Nobelium APT uses new Post-Compromise malware MagicWeb

Russia-linked APT group Nobelium is behind a new sophisticated post-exploitation malware tracked by Microsoft as MagicWeb.

Microsoft security researchers discovered a post-compromise malware, tracked as MagicWeb, which is used by the Russia-linked NOBELIUM APT group to maintain persistent access to compromised environments. 

The NOBELIUM APT (APT29, Cozy Bear, and The Dukes) is the threat actor that conducted the supply chain attack against SolarWinds, which involved multiple families of implants, including the SUNBURST backdoor, TEARDROP malware, GoldMax malware, Sibot, and GoldFinder backdoors.

NOBELIUM focuses on government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers.

The Microsoft Threat Intelligence Center (MSTIC) researchers believe that MagicWeb was likely deployed during an ongoing compromise by NOBELIUM.

The researchers pointed out that Nobelium APT is still highly active, it managed multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia.

The experts found multiple similarities with the FoggyWeb malware that was detailed by Microsoft in September 2021.

FoggyWeb allows operators to exfiltrate the configuration database of compromised AD FS servers, decrypt token-signing certificates and token-decryption certificates, and download and execute additional malware components. MagicWeb implements the above capabilities and also allows the manipulation of the claims passed in tokens generated by an Active Directory Federated Services (AD FS) server. The malware is able to manipulate the user authentication certificates which are used for authentication, not the signing certificates used in attacks like Golden SAML.

MagicWeb is a malicious DLL, a tainted version of the Microsoft.IdentityServer.Diagnostics.dll file, used in AD FS operations. Once gained administrative access to an AD FS server via elevation of privilege and lateral movement, the attackers load the malicious DLL into the AD FS process by editing C:\Windows\AD FS\Microsoft.IdentityServer.Servicehost.exe.config to specify a different public token, which controls what loads into the AD FS process when it is started.

“NOBELIUM was able to deploy MagicWeb by first gaining access to highly privileged credentials and moving laterally to gain administrative privileges to an AD FS system. This is not a supply chain attack. The attacker had admin access to the AD FS system and replaced a legitimate DLL with their own malicious DLL, causing malware to be loaded by AD FS instead of the legitimate binary.” reads the analysis published by Microsoft. “Like domain controllers, AD FS servers can authenticate users and should therefore be treated with the same high level of security. Customers can defend against MagicWeb and other backdoors by implementing a holistic security strategy including the AD FS hardening guidance.” 

“NOBELIUM’s ability to deploy MagicWeb hinged on having access to highly privileged credentials that had administrative access to the AD FS servers, giving them the ability to perform whatever malicious activities they wanted to on the systems they had access to.” concludes the report. “It’s critical to treat your AD FS servers as a Tier 0 asset, protecting them with the same protections you would apply to a domain controller or other critical security infrastructure.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, MagicWeb)

[adrotate banner=”5″]

[adrotate banner=”13″]