rumored to Arrive at WWDC 2022 The Girl Developers Conference (WWDC), Apple's annual developer and software-o...
ESET takes part in global operation to disrupt Zloader botnets - We Live Security
ESET researchers provided technical analysis, statistical information, and known command and control server domain names and IP addresses ESET has collaborated with partners Microsoft’s Digital Cri...

IP Rotating Proxy Onsale


First month free with coupon code FREE30