3rd Party Risk Management , Application Security , Cybercrime

Russia-Linked Nobelium Deploying New 'FoggyWeb' Malware

Microsoft: Malware Creates Backdoor to Exfiltrate Sensitive ADFS Server Data
Russia-Linked Nobelium Deploying New 'FoggyWeb' Malware
The steps to set up FoggyWeb's backdoor (Source: Microsoft)

Nobelium, the cyberespionage group responsible for the SolarWinds supply chain attack, has developed and deployed a new malware dubbed FoggyWeb, according to a Microsoft Threat Intelligence Center blog.

See Also: Splunk Named a 10-Time Leader in Gartner® Magic Quadrant™ for SIEM

The Russia-linked threat actor uses FoggyWeb to create a backdoor in the servers of Active Directory Federation Services, or ADFS - a Microsoft software component that offers single sign-on solutions to its users - the blog says. As a component of Windows server operating system, ADFS provides users with authenticated access to applications that are not capable of using Integrated Windows Authentication through Active Directory, according to Teju Shyamsundar, senior product marketing manager at identity and access management company Okta.

Nobelium has been using FoggyWeb in the wild since April 2021 to remotely exfiltrate sensitive information from the ADFS servers, according to Microsoft. Customers affected by the malware - whose identities it did not disclose - have already been notified, the company blog adds.

Technical Details

FoggyWeb is "a passive and highly targeted backdoor" that exfiltrates information from compromised ADFS servers, according to Microsoft. It particularly eyes the configuration databases of those servers, decrypted token-signing certificates, and token-decryption certificates, the security blog notes.

The malware can also receive additional malicious components from a command-and-control, or C2, server and execute them on the compromised server, Microsoft adds.

After gaining administrative privileges on the compromised ADFS server, the threat group drops two files that can only be written with these privileges:

  • %WinDir%ADFSversion.dll - the loader file
  • WinDir%SystemResourcesWindows.Data.TimeZonesprisWindows.Data.TimeZones.zh-PH.pri - the encrypted FoggyWeb malware file

The ADFS service executable Microsoft[.]IdentityServer[.]ServiceHost[.]exe uses the DLL search order hijacking technique to load the said DLL file, according to Microsoft.

"This loader is responsible for loading the encrypted FoggyWeb backdoor file and utilizing a custom Lightweight Encryption Algorithm routine to decrypt the backdoor in memory," the blog notes.

The malware is then loaded into the ADFS application by leveraging Microsoft's virtual machine component CLR's hosting interfaces and APIs in the same application domain. By taking this approach, it inherits the ADFS service account permissions required to access the configuration database, granting backdoor access to the ADFS codebase and resources, including the ADFS configuration database, Microsoft says.

Once installed, the backdoor monitors all incoming HTTP GET and POST requests sent to the ADFS server from the intranet/internet, and intercepts HTTP requests that match the custom URI patterns defined by the actor.

Methodology used by the threat actor to communicate with the FoggyWeb backdoor (Source: Microsoft)

Microsoft's researchers say the most commonly configured listeners they have observed have the following HTTP GET and POST URI patterns:

  • /adfs/portal/images/theme/light01/profile.webp - Retrieves the token-signing certificate;
  • /adfs/portal/images/theme/light01/background.webp - Retrieves the token decryption certificate;
  • /adfs/portal/images/theme/light01/logo.webp - Retrieves the AD FS configuration data of the compromised server;
  • /adfs/services/trust/2005/samlmixed/upload - Used to download additional components from the C2 server.


Protecting ADFS servers is key to mitigating Nobelium attacks. Detecting and blocking the malware, the attacker's activity, and other malicious artifacts on ADFS servers can break the attack chain.

Microsoft says it has implemented detection and protection parameters against FoggyWeb based on the indicators of compromise registered so far. It adds that ADFS deployments can also be strengthened by:

  • Restricting ADFS administrators' access and rights;
  • Reducing group memberships on all ADFS servers;
  • Setting logging to the highest level and sending the ADFS and security logs to a SIEM to correlate with Active Directory authentication as well as Azure or other similar active directories;
  • Limiting on-network access via host firewall.

Microsoft offers detailed steps to secure ADFS and Web Application Proxy.

About Nobelium

Nobelium, also called UNC2542 by FireEye, StellarParticle by CrowdStrike, and Cozy Bear or APT29 by others, has been linked to Russia's Foreign Intelligence Service, or SVR.

In March, researchers at Microsoft and FireEye disclosed that the hacker group had begun to use malware such as GoldMax, GoldFinder, Sibot and Sunshuttle (see: Researchers Disclose More Malware Used in SolarWinds Attack).

In July, Cozy Bear claimed to have gained access to the Republican National Committee through its connection to Synnex Corp., an IT services provider that reported an intrusion attempt against it (see: Republican National Committee Says Systems Weren't Breached).

In August, the attackers compromised at least one email account at 27 U.S. attorneys' offices in 15 states and Washington, D.C., throughout 2020, according to the U.S. Department of Justice. These various intrusions at federal prosecutors' offices targeted the Microsoft Office 365 accounts belonging to department employees. The attackers were able to access all email communications as well as message attachments, the Justice Department notes (see: SolarWinds Attackers Accessed US Attorneys' Office Emails).

In September, design software and 3D technology firm Autodesk acknowledged that it had been targeted by Nobelium, according to a financial filing with the U.S. Securities and Exchange Commission (see: Autodesk Says Company Was Targeted by SolarWinds Attackers).

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.