Microsoft cybersecurity researchers have found evidence of a new malware employed by the threat actor behind the high-profile SolarWinds attacks, to create a persistent backdoor into compromised servers.
Dubbed FoggyWeb the malware, which drops a post-exploitation backdoor, was discovered by Microsoft Threat Intelligence Center (MSTIC) as it continues to track the activities of the state-sponsored SolarWinds attackers they refer to as Nobelium.
“Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS [Active Directory Federation Services] servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components,” notes MSTIC researchers in a blog post.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
- Here's our choice of the best malware removal software on the market
- These are the best ransomware protection tools
- Check our roundup of the best endpoint protection tools
Based on their analysis, the Microsoft researchers believe that Nobelium has been using FoggyWeb in campaigns since as early as April 2021.
Tools of the trade
Unraveling the working on the newly discovered malware, the researchers argue that it ties into Nobelium’s tactics for stealing credentials after compromising the AD FS servers.
“Once Nobelium obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools,” argue the researchers.
That’s where the malware comes into play. Described as a “passive and highly targeted backdoor” FoggyWeb helps attackers remotely exfiltrate sensitive information from a compromised AD FS server.
Digging into the malware, MSTIC researchers learned that FoggyWeb can also receive additional malicious components from a command-and-control (C2) server for further actions on the compromised server.
The researchers add that they’ve shared the details of the malware, including indicators of compromise, with customers who were observed as being targeted or compromised by FoggyWeb.
- Protect your devices with these best antivirus software