Researchers at Microsoft observed the activity of the Russia-backed Nobelium APT, which uses the MagicWeb backdoor after gaining administrative privileges to an Active Directory Federation Services (AD FS) server.
With that elevated access, the attackers replace a legitimate DLL with the malicious MagicWeb DLL, so that the malware is loaded by AD FS as if it were legitimate.
MagicWeb is a post-compromise capability used to maintain persistent access to compromised environments and move laterally.
AD FS servers authenticate users. MagicWeb lets the threat actors abuse this by manipulating the claims passed in authentication tokens generated by an AD FS server; thus, they can authenticate as any user on the network.
MagicWeb is a better iteration of the previously used specialized FoggyWeb tool, which establishes a difficult-to-shake foothold inside victim networks.
MagicWeb goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML, Microsoft explained.
NOBELIUM remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia.
Microsoft Defender Antivirus
Microsoft Defender Antivirus provides detection for this threat under the following malware name:
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint customers may see the following alert as an indication of a possible attack:
- ADFS persistent backdoor detected