New malware from SolarWinds attackers leaves behind a backdoor


Microsoft cybersecurity researchers have found evidence of new malware employed by the threat actor behind the high-profile SolarWinds attacks to create a persistent backdoor into compromised servers.

Dubbed FoggyWeb, the malware, which drops a post-exploitation backdoor, was discovered by Microsoft Threat Intelligence Center (MSTIC) as it continues to track the activities of the state-sponsored SolarWinds attackers it refers to as Nobelium.

“Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS [Active Directory Federation Services] servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components,” note MSTIC researchers in a blog post.


Based on their analysis, the Microsoft researchers believe that Nobelium has been using FoggyWeb in campaigns since as early as April 2021.

Tools of the trade

Unraveling the workings of the newly discovered malware, the researchers argue that it ties into Nobelium’s tactics for stealing credentials after compromising the AD FS servers.

“Once Nobelium obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools,” argue the researchers.

That’s where the malware comes into play. Described as a “passive and highly targeted backdoor,” FoggyWeb helps attackers remotely exfiltrate sensitive information from a compromised AD FS server.

Digging into the malware, MSTIC researchers learned that FoggyWeb can also receive additional malicious components from a command-and-control (C2) server for further actions on the compromised server.

The researchers add that they’ve shared the details of the malware, including indicators of compromise, with customers who were observed as being targeted or compromised by FoggyWeb.

Mayank Sharma
