FoggyWeb Malware Used by the Nobelium APT Actors

Revil Ransomware Hits a Law Firm

One of the largest cybercrime campaigns of 2021 was the supply-chain attack against the SolarWinds software vendor. The group behind it, the Nobelium APT, is still active. They are developing different types of malware, and trying to exploit a wide range of Internet-facing Web applications. One of their latest targets appear to be Active Directory Federation Services (AD FS) – in these attacks, the criminals are using a new custom piece of malware dubbed FoggyWeb.

Apart from working as a post-exploitation tool, the FoggyWeb Malware can also come in handy when the hackers want to collect credentials from infected systems. The stolen credentials are often used to exploit and infect more AD FS servers. Allegedly, the FoggyWeb Malware has been active since April 2021. However its activity has been increasing rapidly over the past few months.

FoggyWeb Malware Focuses on Exfiltrating Credentials

The threat appears to be used in highly-targeted attacks, and the criminals are likely to have bigger plans for the future of their operation. This threat works as a backdoor Trojan, which silently collects and exfiltrates data from compromised servers. While its primary focus are login credentials, the implant could also steal specific files or other information. Furthermore, it supports a wide range of remote commands, which the attackers could execute through their command-and-control server. So far, the FoggyWeb Malware appears to be a backdoor with the sole purpose of infecting AD FS servers. Of course, it is possible that the Nobelium hackers might rework it to target other environments and services in the future.

The SolarWinds hackers are likely to rely on cleverly engineered email spearphishing campaigns to deliver the payload. This was the case in May 2021 when they impersonated the US Agency for International Development. Of course, malware propagation tactics that high-profile APT actors use evolve constantly. It would not be a surprise if they opt to explore other techniques as well.

September 28, 2021