
MagicWeb Malware

The MagicWeb Malware is another potent threat observed as part of the threatening arsenal of the state-sponsored APT (Advanced Persistent Threat) group known as APT29, NOBELIUM or Cozy Bear. NOBELIUM is believed to have ties to Russia, and its typical targets have been government and other critical organizations in Europe, Asia and the US. The MagicWeb Malware allows the attackers to hide their presence on the victim's network. Details about the malware and the way it operates were released in a report by Microsoft.

According to the findings of Microsoft's researchers, MagicWeb represents an evolution of a previously identified malware tool known as FoggyWeb. The hackers could use the older threat to collect the configuration databases of breached ADFS (Active Directory Federation Services) servers, decrypt chosen token-signing/token-decryption certificates, or fetch additional payloads from the operation's Command-and-Control (C2, C&C) server and deploy them to infected systems.

When it comes to MagicWeb specifically, the threat locates a legitimate DLL ('Microsoft.IdentityServer.Diagnostics.dll') used by ADFS and replaces it with a malicious version capable of manipulating users' authentication certificates. In essence, the NOBELIUM hackers become able to pass authentication as any user account on the server, establish persistence within the breached network and gain plenty of opportunities to spread even further. It should be noted that, to function properly, MagicWeb requires that the cybercriminals already possess admin access to the target ADFS server. Microsoft warns that one such case has already been identified.
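As an added example (not code from the article or from Microsoft's report), the following PowerShell check is one way a defender can inspect an ADFS server for a replaced copy of the assembly named above. It lists every file with that name under a search root, records its Authenticode signature status and signer, its SHA-256 hash and its last-write time, and flags anything that is unsigned, not signed by Microsoft, or absent from a hash baseline. The default search root (the .NET assembly directory under the Windows folder) is an assumption about where the DLL lives on a given host; adjust it and supply a baseline of hashes taken from a known-clean ADFS server.

```powershell
# Added example, not from the original article.
# Integrity check for the ADFS diagnostics assembly that MagicWeb is reported to replace.
# Assumptions: run on the ADFS server with local admin rights; $SearchRoot is an assumed
# location and should be adjusted; $KnownGoodSha256 is filled from a trusted baseline.
param(
    [string]$SearchRoot = "$env:WINDIR\Microsoft.NET\assembly",   # assumed location
    [string]$DllName    = 'Microsoft.IdentityServer.Diagnostics.dll',
    [string[]]$KnownGoodSha256 = @()   # SHA-256 hashes from a known-clean ADFS server
)

$findings = @()

Get-ChildItem -Path $SearchRoot -Filter $DllName -Recurse -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
    $hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Collect the reasons this copy deserves a closer look.
    $reasons = @()
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status is $($sig.Status)"
    }
    if ($signer -notmatch 'O=Microsoft Corporation') {
        $reasons += "signer is '$signer'"
    }
    if ($KnownGoodSha256.Count -gt 0 -and $hash -notin $KnownGoodSha256) {
        $reasons += 'hash not in baseline'
    }

    $findings += [pscustomobject]@{
        Path         = $_.FullName
        Signer       = $signer
        SigStatus    = $sig.Status
        Sha256       = $hash
        LastWriteUtc = $_.LastWriteTimeUtc
        Suspicious   = ($reasons -join '; ')
    }
}

# Copies with a non-empty Suspicious column sort to the top.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A signature check alone is not conclusive: because MagicWeb is deployed only after the attackers already hold admin rights on the ADFS server, the host's own signature verification can no longer be fully trusted. Comparing hashes and last-write times against a clean reference server, and reviewing how and when admin access to the ADFS server was obtained, are the complementary steps that make this check worthwhile.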
