The Nobelium hacking group is using new malware to deploy additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers.
Cozy Bear is a cybercriminal organization suspected of being linked to one or more Russian intelligence services. The US federal government classifies it as an advanced persistent threat (APT29). CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM are some of the names different cybersecurity organizations have given the group.
The malware, which researchers at the Microsoft Threat Intelligence Center (MSTIC) dubbed FoggyWeb, is a "passive and highly targeted" backdoor that abuses Security Assertion Markup Language (SAML) tokens.
It is intended to help attackers remotely exfiltrate sensitive data from compromised AD FS servers: it installs HTTP listeners for actor-defined URIs, which intercept GET and POST requests sent to the AD FS server that match those custom URI patterns.
NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, the decrypted token-signing certificate, and the token-decryption certificate, as well as to download additional malicious components from a command-and-control (C2) server and execute them on the compromised server.
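Because the backdoor answers requests on URIs that AD FS itself never exposes, one defender-side check is to review the web request telemetry of an AD FS server for successful requests outside the product's known endpoints, and for POST requests to paths that should only ever serve static theme content. The script below is an added example written for this article, not code from Microsoft or from the FoggyWeb report; the log lines are constructed in combined-log style, as a reverse proxy in front of AD FS might write them, and the endpoint allowlist is an assumption that has to be tuned to a real farm.

```python
"""Flag HTTP requests that an AD FS server would not normally serve.

Added example for the FoggyWeb article. All log lines below are constructed;
the allowlist of AD FS endpoint prefixes is an assumption to tune per deployment.
"""
import re
from urllib.parse import urlsplit

# Known AD FS endpoint prefixes, lower-cased (assumption; extend for your own farm).
KNOWN_ADFS_PREFIXES = (
    "/adfs/ls",
    "/adfs/services/trust",
    "/adfs/oauth2",
    "/adfs/portal/",
    "/adfs/.well-known/",
    "/federationmetadata/",
)

# Extensions AD FS serves only as static theme content; a POST to one of these is anomalous.
STATIC_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".css", ".js", ".ico", ".svg")

# Constructed combined-log-style lines (not real telemetry); the last line is deliberately malformed.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2021:10:00:01 +0000] "POST /adfs/ls/?client-request-id=00000000-0000-0000-0000-000000000001 HTTP/1.1" 200 4521
10.0.0.5 - - [01/Oct/2021:10:00:02 +0000] "GET /FederationMetadata/2007-06/FederationMetadata.xml HTTP/1.1" 200 9981
10.0.0.7 - - [01/Oct/2021:10:01:15 +0000] "GET /adfs/portal/images/site/banner.png HTTP/1.1" 200 3201
198.51.100.23 - - [01/Oct/2021:10:03:10 +0000] "POST /adfs/portal/images/site/banner.png HTTP/1.1" 200 12
198.51.100.23 - - [01/Oct/2021:10:04:00 +0000] "GET /export/config.bin HTTP/1.1" 200 2048000
garbage line that does not parse
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path.lower()  # drop the query string, normalise case
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec


def is_known_adfs_path(path):
    """True if the path sits under one of the allowlisted AD FS endpoint prefixes."""
    return any(path.startswith(prefix) for prefix in KNOWN_ADFS_PREFIXES)


def is_static_asset(path):
    """True if the path ends in an extension AD FS only serves as static content."""
    return path.endswith(STATIC_EXTENSIONS)


def find_unexpected_requests(lines):
    """Return findings for successful requests that AD FS itself would not normally answer.

    Rule 1: the path is outside the known AD FS endpoints.
    Rule 2: a POST hits a static-asset path.
    Only 2xx responses are reported: a 404 means nothing was listening on that URI.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not 200 <= rec["status"] < 300:
            continue
        if not is_known_adfs_path(rec["path"]):
            findings.append({**rec, "reason": "path outside known AD FS endpoints"})
        elif rec["method"] == "POST" and is_static_asset(rec["path"]):
            findings.append({**rec, "reason": "POST to static asset path"})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_requests(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['target']} -> {f['reason']}")
```

On the constructed input the script reports two requests: the POST to a `.png` under the portal path and the GET of `/export/config.bin`, while the ordinary sign-in POST, the metadata download and the normal image fetch pass. Both rules only work against a response status of 2xx on purpose: a request that AD FS rejected with 404 indicates nothing extra was listening, whereas a 200 on a URI the product does not define means some component on the server answered it.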