28 September 2021

Nobelium APT uses new backdoor to steal data from AD FS servers

The Microsoft Threat Intelligence Center (MSTIC) has discovered new malware used by the advanced persistent threat (APT) group known as Nobelium to steal data from compromised Active Directory Federation Services (AD FS) servers and to download and execute additional payloads on them.

Nobelium is believed to be the group behind last year’s SolarWinds supply-chain attack that led to the compromise of several US federal agencies. The group’s arsenal includes a variety of tactics to conduct credential theft, as well as sophisticated malware and tools, such as SUNBURST backdoor, TEARDROP, GoldMax, GoldFinder, and Sibot malware.

Microsoft described the discovered malware, which it dubbed FoggyWeb, as a “passive and highly targeted” backdoor that steals the certificates AD FS uses to sign and decrypt Security Assertion Markup Language (SAML) tokens, which is exactly the material an attacker needs to forge tokens and impersonate any federated user.

“Once NOBELIUM obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components. Use of FoggyWeb has been observed in the wild as early as April 2021,” Microsoft wrote in a new report.

The backdoor lets the attackers remotely exfiltrate sensitive information from a compromised AD FS server: it registers HTTP listeners for actor-defined URIs and intercepts GET and POST requests reaching the AD FS server that match those URI patterns, so its command traffic blends in with normal requests to the federation service. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.

After compromising an AD FS server, Nobelium drops two files on the system: %WinDir%\ADFS\version.dll and %WinDir%\SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri. The latter holds the encrypted FoggyWeb backdoor; the former is a malicious loader. Because version.dll sits in the AD FS installation directory, the AD FS service process picks it up ahead of the legitimate copy in System32 (DLL search-order hijacking), and the loader then reads and decrypts the backdoor file from disk.

After de-obfuscating the backdoor, the loader proceeds to load FoggyWeb in the execution context of the AD FS application.

“Since FoggyWeb runs in the context of the main AD FS process, it inherits the AD FS service account permissions required to access the AD FS configuration database. This contrasts with tools such as ADFSDump that must be executed under the user context of the AD FS service account. Also, because FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatical access to the legitimate AD FS classes, methods, properties, fields, objects, and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations,” Microsoft said.
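The two dropped-file paths quoted above, plus the fact that the loader rides inside the AD FS service process, give a defender three cheap checks to run on an AD FS server. The script below is an added example written for this page; it is not Microsoft's code and not part of the original article. It assumes the AD FS service is registered as "adfssrv" (its process is Microsoft.IdentityServer.ServiceHost.exe) and that the legitimate version.dll lives in System32; both are standard for AD FS on Windows Server but are stated here as assumptions. Run it elevated, in a 64-bit PowerShell, on the AD FS server itself.

```powershell
# Added hunting script (not from Microsoft's report or the article). Looks for the two
# FoggyWeb artefacts named in the article and for a version.dll mapped into the AD FS
# service process from anywhere other than System32.
# Assumptions: AD FS service name is 'adfssrv'; legitimate version.dll lives in System32.

$findings = @()

# 1. Dropped files at the exact locations the article quotes.
$droppedFiles = @(
    (Join-Path $env:WinDir 'ADFS\version.dll'),
    (Join-Path $env:WinDir 'SystemResources\Windows.Data.TimeZones\pris\Windows.Data.TimeZones.zh-PH.pri')
)
foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Check  = 'DroppedFile'
            Detail = "$path exists (size $($item.Length) bytes, SHA256 $hash, last write $($item.LastWriteTimeUtc) UTC)"
        }
    }
}

# 2. Any version.dll under the AD FS install directory is suspicious regardless of name
#    match: a copy here shadows the System32 one through DLL search order, and the real
#    one is Microsoft-signed.
$adfsDir = Join-Path $env:WinDir 'ADFS'
Get-ChildItem -LiteralPath $adfsDir -Filter 'version.dll' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $findings += [pscustomobject]@{
            Check  = 'VersionDllInAdfsDir'
            Detail = "$($_.FullName) signature: $($sig.Status); signer: $($sig.SignerCertificate.Subject)"
        }
    }

# 3. Modules loaded in the live AD FS service process. FoggyWeb executes inside this
#    process, so a version.dll mapped from outside System32 is a strong indicator even
#    if the on-disk file has since been removed.
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
if ($svc -and $svc.ProcessId) {
    $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
    $system32 = Join-Path $env:WinDir 'System32'
    foreach ($m in $proc.Modules) {
        if ($m.ModuleName -ieq 'version.dll' -and
            -not $m.FileName.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings += [pscustomobject]@{
                Check  = 'HijackedVersionDll'
                Detail = "AD FS process $($proc.Id) ($($proc.ProcessName)) loaded version.dll from $($m.FileName)"
            }
        }
    }
} else {
    Write-Warning 'AD FS service (adfssrv) not found or not running; in-process module check skipped.'
}

if ($findings.Count -eq 0) {
    Write-Output 'No FoggyWeb loader/backdoor artefacts found by these checks.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A clean result from these checks does not clear the host: the paths and file names are what Microsoft observed, and an operator can rename them. Treat check 3 as the most robust of the three, since it reflects what the AD FS process actually has mapped rather than what is on disk, and if anything fires, assume the token-signing and token-decryption certificates are compromised and plan to rotate them rather than just deleting the files.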

More detailed information along with Indicators of Compromise are available in Microsoft’s technical write-up on the topic.
