NOBELIUM group has been spotted using a new malware that allows it to authenticate as anyone in a targeted network. The Russian threat group was observed targeting entities in the U.S., Europe, and Asia.

NOBELIUM and MagicWeb

Microsoft has observed the NOBELIUM group using a new malicious tool MagicWeb and having features similar to the FoggyWeb backdoor. 
  • To carry out an attack, the tool requires admin access to the target ADFS server by replacing a DLL with a tainted version. However, it is suspected this has already happened in at least one case.
  • The tool exfiltrates the configuration database from compromised ADFS servers. It then decrypts the token signing and decryption certificates, and then downloads additional payloads from its C2 server.,
  • The tool replaces a genuine DLL used by ADFS with a malicious one to manipulate user authentication certificates and change claims passed in tokens produced by the infected server.
  • As the ADFS servers facilitate user authentication, the tool allows the attacker in validating authentication for any user account on a server, giving persistence and opportunities for additional malicious activities.

Replacing DLL

  • NOBELIUM replaces the Microsoft.IdentityServer.Diagnostics.dll with a backdoored version with an additional section in the ‘TraceLog’ class.
  • This new section is a static constructor run once during the loading of the DLL while launching the ADFS server.
  • The constructor is used to hook four legitimate ADFS functions, named Build, GetClientCertificate, EndpointConfiguration, and ProcessClaims to perform various actions inside the targeted network.

What to do?

Microsoft suggests following the hunting guidance provided in their report and looking for unsigned DLLs in GAC (Global Assembly Cache) with 365 Defender. Further, listing non-Microsoft signed DLLs in GAC using PowerShell may help in discovering the malicious library replacements.
Cyware Publisher