MagicWeb is a sophisticated post-compromise capability used by NOBELIUM, a Russia-linked Advanced Persistent Threat (APT) group, to maintain persistent access to compromised environments.
• Microsoft security researchers have discovered a post-compromise capability, MagicWeb, used by the threat actor Microsoft tracks as NOBELIUM to maintain persistent access to compromised environments.
• NOBELIUM remains highly active, targeting government organizations, nongovernmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia.
• NOBELIUM maintains persistence by abusing legitimate identities and credentialed access.
• In September 2021, Microsoft disclosed FoggyWeb, a post-exploitation capability with methods and intent similar to MagicWeb's: it could exfiltrate the configuration database of compromised AD FS servers, decrypt the token-signing and token-decryption certificates, and download and execute additional malware components.
• MagicWeb goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly.
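Both FoggyWeb and MagicWeb live on the AD FS server itself, so the practical check is whether the AD FS service is running only Microsoft-signed code. The script below is an added example, not code from the page or from Microsoft's report: it enumerates the DLLs loaded into the running AD FS service process and the AD FS assemblies on disk, and flags anything that is unsigned or not signed by Microsoft. It assumes the service is registered as adfssrv, that AD FS binaries sit under %ProgramFiles%\Active Directory Federation Services, and that its assemblies in the GAC are named Microsoft.IdentityServer*; run it elevated, in 64-bit PowerShell, on each AD FS server.

```powershell
# Added example: hunt for unsigned or non-Microsoft DLLs in the AD FS service.
# Assumptions (not from the page): service name 'adfssrv', AD FS install path
# under $env:ProgramFiles, and GAC assemblies named Microsoft.IdentityServer*.
$serviceName = 'adfssrv'

$svc = Get-CimInstance Win32_Service -Filter "Name='$serviceName'"
if (-not $svc)             { throw "Service '$serviceName' not found; is this an AD FS server?" }
if ($svc.ProcessId -eq 0)  { throw "Service '$serviceName' is not running; start it or scan disk only." }

# Modules actually mapped into the live service process (requires elevation).
$proc   = Get-Process -Id $svc.ProcessId -ErrorAction Stop
$loaded = @($proc.Modules | ForEach-Object { $_.FileName })

# AD FS binaries on disk, plus AD FS assemblies installed into the GAC.
$adfsDir = Join-Path $env:ProgramFiles 'Active Directory Federation Services'
$gacDir  = Join-Path $env:windir 'Microsoft.NET\assembly'
$onDisk  = @(
    Get-ChildItem -Path $adfsDir -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue
    Get-ChildItem -Path $gacDir  -Recurse -Filter 'Microsoft.IdentityServer*.dll' -ErrorAction SilentlyContinue
) | ForEach-Object { $_.FullName }

$candidates = ($loaded + $onDisk) | Sort-Object -Unique

$findings = foreach ($path in $candidates) {
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $isMicrosoft = $signer -match 'O=Microsoft Corporation'
    if ($sig.Status -ne 'Valid' -or -not $isMicrosoft) {
        [pscustomobject]@{
            Path         = $path
            SigStatus    = $sig.Status
            Signer       = $signer
            LoadedInAdfs = ($loaded -contains $path)   # loaded modules are the urgent ones
            LastWriteUtc = (Get-Item $path).LastWriteTimeUtc
            SHA256       = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
    }
}

if ($findings) {
    $findings | Sort-Object LoadedInAdfs -Descending | Format-Table -AutoSize
} else {
    "No unsigned or non-Microsoft DLLs found in process $($proc.Id) or under $adfsDir / $gacDir."
}
```

Triage hits with LoadedInAdfs set first, and compare the SHA256 and LastWriteUtc of any flagged file against the same file on a known-good AD FS server or a clean install. Expect some noise: Windows components that are catalog-signed rather than Authenticode-signed report NotSigned here, so a hit is a lead to verify, not a conviction on its own.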