Home / About / Threat Intelligence / MagicWeb malware targets authentication certificates

Target Industry

Government and non-governmental organisations (NGOs)

Overview

Severity level: High

Cyber threat group NOBELIUM (APT29), responsible for the 2020 SolarWinds attack, has released malware utilising a new capability that has been designated as MagicWeb by Microsoft. This malware contains a malicious dynamic link library (DLL) that enables the manipulation of tokens generated by the Active Directory Federation Service (ADFS). It thereby manipulates authentication certificates, allowing the creation of a backdoor within the target system and the ability to authenticate as any user account, giving them an abundance of lateral opportunities.

However, before this malware can be used effectively, the attacker must already have access to the target system via other means.

Impact

An attacker with high-level system access has the ability to plant a backdoor by replacing the legitimate DLL with the malicious MagicWeb version. If the malware remains undetected, it can provide extensive network persistence for the attacker, enabling them to covertly extract C2 data.

Vulnerability Detection

Hunt for malware across Windows event logs by enabling the collection of ADFS verbose logs and search for ‘Event ID 501’ to identify all extended key usage.

Customers using Microsoft Sentinel with enabled verbose mode logging can use this query to search for suspicious object identifiers (OIDs).

For customers using Microsoft 365 Defender, the following query can be run to surface all unsigned DLLs in the global assembly cache created within the past 60 days:

DeviceFileEvents
| where Timestamp between( ago(60d)..now() )
| where FolderPath has @”C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.IdentityServer.”
and FileName endswith “.dll”
| join (
DeviceFileCertificateInfo
| where not(IsSigned)
) on SHA1

Affected Products

Indiscriminate Windows systems.

Containment, Mitigations & Remediations

The ability to deploy MagicWeb depends on whether the attackers already have access to highly privileged credentials of the target system. Therefore, strong credential hygiene is an essential mitigating measure to defend against the threat. This includes the use of multi-factor authentication (MFA) and NCSC recommended password protection.

Key to this malware success is the infiltration of the ADFS, therefore it is strongly advised that customers treat ADFS servers as a tier 0 asset, and a robust ADFS hardening strategy is implemented.

Indicators of Compromise

Microsoft Defender Antivirus search: Trojan:MSIL/MagicWeb.A!dha

Microsoft Defender Endpoint alert: ADFS persistent backdoor detected

NOBELIUM often customises its infrastructure per attack, thereby minimising collateral risk should their attack attributes be discovered. If MagicWeb is identified in your environment, it’s unlikely to match indicators of compromise (IOCs) from other targets. It’s recommended to use the hunting guidance provided within this report to investigate your environment.

Threat Landscape

As a Russian state-sponsored threat actor, NOBELIUM’s primary target remains western governments and NGOs. Western support for the ongoing conflict in Ukraine is exacerbating Russian cyber offensives and will likely continue for the foreseeable future.

NOBELIUM is reportedly responsible for a number of high-profile attacks in the past, including the 2020 SolarWinds attack and the development of MagicWeb’s predecessor, Foggy Web.

Threat Group

NOBELIUM (APT29)

Mitre Methodologies

T1140 – Deobfuscate/Decode Files or Information

T1036 – Masquerading

T1005 – Data from Local System

T1071 – Application Layer Protocol

T1106 – Native API

T1552.004 – Unsecured Credentials: Private Keys

T1550 – Use Alternate Authentication Material

Further Information

Microsoft MagicWeb report

Microsoft Recommendation