FoggyWeb Malware Description
The FoggyWeb Malware is one of the latest threatening additions to the malware arsenal of the APT (Advanced Persistent Threat) group NOBELIUM. This particular group has demonstrated that it has access to resources that far surpass those of other cybercrime groups. The hackers from NOBELIUM employ multiple highly targeted, custom-made, powerful threats and are updating their toolkit constantly. Last year's supply-chain attack against SolarWinds is attributed to the group, while earlier this year it launched an email campaign in which the hackers impersonated the US Agency for International Development (USAID).
According to a report by Microsoft, which continues to track the activities of the cybercrime group, the FoggyWeb malware has been in active use since at least April 2021. The malware threat is a passive backdoor with multiple functionalities. It is deployed on compromised Active Directory Federation Services (AD FS) servers. NOBELIUM's goal is to exfiltrate sensitive information from the infected machines, with FoggyWeb being capable of collecting the configuration data of the breached AD FS servers, decrypted token-signing certificates, and token-decryption certificates. In addition, the backdoor can be instructed to fetch and execute additional harmful components on the system.
FoggyWeb can attack any AD FS version, and it inherits all account permissions required to access the server's configuration database. It also has programmatic access to the legitimate AD FS classes, properties, objects, fields, components, and methods, which it then abuses to carry out its threatening activities.
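Because the backdoor is described as harvesting the token-signing and token-decryption certificates of the AD FS farm, a defender who suspects a compromise needs to inventory those certificates and replace them. The PowerShell script below is an added example written for this article; it is not code from Microsoft's report or from the malware. It assumes it runs elevated on an AD FS server where the built-in ADFS module is available, uses only the standard Get-AdfsCertificate, Get-AdfsProperties and Update-AdfsCertificate cmdlets, and the -Rotate switch and its behaviour are this example's own design.

```powershell
# Added example (not part of the original article): list the AD FS
# token-signing and token-decryption certificates that FoggyWeb is
# described as collecting, and optionally force an urgent rollover.
# Assumption: run elevated on an AD FS server with the ADFS module.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # When set, generate new primary certificates immediately
    # (hypothetical switch defined by this example).
    [switch]$Rotate
)

Import-Module ADFS -ErrorAction Stop

# The two certificate types whose private keys must be treated as
# exposed once a backdoor on the AD FS server can read them.
$types = 'Token-Signing', 'Token-Decrypting'

foreach ($type in $types) {
    Write-Host "== $type certificates =="
    Get-AdfsCertificate -CertificateType $type |
        Select-Object CertificateType, IsPrimary, Thumbprint,
            @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } },
            @{ n = 'Subject';  e = { $_.Certificate.Subject } } |
        Format-Table -AutoSize
}

$props = Get-AdfsProperties
if (-not $props.AutoCertificateRollover) {
    # Externally managed certificates cannot be rolled by AD FS itself;
    # they have to be reissued and installed out of band.
    Write-Warning 'AutoCertificateRollover is disabled; certificates must be replaced manually.'
}

if ($Rotate) {
    if (-not $props.AutoCertificateRollover) {
        throw 'Update-AdfsCertificate requires AutoCertificateRollover to be enabled.'
    }
    foreach ($type in $types) {
        if ($PSCmdlet.ShouldProcess("AD FS $type certificate", 'Urgent rollover')) {
            # -Urgent makes the newly generated certificate primary at once
            # instead of after the normal promotion delay.
            Update-AdfsCertificate -CertificateType $type -Urgent
        }
    }
}
```

Run it without arguments first to record thumbprints and expiry dates for the incident timeline, then with -Rotate (or -Rotate -WhatIf to preview) once the server itself has been dealt with. Note that a single urgent rollover leaves the previous primary certificate in the secondary slot, so a second rollover is needed to retire the exposed certificate completely, and every relying party and federated identity provider must then be updated with the new federation metadata or it will stop trusting tokens from the farm.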