Microsoft researchers have identified a previously unknown backdoor called FoggyWeb used by the attackers behind the SolarWinds compromise to target Active Directory Federation Services (AD FS) servers, access and exfiltrate the server’s configuration database, and maintain persistence on machines.
The backdoor has been used in highly targeted attacks against a small number of organizations by the group that Microsoft refers to as Nobelium. The group operates from Russia and is also responsible for the attack on SolarWinds late last year that resulted in the compromise of hundreds of the company's customers. Microsoft itself was a victim in the same operation, and the company's researchers have been tracking Nobelium's movements and tools for months. Nobelium specifically targets AD FS servers, using a variety of tactics to steal admin credentials for those servers and then install malware and backdoors.
FoggyWeb is the most recently discovered of the group's tools. Microsoft found that the backdoor has a wide range of functionality, including the ability to stay hidden on targeted machines and to intercept requests sent to the AD FS server.
“NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components,” Ramin Nafisi of the Microsoft Threat Intelligence Center wrote in an analysis of the tool.
“FoggyWeb is stored in the encrypted file Windows.Data.TimeZones.zh-PH.pri, while the malicious file version.dll can be described as its loader. The AD FS service executable Microsoft.IdentityServer.ServiceHost.exe loads the said DLL file via the DLL search order hijacking technique that involves the core Common Language Runtime (CLR) DLL files (described in detail in the FoggyWeb loader section). This loader is responsible for loading the encrypted FoggyWeb backdoor file and utilizing a custom Lightweight Encryption Algorithm (LEA) routine to decrypt the backdoor in memory.”
Nafisi said that only a small number of Microsoft customers had been targeted with FoggyWeb, all of which have already been notified.
The initial stage of infection involves a loader that has the same name as a legitimate Windows component, version.dll. Rather than downloading anything, the loader reads the encrypted backdoor file from disk and decrypts it in memory, so the decrypted backdoor is never written to disk.
“NOBELIUM, with existing administrative permissions, was observed to drop a malicious loader named version.dll in the %WinDir%\ADFS\ folder where the AD FS service executable Microsoft.IdentityServer.ServiceHost.exe is located. Once the system or the AD FS service is restarted, Microsoft.IdentityServer.ServiceHost.exe loads mscoree.dll, which in turn loads mscoreei.dll,” Nafisi said.
“Once loaded, instead of loading the legitimate version.dll from the %WinDir%\System32\ folder, mscoreei.dll loads the malicious version.dll planted by the attacker in %WinDir%\ADFS\ folder.”
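The hijack described above leaves a small, checkable footprint: a version.dll sitting next to Microsoft.IdentityServer.ServiceHost.exe, and, after a restart, the service process holding a version.dll that was not loaded from System32. The PowerShell script below is an added hunting example written for this article, not code from Microsoft's write-up. The folder and file names come from the quoted analysis; the choice of checks (signature and hash comparison, a recursive search for the payload file name because the article does not give its directory, and a loaded-module check on the running service) is this example's own assumption. Run it as Administrator on the AD FS host.

```powershell
# Added example (not Microsoft's code): hunt for FoggyWeb loader indicators
# on an AD FS server. Paths come from the article; the checks are assumptions.

$adfsDir  = Join-Path $env:WinDir 'ADFS'
$sys32Dll = Join-Path $env:WinDir 'System32\version.dll'
$planted  = Join-Path $adfsDir 'version.dll'
$findings = @()

# 1. The legitimate version.dll lives in System32. A copy in the AD FS folder,
#    next to Microsoft.IdentityServer.ServiceHost.exe, is the search-order hijack.
if (Test-Path $planted) {
    $sig     = Get-AuthenticodeSignature -FilePath $planted
    $hash    = (Get-FileHash -Path $planted  -Algorithm SHA256).Hash
    $refHash = (Get-FileHash -Path $sys32Dll -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Check  = 'version.dll present in AD FS folder'
        Path   = $planted
        Detail = "Signature=$($sig.Status) Signer=$($sig.SignerCertificate.Subject) SHA256=$hash (System32 copy: $refHash)"
    }
}

# 2. Any DLL in the AD FS folder that is unsigned or not Microsoft-signed is
#    suspect; the service binary and its dependencies there should all be signed.
Get-ChildItem -Path $adfsDir -Filter '*.dll' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += [pscustomobject]@{
            Check  = 'Unsigned or non-Microsoft DLL in AD FS folder'
            Path   = $_.FullName
            Detail = "Signature=$($sig.Status) Signer=$($sig.SignerCertificate.Subject)"
        }
    }
}

# 3. The encrypted backdoor file name from the write-up. Its directory is not
#    given in the article, so search the whole Windows directory tree (assumption).
Get-ChildItem -Path $env:WinDir -Recurse -Filter 'Windows.Data.TimeZones.zh-PH.pri' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{
        Check  = 'FoggyWeb encrypted payload file name'
        Path   = $_.FullName
        Detail = "SHA256=$((Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash)"
    }
}

# 4. The hijack only takes effect once the service restarts. If it is running,
#    confirm from which directory the process actually loaded version.dll.
foreach ($p in (Get-Process -Name 'Microsoft.IdentityServer.ServiceHost' -ErrorAction SilentlyContinue)) {
    try {
        $p.Modules | Where-Object { $_.ModuleName -ieq 'version.dll' } | ForEach-Object {
            if ($_.FileName -notlike "$env:WinDir\System32\*") {
                $findings += [pscustomobject]@{
                    Check  = 'version.dll loaded from outside System32'
                    Path   = $_.FileName
                    Detail = "PID=$($p.Id)"
                }
            }
        }
    } catch {
        Write-Warning "Could not enumerate modules of PID $($p.Id): $_"
    }
}

if ($findings.Count -eq 0) { 'No FoggyWeb loader indicators found.' } else { $findings | Format-List }
```

A clean server reports no findings; a hit on check 1 or 4 means the service is (or will be after the next restart) loading attacker-controlled code with the AD FS service account's privileges, and the token-signing and token-decryption certificates should be treated as compromised until proven otherwise.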
The FoggyWeb backdoor joins a growing list of other malware associated with Nobelium attacks, including Sunburst and Teardrop, that have been used in the group's earlier operations. Nobelium's attacks tend to be quite targeted and selective, with the noise around the SolarWinds intrusion being the exception.