Categories: BackdoorMalware

New FoggyWeb Malware Attack & Install a Backdoor On Active Directory FS Servers

Researchers from Microsoft uncovered a new malware from NOBELIUM ATP threat group named FoggyWeb that gains a persistence backdoor on Active Directory Federation Services (AD FS) servers.

NOBELIUM is an infamous APT threat group that is behind the various malware attacks such as SUNBURST backdoor, TEARDROP malware, GoldMax, GoldFinder, and Sibot.

FoggyWeb is a newly uncovered malware from the NOBELIUM group that performs on the post-exploitation process to gain the persistence backdoor access and exfiltrate the configuration database of compromised AD FS servers remotely.

FoggyWeb Attacking AD FS

FoggyWeb was widely observed on April 2021 and is a highly targeting backdoor capable of exfiltrating sensitive information from a compromised AD FS servers.

Its also uses the command & control server to download the additional malicious component and execute into the compromised servers.

Post compromising process, attackers dropping two files in which one has stored a Foggyweb while other files act as a loader responsible for loading the encrypted FoggyWeb backdoor and decrypting the backdoor using Lightweight Encryption Algorithm (LEA).

  • %WinDir%\ADFS\version.dll
  • %WinDir%\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri

Attackers also loading the AD FS service executable with the help of DLL search order hijacking technique.

According to the Microsoft report “After de-obfuscating the backdoor, the loader proceeds to load FoggyWeb in the execution context of the AD FS application. The loader, an unmanaged application, leverages the CLR hosting interfaces and APIs to load the backdoor, a managed DLL, in the same Application Domain within which the legitimate AD FS managed code is executed.”

It allows attackers to grant backdoor access to the AD FS codebase and resources, also FoggyWeb backdoor as a passive and persistent backdoor when it’s loaded.

The following illustration will define how the actor communicates with the FoggyWeb backdoor located on a compromised internet-facing AD FS server.

FoggyWeb Malware runs in the main AD FS process, it inherits the AD FS service account permissions required to access the AD FS configuration database.

In order to option this process, attackers use the ADFSDump that needs to be executed under the user context of the AD FS service account.

“FoggyWeb also gain the programmatical access to the legitimate AD FS classes, methods, properties, fields, objects, and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations,”Microsoft said.

Mitigations Suggested by Microsoft:

  • Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system.
  • Reduce local Administrators’ group membership on all AD FS servers.
  • Require all cloud admins to use multi-factor authentication (MFA).
  • Ensure minimal administration capability via agents.
  • Limit on-network access via host firewall.
  • Ensure AD FS Admins use Admin Workstations to protect their credentials.
  • Place AD FS server computer objects in a top-level OU that doesn’t also host other servers.
  • Ensure that all GPOs that apply to AD FS servers apply only to them and not to any other servers. This limits potential privilege escalation through GPO modification.
  • Ensure that the installed certificates are protected against theft. Don’t store these on a share on the network and set a calendar reminder to ensure they get renewed before expiring (expired certificate breaks federation auth). Additionally, we recommend protecting signing keys or certificates in a hardware security module (HSM) attached to AD FS.
  • Set logging to the highest level and send the AD FS (and security) logs to a SIEM to correlate with AD authentication as well as Azure AD (or similar).
  • Remove unnecessary protocols and Windows features.
  • Use a long (>25 characters) and complex password for the AD FS service account. We recommend using a Group Managed Service Account (gMSA) as the service account, as it removes the need for managing the service account password over time by managing it automatically.
  • Update to the latest AD FS version for security and logging improvements (as always, test first).
  • When federated with Azure AD follow the best practices for securing and monitoring the AD FS trust with Azure AD.

Indicators of compromise (IOCs)

TypeThreat NameThreat TypeIndicator
MD5FoggyWebLoader5d5a1b4fafaf0451151d552d8eeb73ec
SHA-1FoggyWebLoaderc896ece073dd01191cbc1d462bc2f47161828a83
SHA-256FoggyWebLoader231b5517b583de102cde59630c3bf938155d17037162f663874e4662af2481b1
MD5FoggyWebBackdoor (encrypted)9ff9401315d0f7258a9fcde0cfdef02b
SHA-1FoggyWebBackdoor (encrypted)4597431f26424cb814c917168fa8d74d01ab7cd1
SHA-256FoggyWebBackdoor (encrypted)da0be762bb785085d36aec80ef1697e25fb15414514768b3bcaf798dd9c9b169
MD5FoggyWebBackdoor (decrypted)e9671d294ce41fe6dbb9637dc0157a88
SHA-1FoggyWebBackdoor (decrypted)85cfeccbb48fd9f498d24711c66e458e0a80cc90
SHA-256FoggyWebBackdoor (decrypted)568392bd815de9b677788addfc4fa4b0a5847464b9208d2093a8623bbecd81e6

Found this article interesting!! Follow us on Linkedin,  Twitter,  Facebook for daily Cyber Security News & Updates

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra ID…

19 hours ago

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages Google…

20 hours ago

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated by…

20 hours ago

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool installers,…

21 hours ago

Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features

Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been recognized as a crucial tool for…

21 hours ago

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges

A recent discovery by security researchers at BeyondTrust has revealed a critical, yet by-design, security…

21 hours ago