FoggyWeb malware, associated with the advanced persistent threat group NOBELIUM, is yet another threatening addition to the group's malware arsenal. The group, thought to operate from Russia, has employed multiple highly targeted, powerful custom-made threats and appears to update its toolkit regularly.
The widely reported and devastating supply-chain attack against SolarWinds in 2020 was attributed to the group. Additionally, earlier in 2021, it launched an email campaign in which the attackers impersonated the US Agency for International Development.
According to Microsoft, NOBELIUM's FoggyWeb malware has been in active use since at least April 2021. The threat has been observed to be a passive backdoor with multiple functionalities, and it was seen deployed on compromised Active Directory Federation Services (ADFS) servers.
NOBELIUM's goal is to obtain data: FoggyWeb is capable of collecting configuration data from the breached ADFS servers, along with decrypted token-signing certificates and token-decryption certificates. FoggyWeb can also target any ADFS version, and it inherits all of the account permissions required to access the server's configuration database.
Dealing with NOBELIUM and FoggyWeb Malware
Entities in both the public and private sectors, as well as individuals, should be aware of FoggyWeb malware. They should scan their systems with reputable malware remediation software to check whether their computers have been compromised by FoggyWeb. If that is the case, they should remove it immediately using the same reputable malware remediation software.