Microsoft warns: Active Directory FoggyWeb malware being actively used by Nobelium gang

Submitted by Style Pass, 2021-09-28 11:30:08

Microsoft has warned of a new tool designed to exfiltrate credentials and introduce a backdoor into Active Directory servers that is under active use by the Nobelium threat actor group.

The FoggyWeb malware, Microsoft has declared, targets Microsoft Active Directory Federation Services (AD FS) servers: it exfiltrates credentials, configuration databases, and decrypted token-signing and token-decryption certificates, and it downloads additional components to set up a permanent backdoor and attack the network more widely.

"Because FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatical access to the legitimate AD FS classes, methods, properties, fields, objects, and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations," Ramin Nafisi, Microsoft Threat Intelligence Centre researcher, wrote in an analysis of the malware.

"FoggyWeb is also AD FS version-agnostic; it does not need to keep track of legacy versus modern configuration table names and schemas, named pipe names, and other version-dependent properties of AD FS."
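As an added defender-side check (not code from the article or from Microsoft), the following PowerShell audit enumerates the modules loaded into the AD FS service host process and reports any that are not validly Authenticode-signed by Microsoft, since code loaded into the AD FS application domain from an on-disk file, as described above, would surface here as an unexpected module. The process name Microsoft.IdentityServer.ServiceHost is the standard AD FS service process; the signer-subject pattern is an assumption about the expected signer.

```powershell
# Added example: read-only audit of modules loaded into the AD FS service process.
# Run in an elevated PowerShell session on the AD FS server itself.

$ServiceProcessName = 'Microsoft.IdentityServer.ServiceHost'   # AD FS service host process
$ExpectedSigner     = 'O=Microsoft Corporation'                 # assumption: expected signer subject

$procs = Get-Process -Name $ServiceProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning "No running process named $ServiceProcessName found; is this an AD FS server?"
    return
}

foreach ($proc in $procs) {
    Write-Host "Inspecting PID $($proc.Id) ($($proc.Path))"
    # Unique on-disk module paths mapped into the process
    $modulePaths = $proc.Modules | Select-Object -ExpandProperty FileName -Unique
    foreach ($path in $modulePaths) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $isTrusted = ($sig.Status -eq 'Valid') -and ($signer -match [regex]::Escape($ExpectedSigner))
        if (-not $isTrusted) {
            # Emit one record per suspicious module for triage or export to CSV
            [pscustomobject]@{
                PID       = $proc.Id
                Module    = $path
                SigStatus = $sig.Status
                Signer    = $signer
                SHA256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            }
        }
    }
}
```

Managed assemblies loaded purely from memory never appear in the native module list, so a clean result is only a partial check and should be paired with file-system and event-log review of the AD FS server.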
