Researchers from Microsoft uncovered a new malware from NOBELIUM ATP threat group named FoggyWeb that gains a persistence backdoor on Active Directory Federation Services (AD FS) servers.
NOBELIUM is an infamous APT threat group that is behind the various malware attacks such as SUNBURST backdoor, TEARDROP malware, GoldMax, GoldFinder, and Sibot.
FoggyWeb is a newly uncovered malware from the NOBELIUM group that performs on the post-exploitation process to gain the persistence backdoor access and exfiltrate the configuration database of compromised AD FS servers remotely.
FoggyWeb Attacking AD FS
FoggyWeb was widely observed on April 2021 and is a highly targeting backdoor capable of exfiltrating sensitive information from a compromised AD FS servers.
Its also uses the command & control server to download the additional malicious component and execute into the compromised servers.
Post compromising process, attackers dropping two files in which one has stored a Foggyweb while other files act as a loader responsible for loading the encrypted FoggyWeb backdoor and decrypting the backdoor using Lightweight Encryption Algorithm (LEA).
- %WinDir%\ADFS\version.dll
- %WinDir%\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri
Attackers also loading the AD FS service executable with the help of DLL search order hijacking technique.
According to the Microsoft report “After de-obfuscating the backdoor, the loader proceeds to load FoggyWeb in the execution context of the AD FS application. The loader, an unmanaged application, leverages the CLR hosting interfaces and APIs to load the backdoor, a managed DLL, in the same Application Domain within which the legitimate AD FS managed code is executed.”
It allows attackers to grant backdoor access to the AD FS codebase and resources, also FoggyWeb backdoor as a passive and persistent backdoor when it’s loaded.
The following illustration will define how the actor communicates with the FoggyWeb backdoor located on a compromised internet-facing AD FS server.
FoggyWeb Malware runs in the main AD FS process, it inherits the AD FS service account permissions required to access the AD FS configuration database.
In order to option this process, attackers use the ADFSDump that needs to be executed under the user context of the AD FS service account.
“FoggyWeb also gain the programmatical access to the legitimate AD FS classes, methods, properties, fields, objects, and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations,”Microsoft said.
Mitigations Suggested by Microsoft:
- Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system.
- Reduce local Administrators’ group membership on all AD FS servers.
- Require all cloud admins to use multi-factor authentication (MFA).
- Ensure minimal administration capability via agents.
- Limit on-network access via host firewall.
- Ensure AD FS Admins use Admin Workstations to protect their credentials.
- Place AD FS server computer objects in a top-level OU that doesn’t also host other servers.
- Ensure that all GPOs that apply to AD FS servers apply only to them and not to any other servers. This limits potential privilege escalation through GPO modification.
- Ensure that the installed certificates are protected against theft. Don’t store these on a share on the network and set a calendar reminder to ensure they get renewed before expiring (expired certificate breaks federation auth). Additionally, we recommend protecting signing keys or certificates in a hardware security module (HSM) attached to AD FS.
- Set logging to the highest level and send the AD FS (and security) logs to a SIEM to correlate with AD authentication as well as Azure AD (or similar).
- Remove unnecessary protocols and Windows features.
- Use a long (>25 characters) and complex password for the AD FS service account. We recommend using a Group Managed Service Account (gMSA) as the service account, as it removes the need for managing the service account password over time by managing it automatically.
- Update to the latest AD FS version for security and logging improvements (as always, test first).
- When federated with Azure AD follow the best practices for securing and monitoring the AD FS trust with Azure AD.
Indicators of compromise (IOCs)
| Type | Threat Name | Threat Type | Indicator |
| MD5 | FoggyWeb | Loader | 5d5a1b4fafaf0451151d552d8eeb73ec |
| SHA-1 | FoggyWeb | Loader | c896ece073dd01191cbc1d462bc2f47161828a83 |
| SHA-256 | FoggyWeb | Loader | 231b5517b583de102cde59630c3bf938155d17037162f663874e4662af2481b1 |
| MD5 | FoggyWeb | Backdoor (encrypted) | 9ff9401315d0f7258a9fcde0cfdef02b |
| SHA-1 | FoggyWeb | Backdoor (encrypted) | 4597431f26424cb814c917168fa8d74d01ab7cd1 |
| SHA-256 | FoggyWeb | Backdoor (encrypted) | da0be762bb785085d36aec80ef1697e25fb15414514768b3bcaf798dd9c9b169 |
| MD5 | FoggyWeb | Backdoor (decrypted) | e9671d294ce41fe6dbb9637dc0157a88 |
| SHA-1 | FoggyWeb | Backdoor (decrypted) | 85cfeccbb48fd9f498d24711c66e458e0a80cc90 |
| SHA-256 | FoggyWeb | Backdoor (decrypted) | 568392bd815de9b677788addfc4fa4b0a5847464b9208d2093a8623bbecd81e6 |
Found this article interesting!! Follow us on Linkedin,  Twitter,  Facebook for daily Cyber Security News & Updates
