A Custom Malware Is Used by Nobelium APT to Backdoor Windows Domains

The hacking group is using new malware to deploy additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers.

Cozy Bear is a cybercriminal organization suspected of being linked to one or more Russian intelligence services. The US federal government classifies it as an advanced persistent threat, APT29. CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM are some of the names given to the group by different cybersecurity firms.

It is intended to help the attackers remotely exfiltrate sensitive information from compromised AD FS servers: the backdoor installs HTTP listeners for actor-defined URIs, intercepting GET/POST requests sent to the AD FS server that match the custom URI patterns.

The backdoor is used to exfiltrate the AD FS token-signing certificate and token-decryption certificate, as well as to download and execute additional components: it can receive further malicious components from a command-and-control (C2) server and execute them on the compromised server.
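As an added defensive example (not code from the article or from Heimdal), the check below flags HTTP.sys URL reservations on an AD FS host that are not in a known-good baseline. It assumes the general shape of `netsh http show urlacl` output; the sample output and the baseline list are constructed here for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of `netsh http show urlacl` output from an AD FS host
# (assumption: this is the general shape of that command's output).
# The first two entries are normal AD FS prefixes; the third is an
# obviously fake placeholder standing in for an unexpected reservation.
SAMPLE_URLACL = """\
URL Reservations:
-----------------

    Reserved URL            : https://+:443/adfs/
        User: NT SERVICE\\adfssrv
            Listen: Yes
            Delegate: No

    Reserved URL            : https://+:443/FederationMetadata/2007-06/
        User: NT SERVICE\\adfssrv
            Listen: Yes
            Delegate: No

    Reserved URL            : https://+:443/EXAMPLE-UNEXPECTED-PREFIX/
        User: NT AUTHORITY\\SYSTEM
            Listen: Yes
            Delegate: No
"""

# Assumed baseline: URL prefix -> principal expected to hold it on a
# plain AD FS server. Build the real list from a known-good host.
BASELINE = {
    "https://+:443/adfs/": "nt service\\adfssrv",
    "https://+:443/federationmetadata/2007-06/": "nt service\\adfssrv",
}

ENTRY_RE = re.compile(r"Reserved URL\s*:\s*(?P<url>\S+)\s+User:\s*(?P<user>[^\n]+)")

def parse_urlacl(text: str) -> List[Dict[str, str]]:
    """Extract (url, user) pairs from netsh-style URL reservation output."""
    return [{"url": m["url"].strip().lower(), "user": m["user"].strip().lower()}
            for m in ENTRY_RE.finditer(text)]

def find_unexpected(entries: List[Dict[str, str]], baseline=BASELINE) -> List[str]:
    """Report prefixes absent from the baseline, and baseline prefixes
    held by a principal other than the expected one."""
    findings = []
    for e in entries:
        expected = baseline.get(e["url"])
        if expected is None:
            findings.append(f"unexpected reservation {e['url']} by {e['user']}")
        elif expected != e["user"]:
            findings.append(f"{e['url']} held by {e['user']}, expected {expected}")
    return findings

if __name__ == "__main__":
    for finding in find_unexpected(parse_urlacl(SAMPLE_URLACL)):
        print("FINDING:", finding)
```

A listener registered underneath an already reserved prefix (for example by code running inside the AD FS service process) does not create a new reservation, so pair this with `netsh http show servicestate`, which lists the URLs currently registered with HTTP.sys.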


Read More: https://heimdalsecurity.com/blog/a-custom-malware-is-used-by-nobelium-apt-to-backdoor-windows-domains/