MagicWeb Tool, the newest Nobelium weapon for attacks

September 8, 2022
MagicWeb Tool Nobelium Malware Cyberattacks Cybercrime Backdoor

The Nobelium cybercriminal group has been seen using a new piece of malware called MagicWeb Tool that enables it to authenticate as any user in a targeted system. The Russian-speaking gang was spotted targeting entities in Asia, Europe, and the US with the new tool.

According to Microsoft, the Nobelium group is using the MagicWeb kit, which shares features with the FoggyWeb backdoor. The tool requires administrative access to the target's ADFS server, where it substitutes a malicious version of a legitimate DLL to carry out its attack.

However, other researchers claimed that the new Nobelium attack had already occurred in at least one instance. The malicious kit steals the configuration database from infected ADFS servers.

The MagicWeb tool can add numerous payloads retrieved from its C2 server.

Subsequently, the MagicWeb tool decrypts the token-signing and token-decryption certificates and downloads additional payloads from its command-and-control server. It also replaces a legitimate DLL used by ADFS with a malicious one in order to control user authentication certificates and alter the claims passed in tokens issued by the compromised server.

The tool also allows the threat actors to pass authentication as any user account on a server, since the ADFS servers handle the user authentication process. This gives the hackers persistence and opportunities for further malicious activity.

The Nobelium group replaces Microsoft.IdentityServer.Diagnostics.dll with a compromised version containing an additional section in its TraceLog code. The new section is a static constructor that runs once, when the ADFS server loads the DLL.

The threat group then uses the constructor to hook four legitimate ADFS functions, EndpointConfiguration, ProcessClaims, Build, and GetClientCertificate, in order to perform several actions within the targeted network.

As of now, researchers are analysing the attack to come up with a better plan for identifying such activity.

However, experts from Microsoft advised users to follow the hunting guidance given in the report and to look for unsigned DLLs in the Global Assembly Cache with Microsoft 365 Defender. Users are also advised to review the list of non-Microsoft-signed DLLs in the Global Assembly Cache using PowerShell to help identify hostile replacements in the library.
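The PowerShell review described above, as an added example that is not part of the article or of Microsoft's report: it enumerates every DLL in the Global Assembly Cache of an ADFS server, checks each one's Authenticode signature, and lists those that are unsigned or not signed by Microsoft. It assumes the default GAC locations under %WINDIR%; adjust $GacRoots if your installation differs.

```powershell
# Added example: hunt for unsigned or non-Microsoft DLLs in the Global Assembly Cache.
# Assumption: default .NET GAC paths under %WINDIR% (both the .NET 4.x and legacy trees).
$GacRoots = @(
    "$env:WINDIR\Microsoft.NET\assembly\GAC_MSIL",
    "$env:WINDIR\Microsoft.NET\assembly\GAC_32",
    "$env:WINDIR\Microsoft.NET\assembly\GAC_64",
    "$env:WINDIR\assembly\GAC_MSIL",
    "$env:WINDIR\assembly\GAC_32",
    "$env:WINDIR\assembly\GAC_64"
)

$Findings = Get-ChildItem -Path $GacRoots -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Get-AuthenticodeSignature reports NotSigned, Valid, HashMismatch, etc.
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [PSCustomObject]@{
            Path     = $_.FullName
            Status   = $sig.Status
            Signer   = $signer
            Modified = $_.LastWriteTimeUtc
        }
    } |
    Where-Object {
        # Keep anything that is not a validly signed Microsoft binary.
        $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation'
    }

# Most recently modified files first: a freshly replaced DLL will sit near the top.
$Findings | Sort-Object Modified -Descending | Format-Table -AutoSize

# Narrow the view to the DLL named in the article, wherever it lives in the GAC.
$Findings | Where-Object { $_.Path -like '*Microsoft.IdentityServer.Diagnostics*' }
```

Treat the output as a hunt list rather than a verdict: a legitimate Microsoft file whose certificate chain cannot be validated offline will also appear, so confirm hits against the file hash and timestamp in the hunting guidance before acting.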
