MagicWeb Malware Used by NOBELIUM APT
Microsoft's Threat Intelligence Center published a report on a new piece of malware associated with a Russian-speaking advanced persistent threat actor known under the aliases APT29 and Cozy Bear and, in Microsoft's own naming, as NOBELIUM.
The new tool used by NOBELIUM is called MagicWeb and according to the report appears to be an evolution of an older malware used by the actor, named FoggyWeb. Both pieces of malware target Active Directory Federation Services (AD FS) platforms and are intended as post-compromise persistence toolkits.
MagicWeb replaces a legitimate DLL belonging to the AD FS platform with a malicious version. This lets the actor tamper with the authentication certificates and tokens that the system generates.
Once the malicious DLL is in place, the threat actor can authenticate as practically any user on the compromised AD FS instance. To implant the DLL in the first place, however, the attackers need highly privileged access to the server, usually through an administrator account.
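Because the persistence mechanism described above is a legitimate AD FS DLL swapped for a malicious one, the defensive check a practitioner wants is an inventory of the DLLs the AD FS server loads and their Authenticode status. The PowerShell below is an added example written for this page, not code from Microsoft's report or from its tooling. The scan paths (the AD FS binaries folder under `%windir%\ADFS` and the .NET Global Assembly Cache) and the service host process name `Microsoft.IdentityServer.ServiceHost` are assumptions about a default installation; adjust them for your environment.

```powershell
# Added example: flag AD FS-related DLLs that do not carry a valid Microsoft
# Authenticode signature. Paths and process name are assumptions about a default
# AD FS install; run elevated on the AD FS server itself.
param(
    # Assumed locations of AD FS binaries and of the .NET Global Assembly Cache.
    [string[]]$ScanPaths = @("$env:windir\ADFS", "$env:windir\Microsoft.NET\assembly"),
    # Assumed name of the AD FS service host process.
    [string]$AdfsProcessName = 'Microsoft.IdentityServer.ServiceHost'
)

function Get-DllSignatureFinding {
    # Examine one file and report its signature status and signer.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $fromMicrosoft = $subject -match 'O=Microsoft Corporation'
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer     = $subject
        # Anything that is not a valid, Microsoft-signed binary deserves a look.
        Suspicious = ($sig.Status -ne 'Valid') -or (-not $fromMicrosoft)
        LastWrite  = (Get-Item -LiteralPath $Path).LastWriteTime
    }
}

function Get-AdfsDllInventory {
    # Collect DLLs from the expected folders plus whatever the running service
    # host has loaded, so a DLL planted elsewhere is still examined.
    param([string[]]$Paths, [string]$ProcessName)
    $files = [System.Collections.Generic.List[string]]::new()
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            Get-ChildItem -LiteralPath $p -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
                ForEach-Object { $files.Add($_.FullName) }
        }
    }
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    foreach ($proc in $procs) {
        foreach ($m in $proc.Modules) {
            if ($m.FileName -like '*.dll') { $files.Add($m.FileName) }
        }
    }
    $files | Sort-Object -Unique
}

$findings = Get-AdfsDllInventory -Paths $ScanPaths -ProcessName $AdfsProcessName |
    ForEach-Object { Get-DllSignatureFinding -Path $_ }

# Most recently modified suspicious files first: a freshly replaced DLL stands out.
$findings | Where-Object Suspicious |
    Sort-Object LastWrite -Descending |
    Format-Table Path, Status, Signer, LastWrite -AutoSize
```

A flagged file is a lead, not a verdict: compare its hash and timestamp against a known-good copy or the vendor's installation media, and reconcile the modification time with change records for the server. Third-party components that legitimately live in the GAC will show up with a non-Microsoft signer and should be whitelisted once verified.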
Microsoft did not provide an extensive list of indicators of compromise, as NOBELIUM is known for customizing its infrastructure and the particular "attributes" of each attack.