Sequretek Advisory - Nobelium Threat Actor's Latest Campaign
8/30/2022

MagicWeb, a sophisticated post-compromise malware used by the Russia-linked Advanced Persistent Threat (APT) group NOBELIUM, is being used to maintain persistent access to environments the group has already compromised.

• Microsoft security researchers have discovered a post-compromise capability, MagicWeb, used by the threat actor Microsoft tracks as NOBELIUM to maintain persistent access to compromised environments.

• NOBELIUM has actively been targeting government organizations, nongovernmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia.

• NOBELIUM abuses identities and credentialed access as its method of maintaining persistence, rather than relying only on traditional malware footholds.

• In September 2021, Microsoft disclosed FoggyWeb, a post-exploitation capability with methods and intent similar to MagicWeb's: it could exfiltrate the configuration database of compromised Active Directory Federation Services (AD FS) servers, decrypt the token-signing and token-decryption certificates, and download and execute additional malware components.

• MagicWeb goes beyond FoggyWeb's collection capabilities by facilitating covert access directly: according to Microsoft's report, it is a malicious DLL loaded into the AD FS server that manipulates the claims in the tokens the server issues, letting the actor authenticate as any user of the federated environment.
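The following PowerShell is added here as an example and is not part of the Sequretek advisory or of Microsoft's report. It implements the check a defender would run on an AD FS server after reading the above: enumerate every image mapped into the running AD FS service process and every DLL in the .NET Global Assembly Cache (GAC), and report any that does not carry a valid Authenticode signature from Microsoft. It assumes the default AD FS service name adfssrv, the standard GAC locations under %windir%, and an elevated session; the helper and function names are this example's own.

```powershell
# Added example for this advisory, not code from Sequretek or Microsoft.
# Run in an elevated PowerShell session on an AD FS server.
# Assumptions: the AD FS service is registered as 'adfssrv' (the default), and the
# .NET Global Assembly Cache lives under the standard %windir% paths listed below.

function Get-DllTrust {
    # Returns the signature status and signer of one file plus a Trusted flag that is
    # $true only for a valid Authenticode signature issued to Microsoft Corporation.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $signer
        Trusted = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
    }
}

function Get-UntrustedAdfsModule {
    # A backdoor that tampers with token issuance has to be loaded into the AD FS
    # service process, so list that process's modules and keep the untrusted ones.
    $svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
    if (-not $svc -or -not $svc.ProcessId) {
        throw "AD FS service 'adfssrv' is not running on this host."
    }
    $proc = Get-Process -Id $svc.ProcessId
    foreach ($m in $proc.Modules) {
        $t = Get-DllTrust -Path $m.FileName
        if (-not $t.Trusted) {
            $t | Add-Member -NotePropertyName Source -NotePropertyValue 'LoadedModule' -PassThru
        }
    }
}

function Get-UntrustedGacAssembly {
    # The GAC is where a malicious assembly is dropped so that AD FS resolves it by
    # name at start-up; scan both the .NET 4 GAC and the legacy .NET 2/3.5 GAC.
    $gacRoots = @("$env:windir\Microsoft.NET\assembly", "$env:windir\assembly") |
        Where-Object { Test-Path $_ }
    foreach ($root in $gacRoots) {
        Get-ChildItem -Path $root -Recurse -Filter *.dll -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $t = Get-DllTrust -Path $_.FullName
                if (-not $t.Trusted) {
                    $t | Add-Member -NotePropertyName Source -NotePropertyValue 'GAC' -PassThru
                }
            }
    }
}

$findings = @(Get-UntrustedAdfsModule) + @(Get-UntrustedGacAssembly)
if ($findings.Count -eq 0) {
    Write-Host "No unsigned or non-Microsoft DLLs found in the AD FS process or the GAC."
} else {
    $findings | Sort-Object Source, Path | Format-Table Source, Status, Signer, Path -AutoSize
}
```

Treat the output as a triage list, not a verdict: legitimate third-party AD FS extensions (MFA adapters, custom attribute stores, claims providers) are also non-Microsoft DLLs and will be listed, so each hit should be matched against the server's known change history. Conversely, a clean list does not rule out compromise of the kind FoggyWeb performed, since stolen token-signing certificates leave no foreign code on the server; rotating those certificates is a separate step from this check.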
