September 28, 2021 By Pierluigi Paganini
Microsoft discovered new custom malware, dubbed FoggyWeb, used by the Nobelium cyberespionage group to implant a backdoor in Windows domains.
Microsoft Threat Intelligence Center (MSTIC) researchers have discovered a new custom malware, dubbed FoggyWeb, used by the Nobelium APT group to deploy additional payloads and steal sensitive information from Active Directory Federation Services (AD FS) servers.
FoggyWeb is a post-exploitation backdoor used by the APT group to remotely exfiltrate the configuration database of compromised Active Directory Federation Services (AD FS) servers, along with the decrypted token-signing certificate and token-decryption certificate. It also allows the threat actors to download and execute additional components.